
Windows Analysis Report
kewyIO69TI.exe

Overview

General Information

Sample name: kewyIO69TI.exe (renamed because the original name is a hash value)
Original sample name: ee766f8a002bc94c1ed54dc7602547c9.exe
Analysis ID: 1520453
MD5: ee766f8a002bc94c1ed54dc7602547c9
SHA1: 3cd317e022a72b3e7b25b3d87eecfb2fc6aafc5d
SHA256: aaefdf4d8df6b740054e00d65e9c56d081eaec7fe16e525b3895a6d882fb4cc0
Tags: exe, user-abuse_ch

Detection

Family: LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • kewyIO69TI.exe (PID: 6720 cmdline: "C:\Users\user\Desktop\kewyIO69TI.exe" MD5: EE766F8A002BC94C1ED54DC7602547C9)
    • conhost.exe (PID: 4300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 7076 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 1448 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

LummaC malware configuration (extracted):
{"C2 url": ["drawzhotdog.shop", "stogeneratmns.shop", "lootebarrkeyn.shop", "gutterydhowi.shop", "fragnantbui.shop", "vozmeatillu.shop", "offensivedzvju.shop", "reinforcenh.shop", "ghostreedmnu.shop"], "Build id": "FATE99--"}
Yara matches (memory dumps):

Source | Rule | Description | Author | Strings
--- | --- | --- | --- | ---
00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Yara matches (unpacked PEs):

Source | Rule | Description | Author | Strings
--- | --- | --- | --- | ---
4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
4.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
--- | --- | --- | --- | --- | --- | --- | --- | ---
2024-09-27T11:19:09.761554+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP
2024-09-27T11:19:10.980022+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:11.913044+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:12.867203+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP
2024-09-27T11:19:13.818966+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP
2024-09-27T11:19:14.778306+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP
2024-09-27T11:19:15.705280+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:16.606928+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49707 | 104.21.77.130 | 443 | TCP
2024-09-27T11:19:18.776975+0200 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49709 | 104.21.2.13 | 443 | TCP
2024-09-27T11:19:09.761554+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP
2024-09-27T11:19:10.980022+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:11.913044+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:12.867203+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP
2024-09-27T11:19:13.818966+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP
2024-09-27T11:19:14.778306+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP
2024-09-27T11:19:15.705280+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:16.606928+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49707 | 104.21.77.130 | 443 | TCP
2024-09-27T11:19:18.776975+0200 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49709 | 104.21.2.13 | 443 | TCP
2024-09-27T11:19:13.390734+0200 | 2056157 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP
2024-09-27T11:19:14.321187+0200 | 2056155 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP
2024-09-27T11:19:10.388673+0200 | 2056163 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:09.241941+0200 | 2056165 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP
2024-09-27T11:19:11.461179+0200 | 2056161 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:16.189594+0200 | 2056151 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49707 | 104.21.77.130 | 443 | TCP
2024-09-27T11:19:15.258313+0200 | 2056153 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:12.420066+0200 | 2056159 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP
2024-09-27T11:19:12.880479+0200 | 2056156 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 59089 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:13.822074+0200 | 2056154 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 62216 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:09.791657+0200 | 2056162 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 54428 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:08.756688+0200 | 2056164 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 52534 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:08.742677+0200 | 2056048 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 59462 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:10.982845+0200 | 2056160 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 53004 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:15.706895+0200 | 2056150 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 55135 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:14.780197+0200 | 2056152 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49493 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:11.916804+0200 | 2056158 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 54688 | 1.1.1.1 | 53 | UDP

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
Source: 4.2.RegAsm.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["drawzhotdog.shop", "stogeneratmns.shop", "lootebarrkeyn.shop", "gutterydhowi.shop", "fragnantbui.shop", "vozmeatillu.shop", "offensivedzvju.shop", "reinforcenh.shop", "ghostreedmnu.shop"], "Build id": "FATE99--"}
Source: kewyIO69TI.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: reinforcenh.shop
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: stogeneratmns.shop
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: fragnantbui.shop
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: drawzhotdog.shop
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: vozmeatillu.shop
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: offensivedzvju.shop
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: ghostreedmnu.shop
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: gutterydhowi.shop
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lootebarrkeyn.shop
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: FATE99--
Source: kewyIO69TI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: kewyIO69TI.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\rje\tg\mjkz5\obj\Release\ojc.pdb source: kewyIO69TI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then xor eax, eax | 4_2_0040F042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_0040D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h | 4_2_0040F807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h | 4_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+14h] | 4_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh | 4_2_00447E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edi, esi | 4_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h | 4_2_0044B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_00425030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h] | 4_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h | 4_2_0044B1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 4_2_00427230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+08h] | 4_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esi+04h] | 4_2_004142E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah | 4_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h] | 4_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esi+08h] | 4_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esi+08h] | 4_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 4_2_00442410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_0044B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 4_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h | 4_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], cl | 4_2_00435519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_00433623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh | 4_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_00434629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h | 4_2_0040F63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [ebx], 00000000h | 4_2_00414692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+00000668h] | 4_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h | 4_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h | 4_2_0040F7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esi+000001C8h] | 4_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esi+00000198h] | 4_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h | 4_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+14h] | 4_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+00000884h] | 4_2_00429978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], al | 4_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 4_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 4_2_00420A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h | 4_2_00440A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp+10h] | 4_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [ecx+eax] | 4_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh | 4_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh | 4_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esp] | 4_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh | 4_2_00444BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [esp], 00000000h | 4_2_0041AB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh | 4_2_00448B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 4_2_00430CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ebx] | 4_2_00405CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esi+edi] | 4_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-10h] | 4_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh | 4_2_00445DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, word ptr [edi+eax] | 4_2_00448D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-18h] | 4_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [ebp-14h] | 4_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then add ebx, 02h | 4_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov eax, dword ptr [esi+04h] | 4_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then dec ebx | 4_2_0043FE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 4_2_00426FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp dword ptr [004521ECh] | 4_2_0041FFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h | 4_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 4_2_0043BFF0

Networking

            Source: Network trafficSuricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.7:52534 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.7:54428 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.7:62216 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2056048 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop) : 192.168.2.7:59462 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.7:49703 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.7:49701 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.7:49700 -> 104.21.4.136:443
            Source: Network trafficSuricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.7:49704 -> 104.21.58.182:443
            Source: Network trafficSuricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.7:59089 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.7:53004 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.7:55135 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.7:49705 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.7:49707 -> 104.21.77.130:443
            Source: Network trafficSuricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.7:49702 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.7:49493 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.7:54688 -> 1.1.1.1:53
            Source: Network trafficSuricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.7:49706 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49702 -> 188.114.96.3:443
            Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49701 -> 188.114.96.3:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49702 -> 188.114.96.3:443
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49707 -> 104.21.77.130:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 188.114.96.3:443
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49705 -> 188.114.97.3:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49705 -> 188.114.97.3:443
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49703 -> 188.114.97.3:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49703 -> 188.114.97.3:443
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49704 -> 104.21.58.182:443
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 104.21.4.136:443
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49706 -> 188.114.96.3:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 104.21.4.136:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49706 -> 188.114.96.3:443
            Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49709 -> 104.21.2.13:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49709 -> 104.21.2.13:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49704 -> 104.21.58.182:443
            Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49707 -> 104.21.77.130:443
            Source: Malware configuration extractor | URLs: drawzhotdog.shop
            Source: Malware configuration extractor | URLs: stogeneratmns.shop
            Source: Malware configuration extractor | URLs: lootebarrkeyn.shop
            Source: Malware configuration extractor | URLs: gutterydhowi.shop
            Source: Malware configuration extractor | URLs: fragnantbui.shop
            Source: Malware configuration extractor | URLs: vozmeatillu.shop
            Source: Malware configuration extractor | URLs: offensivedzvju.shop
            Source: Malware configuration extractor | URLs: reinforcenh.shop
            Source: Malware configuration extractor | URLs: ghostreedmnu.shop
            Source: Joe Sandbox View | IP Address: 104.21.77.130
            Source: Joe Sandbox View | IP Address: 104.21.4.136
            Source: Joe Sandbox View | IP Address: 188.114.97.3
            Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
            Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: gutterydhowi.shop
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: ghostreedmnu.shop
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: offensivedzvju.shop
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: vozmeatillu.shop
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: drawzhotdog.shop
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: fragnantbui.shop
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: stogeneratmns.shop
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: reinforcenh.shop
            Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
            Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: ballotnwu.site
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
            Source: global traffic | DNS traffic detected: DNS query: lootebarrkeyn.shop
            Source: global traffic | DNS traffic detected: DNS query: gutterydhowi.shop
            Source: global traffic | DNS traffic detected: DNS query: ghostreedmnu.shop
            Source: global traffic | DNS traffic detected: DNS query: offensivedzvju.shop
            Source: global traffic | DNS traffic detected: DNS query: vozmeatillu.shop
            Source: global traffic | DNS traffic detected: DNS query: drawzhotdog.shop
            Source: global traffic | DNS traffic detected: DNS query: fragnantbui.shop
            Source: global traffic | DNS traffic detected: DNS query: stogeneratmns.shop
            Source: global traffic | DNS traffic detected: DNS query: reinforcenh.shop
            Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
            Source: global traffic | DNS traffic detected: DNS query: ballotnwu.site
            Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: gutterydhowi.shop
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ballotnwu.site/
            Source: RegAsm.exe, 00000004.00000002.1394874514.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ballotnwu.site/api
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ballotnwu.site/apiz
            Source: RegAsm.exe, 00000004.00000002.1394874514.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ballotnwu.site/b
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ballotnwu.site:443/api
            Source: RegAsm.exe, 00000004.00000002.1394874514.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drawzhotdog.shop/
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fragnantbui.shop/
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ghostreedmnu.shop/api
            Source: RegAsm.exe, 00000004.00000002.1394874514.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gutterydhowi.shop/api
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://offensivedzvju.shop/
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://offensivedzvju.shop/api
            Source: RegAsm.exe, 00000004.00000002.1394874514.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reinforcenh.shop/
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reinforcenh.shop/api0
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reinforcenh.shop/apicL
            Source: RegAsm.exe, 00000004.00000002.1394874514.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
            Source: RegAsm.exe, 00000004.00000002.1394874514.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900$vF
            Source: RegAsm.exe, 00000004.00000002.1394874514.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/~
            Source: RegAsm.exe, 00000004.00000002.1394874514.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stogeneratmns.shop/
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stogeneratmns.shop/api
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vozmeatillu.shop/api
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
            Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
            Source: unknown | HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.7:49700 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49702 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49703 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.58.182:443 -> 192.168.2.7:49704 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49705 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49706 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.7:49707 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49708 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.7:49709 version: TLS 1.2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043A777 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt

            System Summary

            Source: kewyIO69TI.exe, MoveAngles.cs | Large array initialization: MoveAngles: array initializer size 365056
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Code function: 0_2_01200C40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004103A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00447D38
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00401000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004480B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00449120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040C1C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0042D250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040A231
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0044A230
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004012C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004452E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00415352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00407450
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00405470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00409402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004404AB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0044A510
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004115B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041D610
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00449620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040A6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040B6B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043F700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0041E71A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0044B720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004087F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00428833
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004338C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004408E6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004038A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00434990
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0040ABA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0042EBBC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00437CD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00449D22
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00407E50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00427E6C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00437F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0042DFE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0041D1E0 appears 164 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0040CC80 appears 44 times
            Source: kewyIO69TI.exe, 00000000.00000002.1293810312.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs kewyIO69TI.exe
            Source: kewyIO69TI.exe, 00000000.00000000.1288979532.00000000008AE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVQP.exeD vs kewyIO69TI.exe
            Source: kewyIO69TI.exe | Binary or memory string: OriginalFilenameVQP.exeD vs kewyIO69TI.exe
            Source: kewyIO69TI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: kewyIO69TI.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/2@11/7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0043910C CoCreateInstance
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kewyIO69TI.exe.log
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:120:WilError_03
            Source: kewyIO69TI.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: kewyIO69TI.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: kewyIO69TI.exe | ReversingLabs: Detection: 55%
            Source: unknown | Process created: C:\Users\user\Desktop\kewyIO69TI.exe "C:\Users\user\Desktop\kewyIO69TI.exe"
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
            Source: kewyIO69TI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: kewyIO69TI.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: kewyIO69TI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: c:\rje\tg\mjkz5\obj\Release\ojc.pdb source: kewyIO69TI.exe
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Code function: 0_2_02CF1487 push ds; iretd 0_2_02CF1992
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Code function: 0_2_02CF1997 push ds; iretd 0_2_02CF1992
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00438B7E push cs; iretd 4_2_00438B85
            Source: kewyIO69TI.exe | Static PE information: section name: .text entropy: 7.995225339741643
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Memory allocated: 1200000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Memory allocated: 2CF0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Memory allocated: 2B20000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\kewyIO69TI.exe TID: 3300 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 712 | Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Thread delayed: delay time: 922337203685477
            Source: RegAsm.exe, 00000004.00000002.1394874514.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_004476D0 LdrInitializeThunk
            Source: C:\Users\user\Desktop\kewyIO69TI.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: kewyIO69TI.exe, Program.cs | Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
            Source: C:\Users\user\Desktop\kewyIO69TI.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\kewyIO69TI.exeCode function: 0_2_02CF2155 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_02CF2155
            Source: C:\Users\user\Desktop\kewyIO69TI.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
Source: kewyIO69TI.exe, 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp - String found in binary or memory: reinforcenh.shop
Source: kewyIO69TI.exe, 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp - String found in binary or memory: stogeneratmns.shop
Source: kewyIO69TI.exe, 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp - String found in binary or memory: fragnantbui.shop
Source: kewyIO69TI.exe, 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp - String found in binary or memory: drawzhotdog.shop
Source: kewyIO69TI.exe, 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp - String found in binary or memory: vozmeatillu.shop
Source: kewyIO69TI.exe, 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp - String found in binary or memory: offensivedzvju.shop
Source: kewyIO69TI.exe, 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp - String found in binary or memory: ghostreedmnu.shop
Source: kewyIO69TI.exe, 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp - String found in binary or memory: gutterydhowi.shop
Source: kewyIO69TI.exe, 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp - String found in binary or memory: lootebarrkeyn.shop
Source: C:\Users\user\Desktop\kewyIO69TI.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\kewyIO69TI.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\kewyIO69TI.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000
Source: C:\Users\user\Desktop\kewyIO69TI.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Desktop\kewyIO69TI.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000
Source: C:\Users\user\Desktop\kewyIO69TI.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BAF008
Source: C:\Users\user\Desktop\kewyIO69TI.exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\kewyIO69TI.exe - Queries volume information: C:\Users\user\Desktop\kewyIO69TI.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            barindex
Source: Yara match - File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match - File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
Source: Yara match - File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match - File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 4.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

A number in front of a technique is the count of signatures in this report that map to it; cells without a number are the matrix template and did not match.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Antivirus results (submitted file)

Source | Detection | Scanner | Label
kewyIO69TI.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Antivirus results (URLs)

Source | Detection | Scanner | Label
https://steamcommunity.com/profiles/76561199724331900 | 100% | URL Reputation | malware
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
fragnantbui.shop | 188.114.97.3 | true | true | (none) | unknown
gutterydhowi.shop | 104.21.4.136 | true | true | (none) | unknown
steamcommunity.com | 104.102.49.254 | true | false | (none) | unknown
offensivedzvju.shop | 188.114.96.3 | true | true | (none) | unknown
stogeneratmns.shop | 188.114.96.3 | true | true | (none) | unknown
reinforcenh.shop | 104.21.77.130 | true | true | (none) | unknown
drawzhotdog.shop | 104.21.58.182 | true | true | (none) | unknown
ghostreedmnu.shop | 188.114.96.3 | true | true | (none) | unknown
vozmeatillu.shop | 188.114.97.3 | true | true | (none) | unknown
ballotnwu.site | 104.21.2.13 | true | true | (none) | unknown
lootebarrkeyn.shop | unknown | unknown | true | (none) | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://drawzhotdog.shop/api | true | (none) | unknown
lootebarrkeyn.shop | true | (none) | unknown
https://steamcommunity.com/profiles/76561199724331900 | true | URL Reputation: malware | unknown
https://gutterydhowi.shop/api | true | (none) | unknown
https://vozmeatillu.shop/api | true | (none) | unknown
https://stogeneratmns.shop/api | true | (none) | unknown
stogeneratmns.shop | true | (none) | unknown
reinforcenh.shop | true | (none) | unknown
https://ghostreedmnu.shop/api | true | (none) | unknown
fragnantbui.shop | true | (none) | unknown
gutterydhowi.shop | true | (none) | unknown
https://offensivedzvju.shop/api | true | (none) | unknown
https://fragnantbui.shop/api | true | (none) | unknown
offensivedzvju.shop | true | (none) | unknown
https://reinforcenh.shop/api | true | (none) | unknown
drawzhotdog.shop | true | (none) | unknown
ghostreedmnu.shop | true | (none) | unknown
https://ballotnwu.site/api | true | (none) | unknown
vozmeatillu.shop | true | (none) | unknown
URLs found in memory or binary data

Name | Source | Malicious | Antivirus Detection | Reputation
https://ballotnwu.site:443/api | RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://stogeneratmns.shop/ | RegAsm.exe, 00000004.00000002.1394874514.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://reinforcenh.shop/api0 | RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://reinforcenh.shop/apicL | RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://offensivedzvju.shop/ | RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://ballotnwu.site/apiz | RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://steamcommunity.com/profiles/76561199724331900$vF | RegAsm.exe, 00000004.00000002.1394874514.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | true | (none) | unknown
https://reinforcenh.shop/ | RegAsm.exe, 00000004.00000002.1394874514.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://ballotnwu.site/b | RegAsm.exe, 00000004.00000002.1394874514.0000000000DC6000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://steamcommunity.com/~ | RegAsm.exe, 00000004.00000002.1394874514.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://drawzhotdog.shop/ | RegAsm.exe, 00000004.00000002.1394874514.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://fragnantbui.shop/ | RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://ballotnwu.site/ | RegAsm.exe, 00000004.00000002.1395000346.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.77.130 | reinforcenh.shop | United States | 13335 | CLOUDFLARENETUS | true
104.21.4.136 | gutterydhowi.shop | United States | 13335 | CLOUDFLARENETUS | true
188.114.97.3 | fragnantbui.shop | European Union | 13335 | CLOUDFLARENETUS | true
188.114.96.3 | offensivedzvju.shop | European Union | 13335 | CLOUDFLARENETUS | true
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
104.21.2.13 | ballotnwu.site | United States | 13335 | CLOUDFLARENETUS | true
104.21.58.182 | drawzhotdog.shop | United States | 13335 | CLOUDFLARENETUS | true

General Information
                                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                                Analysis ID:1520453
                                                                                                Start date and time:2024-09-27 11:18:10 +02:00
                                                                                                Joe Sandbox product:CloudBasic
                                                                                                Overall analysis duration:0h 5m 12s
                                                                                                Hypervisor based Inspection enabled:false
                                                                                                Report type:full
                                                                                                Cookbook file name:default.jbs
                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                Number of analysed new started processes analysed:10
                                                                                                Number of new started drivers analysed:0
                                                                                                Number of existing processes analysed:0
                                                                                                Number of existing drivers analysed:0
                                                                                                Number of injected processes analysed:0
                                                                                                Technologies:
                                                                                                • HCA enabled
                                                                                                • EGA enabled
                                                                                                • AMSI enabled
                                                                                                Analysis Mode:default
                                                                                                Analysis stop reason:Timeout
                                                                                                Sample name:kewyIO69TI.exe
                                                                                                renamed because original name is a hash value
                                                                                                Original Sample Name:ee766f8a002bc94c1ed54dc7602547c9.exe
                                                                                                Detection:MAL
                                                                                                Classification:mal100.troj.evad.winEXE@6/2@11/7
                                                                                                EGA Information:
                                                                                                • Successful, ratio: 100%
                                                                                                HCA Information:
                                                                                                • Successful, ratio: 93%
                                                                                                • Number of executed functions: 15
                                                                                                • Number of non-executed functions: 56
                                                                                                Cookbook Comments:
                                                                                                • Found application associated with file extension: .exe
                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                • VT rate limit hit for: kewyIO69TI.exe
Time | Type | Description
05:19:07 | API Interceptor | 4x Sleep call for process: RegAsm.exe modified
                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                104.21.77.130Notepad3_v6.23.203.2.exeGet hashmaliciousAmadey, GO BackdoorBrowse
                                                                                                • downloaddining3.com/h9fmdW7/index.php
                                                                                                am.exeGet hashmaliciousAmadeyBrowse
                                                                                                • downloaddining3.com/h9fmdW7/index.php
                                                                                                am.exeGet hashmaliciousAmadeyBrowse
                                                                                                • downloaddining3.com/h9fmdW7/index.php
                                                                                                104.21.4.136gZzI6gTYn4.exeGet hashmaliciousLummaCBrowse
                                                                                                  file.exeGet hashmaliciousLummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5SystemzBrowse
                                                                                                    file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, VidarBrowse
                                                                                                      file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, Stealc, VidarBrowse
                                                                                                        file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, VidarBrowse
                                                                                                          file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                                                            SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeGet hashmaliciousLummaCBrowse
                                                                                                              file.exeGet hashmaliciousLummaCBrowse
                                                                                                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                  3ZD5tEC5DH.exeGet hashmaliciousLummaCBrowse
                                                                                                                    188.114.97.39q24V7OSys.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP
                                                                                                                    QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                    • filetransfer.io/data-package/mfctuvFf/download
                                                                                                                    http://brawllstars.ru/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                    • brawllstars.ru/
                                                                                                                    http://aktiivasi-paylaterr.from-resmi.com/Get hashmaliciousUnknownBrowse
  • aktiivasi-paylaterr.from-resmi.com/
  ECChG5eWfZ.exe | malicious | DCRat, PureLog Stealer, zgRAT | homker11.uebki.one/GeneratorTest.php
  HpCQgSai4e.exe | malicious | FormBook | www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
  QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/Ky4pZ0WB/download
  ADNOC requesting RFQ.exe | malicious | FormBook | www.1win-moldovia.fun/1g7m/
  http://www.tiktok758.com/ | malicious | Unknown | www.tiktok758.com/img/logo.4c830710.svg
  TRmSF36qQG.exe | malicious | FormBook | www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
Match | Associated Sample Name / URL | Detection | Threat Name | Context
gutterydhowi.shop
  gZzI6gTYn4.exe | malicious | LummaC | 104.21.4.136
  U6b3tLFqN5.exe | malicious | LummaC | 172.67.132.32
  0UB3FIL25c.exe | malicious | LummaC | 172.67.132.32
  file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | 104.21.4.136
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 172.67.132.32
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 172.67.132.32
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 104.21.4.136
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | 104.21.4.136
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 104.21.4.136
  file.exe | malicious | LummaC, Vidar | 104.21.4.136
steamcommunity.com
  gZzI6gTYn4.exe | malicious | LummaC | 104.102.49.254
  U6b3tLFqN5.exe | malicious | LummaC | 104.102.49.254
  zlsXub68El.exe | malicious | Vidar | 104.102.49.254
  0UB3FIL25c.exe | malicious | LummaC | 104.102.49.254
  file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | 104.102.49.254
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 104.102.49.254
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 104.102.49.254
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 104.102.49.254
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | 104.102.49.254
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 104.102.49.254
fragnantbui.shop
  gZzI6gTYn4.exe | malicious | LummaC | 188.114.96.3
  U6b3tLFqN5.exe | malicious | LummaC | 188.114.97.3
  0UB3FIL25c.exe | malicious | LummaC | 188.114.96.3
  file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | 188.114.97.3
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 188.114.97.3
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 188.114.96.3
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 188.114.97.3
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | 188.114.97.3
  file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 188.114.96.3
  file.exe | malicious | LummaC, Vidar | 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS
  gZzI6gTYn4.exe | malicious | LummaC | 188.114.96.3
  9q24V7OSys.exe | malicious | FormBook | 104.21.69.238
  GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
  U6b3tLFqN5.exe | malicious | LummaC | 188.114.96.3
  GEsD6lobvy.hta | malicious | Cobalt Strike, Snake Keylogger | 188.114.97.3
  GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
  FACTORY NEW PURCHASE ORDER.doc | malicious | Unknown | 162.159.130.233
  https://strato.de-sys.online/HJd9cn-2tRRO-rDZDs-D6p99-HbdYU-wK4oY-FICwzl/index.html | malicious | HTMLPhisher | 104.18.94.41
  FACTORY NEW PURCHASE ORDER.doc | malicious | Unknown | 162.159.130.233
  https://www.vossloh-events.com/EMOS/Login.aspx?ReturnUrl=%2femos | malicious | Unknown | 104.18.11.207
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 (every row below lists the same seven context IPs: 104.21.77.130, 104.21.4.136, 188.114.97.3, 188.114.96.3, 104.102.49.254, 104.21.2.13, 104.21.58.182)
  gZzI6gTYn4.exe | malicious | LummaC
  U6b3tLFqN5.exe | malicious | LummaC
  FACTORY NEW PURCHASE ORDER.doc | malicious | Unknown
  Dev_Project.xls | malicious | Unknown
  Purchase Inquiry-0012.xls | malicious | Unknown
  0UB3FIL25c.exe | malicious | LummaC
  https://klvegaold.com/clicks/MjM4ODJfMjgzMjU2XzIzLjAwMDg3XzEzXzE3MjczMjgwNzU5NDEwMDQ5MTcyXzIwXjkwMGMwZGQ5NzJkYzQ2OTYzZTUyM2Y4ZDA1YzJjOGM4XjA4LjkuMjYuMjAyNA== | malicious | Unknown
  file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz
  https://trivedikavya.github.io/netflix_clone/ | malicious | HTMLPhisher
  http://intesa-it.serv00.net/it/conto/ | malicious | Unknown
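The context tables above pivot this sample's indicators (the C2 domains, the ASN and the 32-hex client fingerprint, presumably the JA3 hash the signature summary refers to) against other Joe Sandbox submissions. The caveat a practitioner needs before turning them into blocks is that the IP context is almost entirely shared infrastructure: the report itself labels the ASN CLOUDFLARENETUS, and 104.102.49.254 is what the domain table shows for steamcommunity.com, a legitimate site. Blocking those addresses would hit unrelated traffic; the domains and the fingerprint are the usable indicators. The Python below is an added example, not code from the report or from Joe Security. ROWS is constructed from a subset of the tables above, and the SHARED_PREFIXES list (Cloudflare's 104.16.0.0/13, 172.64.0.0/13 and 188.114.96.0/20, plus the steamcommunity.com address) is an assumption of the example.

```python
"""Pivot Joe Sandbox "context" rows into per-indicator IOC records and flag
context IPs that are shared infrastructure rather than attacker-owned.

Added example for this report; not code from Joe Security or from the report.
ROWS is constructed from a subset of the context tables above. SHARED_PREFIXES
is an assumption of this example: Cloudflare prefixes covering the IPs the
report's ASN table labels CLOUDFLARENETUS, plus the address the domain table
shows for steamcommunity.com.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ContextRow:
    match: str       # indicator shared between this report and other submissions
    sample: str      # associated sample name or URL
    threats: tuple   # threat names Joe Sandbox assigned to that submission
    context: tuple   # IPs the other submission contacted for this indicator


# Constructed from the report's domain and fingerprint context tables (subset).
ROWS = [
    ContextRow("gutterydhowi.shop", "gZzI6gTYn4.exe", ("LummaC",), ("104.21.4.136",)),
    ContextRow("gutterydhowi.shop", "U6b3tLFqN5.exe", ("LummaC",), ("172.67.132.32",)),
    ContextRow("gutterydhowi.shop", "file.exe",
               ("LummaC", "Amadey", "CryptOne", "LummaC Stealer", "PureLog Stealer",
                "RedLine", "Socks5Systemz"), ("104.21.4.136",)),
    ContextRow("steamcommunity.com", "gZzI6gTYn4.exe", ("LummaC",), ("104.102.49.254",)),
    ContextRow("steamcommunity.com", "zlsXub68El.exe", ("Vidar",), ("104.102.49.254",)),
    ContextRow("fragnantbui.shop", "gZzI6gTYn4.exe", ("LummaC",), ("188.114.96.3",)),
    ContextRow("fragnantbui.shop", "file.exe",
               ("LummaC", "RDPWrap Tool", "LummaC Stealer", "Stealc", "Vidar"),
               ("188.114.97.3",)),
    ContextRow("a0e9f5d64349fb13191bc781f81f42e1", "FACTORY NEW PURCHASE ORDER.doc",
               ("Unknown",), ("104.21.77.130", "188.114.97.3", "104.102.49.254")),
]

# Assumption: address space that many unrelated samples touch, so an IP alone
# is not a usable block indicator. The /13 and /20 prefixes are Cloudflare
# ranges covering the report's CLOUDFLARENETUS IPs; the /32 is the address the
# domain table lists for steamcommunity.com.
SHARED_PREFIXES = {
    "104.16.0.0/13": "Cloudflare anycast (CLOUDFLARENETUS in the report)",
    "172.64.0.0/13": "Cloudflare anycast (CLOUDFLARENETUS in the report)",
    "188.114.96.0/20": "Cloudflare anycast (CLOUDFLARENETUS in the report)",
    "104.102.49.254/32": "steamcommunity.com front end (legitimate service)",
}
_SHARED_NETS = {ipaddress.ip_network(p): why for p, why in SHARED_PREFIXES.items()}

# Joe Sandbox labels that are not malware families; dropped before counting.
_NOT_A_FAMILY = {"Unknown", "RDPWrap Tool"}


def shared_infra(ip: str):
    """Return why `ip` is shared infrastructure, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, why in _SHARED_NETS.items():
        if addr in net:
            return why
    return None


def families(threats):
    """Collapse threat labels to family names ('LummaC Stealer' -> 'LummaC')."""
    return sorted({t.replace(" Stealer", "") for t in threats} - _NOT_A_FAMILY)


def pivot(rows):
    """Group rows by indicator: distinct samples, threat labels and context IPs."""
    grouped = defaultdict(lambda: {"samples": set(), "threats": set(), "ips": set()})
    for r in rows:
        rec = grouped[r.match]
        rec["samples"].add(r.sample)
        rec["threats"].update(r.threats)
        rec["ips"].update(r.context)
    return dict(grouped)


def assess(rows):
    """Per indicator: how many submissions share it, which families, and whether
    its IP context is blockable or only the indicator itself should be used."""
    report = {}
    for match, rec in pivot(rows).items():
        noisy = {ip: shared_infra(ip) for ip in rec["ips"] if shared_infra(ip)}
        all_shared = bool(rec["ips"]) and len(noisy) == len(rec["ips"])
        report[match] = {
            "samples": len(rec["samples"]),
            "families": families(rec["threats"]),
            "shared_ips": noisy,
            "all_ips_shared": all_shared,
            "action": ("block on the domain/fingerprint itself, not on the IPs"
                       if all_shared else "some IPs are not shared infrastructure; review before blocking"),
        }
    return report


if __name__ == "__main__":
    for match, verdict in assess(ROWS).items():
        print(f"{match}: {verdict['samples']} submissions, "
              f"families={verdict['families']}, {verdict['action']}")
```

Run it as a script to print one verdict per indicator. Extend SHARED_PREFIXES with whatever CDN and hosting ranges your environment treats as noisy; the point of the check is that a context table full of Cloudflare and Akamai-fronted addresses tells you which domains and fingerprints co-occur across families, not which IPs to block.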
                                                                                                                    No context
                                                                                                                    Process:C:\Users\user\Desktop\kewyIO69TI.exe
                                                                                                                    File Type:CSV text
                                                                                                                    Category:modified
                                                                                                                    Size (bytes):425
                                                                                                                    Entropy (8bit):5.353683843266035
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                                                                                                    MD5:859802284B12C59DDBB85B0AC64C08F0
                                                                                                                    SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                                                                                                    SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                                                                                                    SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                                                                                                    Malicious:true
                                                                                                                    Reputation:high, very likely benign file
                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                                                                                    Process:C:\Users\user\Desktop\kewyIO69TI.exe
                                                                                                                    File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):33
                                                                                                                    Entropy (8bit):2.2845972159140855
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3:i6vvRyMivvRya:iKvHivD
                                                                                                                    MD5:45B4C82B8041BF0F9CCED0D6A18D151A
                                                                                                                    SHA1:B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
                                                                                                                    SHA-256:7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
                                                                                                                    SHA-512:B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
                                                                                                                    Malicious:false
                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                    Preview:0..1..2..3..4..0..1..2..3..4.....
                                                                                                                    File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                    Entropy (8bit):7.988942382031895
                                                                                                                    TrID:
                                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                                    File name:kewyIO69TI.exe
                                                                                                                    File size:375'296 bytes
                                                                                                                    MD5:ee766f8a002bc94c1ed54dc7602547c9
                                                                                                                    SHA1:3cd317e022a72b3e7b25b3d87eecfb2fc6aafc5d
                                                                                                                    SHA256:aaefdf4d8df6b740054e00d65e9c56d081eaec7fe16e525b3895a6d882fb4cc0
                                                                                                                    SHA512:441a9cba71d038caca31614156c5f18f25826a5ee461f989b97519790eadaf3f19ceffcc9bf36017faf7f689ec56974d0a45872b004fd7f7d9561dd1e8a5b5b0
                                                                                                                    SSDEEP:6144:U097ZR4GXYSmClbH4yjrz5fCKdjH3avEz2cXtTM4fdCR3AkyQloBfqA27/V7jCnI:NlIOYyvz5fljH3avEXM4fdCykTohqAMo
                                                                                                                    TLSH:FE842374B497D73EEFA166B6B7B38FDA86B0D00141D8B24A0370970999CF239EE24754
                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..f............................>.... ........@.. ....................... ............`................................
                                                                                                                    Icon Hash:00928e8e8686b000
                                                                                                                    Entrypoint:0x45ce3e
                                                                                                                    Entrypoint Section:.text
                                                                                                                    Digitally signed:false
                                                                                                                    Imagebase:0x400000
                                                                                                                    Subsystem:windows cui
                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                    Time Stamp:0x66F58368 [Thu Sep 26 15:53:12 2024 UTC]
                                                                                                                    TLS Callbacks:
                                                                                                                    CLR (.Net) Version:
                                                                                                                    OS Version Major:4
                                                                                                                    OS Version Minor:0
                                                                                                                    File Version Major:4
                                                                                                                    File Version Minor:0
                                                                                                                    Subsystem Version Major:4
                                                                                                                    Subsystem Version Minor:0
                                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
The 97 instructions the report lists after this jmp all decode as add byte ptr [eax], al, which is what an x86 disassembler makes of a run of 00 bytes: they are padding after the entrypoint, not code. 0x402000 is the image base (0x400000) plus the IAT directory at RVA 0x2000, whose 8-byte IAT holds the one imported function, _CorExeMain from mscoree.dll. This is the standard native stub of a managed executable; the sample's real behaviour is in the CIL, not in this stub.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5cde8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5e000 | 0x5c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5ccb0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x5ae44 | 0x5b000 | 4467df89ee73d7db1162edc5ecc10192 | False | 0.9936711237980769 | data | 7.995225339741643 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x5e000 | 0x5c8 | 0x600 | a589a4206018b0dca6ae47d5c97f9001 | False | 0.4375 | data | 4.119926545451393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x60000 | 0xc | 0x200 | ef500bd10f72fd04b5e7aed0b41ff3fd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
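The entropy column above is the report's main packing indicator: an executable .text section at 7.995 bits per byte (against a maximum of 8.0) is almost certainly encrypted or compressed payload rather than ordinary CIL, which fits the "very large array initializations" and process-injection signatures listed at the top of the report. The following is an added example, not code from Joe Sandbox or from the sample, showing how that number is computed and how the same measurement is used to locate an embedded blob inside a buffer. The section tuples are transcribed from the table above; the byte buffer passed to the window scan is constructed for the example, and the 7.0 threshold and 2x virtual-to-raw-size ratio are the author's own heuristics.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 256, step: int = 128, threshold: float = 7.0):
    """Slide a window across the buffer and return (offset, entropy) for every window at or
    above the threshold. A run of contiguous hits outlines an embedded encrypted or compressed
    blob, e.g. the large byte arrays a .NET loader decrypts at run time before injecting them."""
    hits = []
    for off in range(0, max(1, len(data) - window + 1), step):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 3)))
    return hits


# Section rows transcribed from the report: name, virtual size, raw size, entropy, executable?
SECTIONS = [
    (".text", 0x5ae44, 0x5b000, 7.995225339741643, True),
    (".rsrc", 0x5c8, 0x600, 4.119926545451393, False),
    (".reloc", 0xc, 0x200, 0.10191042566270775, False),
]


def suspicious_sections(sections, threshold: float = 7.0):
    """Flag sections that look packed: near-maximal entropy in an executable section, or a
    virtual size far larger than the raw size (space reserved for unpacking at run time).
    Threshold and ratio are heuristics chosen for this example."""
    flagged = []
    for name, vsize, rsize, entropy, executable in sections:
        reasons = []
        if executable and entropy >= threshold:
            reasons.append(f"entropy {entropy:.2f} in executable section")
        if rsize and vsize > 2 * rsize:
            reasons.append(f"virtual size 0x{vsize:x} far exceeds raw size 0x{rsize:x}")
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_sections(SECTIONS):
        print(name, "->", "; ".join(reasons))
    # Constructed buffer: low-entropy filler around a 512-byte region of uniform bytes.
    sample = b"A" * 1024 + bytes(range(256)) * 2 + b"A" * 1024
    print(high_entropy_windows(sample))
```

On the report's own section table only .text is flagged; .rsrc (a version resource and manifest) and .reloc sit where normal data does. The window scan is what you run over a dumped section or a decoded byte array to find where the encrypted stage actually starts and ends before handing that range to a decryptor.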
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x5e0a0 | 0x334 | data | | | 0.4426829268292683
RT_MANIFEST | 0x5e3d8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
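The Suricata alert table that follows shows a repeating three-step pattern: a DNS lookup for a .shop domain, a TLS session whose SNI carries that domain, and a "CnC Host Checkin" on the same flow, then the next domain about a second later. Reading that list by eye across seven domains is error-prone, so here is an added example (not part of the Joe Sandbox report) that parses the rows and correlates the three steps per domain by matching the checkin alert to the flow of the SNI alert. The alert rows are transcribed from the table in this report; the refanging of "name .tld" to "name.tld", the regexes over the ET signature names and the use of SID 2054653 as the checkin marker are this example's own choices.

```python
import re
from datetime import datetime

# Alert rows transcribed from the Suricata table in this report, tab-separated:
# timestamp, SID, signature, severity, src IP, src port, dst IP, dst port, protocol.
ALERTS = (
    "2024-09-27T11:19:08.742677+0200\t2056048\tET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop)\t1\t192.168.2.7\t59462\t1.1.1.1\t53\tUDP\n"
    "2024-09-27T11:19:08.756688+0200\t2056164\tET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)\t1\t192.168.2.7\t52534\t1.1.1.1\t53\tUDP\n"
    "2024-09-27T11:19:09.241941+0200\t2056165\tET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)\t1\t192.168.2.7\t49700\t104.21.4.136\t443\tTCP\n"
    "2024-09-27T11:19:09.761554+0200\t2049836\tET MALWARE Lumma Stealer Related Activity\t1\t192.168.2.7\t49700\t104.21.4.136\t443\tTCP\n"
    "2024-09-27T11:19:09.761554+0200\t2054653\tET MALWARE Lumma Stealer CnC Host Checkin\t1\t192.168.2.7\t49700\t104.21.4.136\t443\tTCP\n"
    "2024-09-27T11:19:09.791657+0200\t2056162\tET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)\t1\t192.168.2.7\t54428\t1.1.1.1\t53\tUDP\n"
    "2024-09-27T11:19:10.388673+0200\t2056163\tET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)\t1\t192.168.2.7\t49701\t188.114.96.3\t443\tTCP\n"
    "2024-09-27T11:19:10.980022+0200\t2049836\tET MALWARE Lumma Stealer Related Activity\t1\t192.168.2.7\t49701\t188.114.96.3\t443\tTCP\n"
    "2024-09-27T11:19:10.980022+0200\t2054653\tET MALWARE Lumma Stealer CnC Host Checkin\t1\t192.168.2.7\t49701\t188.114.96.3\t443\tTCP\n"
    "2024-09-27T11:19:10.982845+0200\t2056160\tET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)\t1\t192.168.2.7\t53004\t1.1.1.1\t53\tUDP\n"
    "2024-09-27T11:19:11.461179+0200\t2056161\tET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)\t1\t192.168.2.7\t49702\t188.114.96.3\t443\tTCP\n"
    "2024-09-27T11:19:11.913044+0200\t2049836\tET MALWARE Lumma Stealer Related Activity\t1\t192.168.2.7\t49702\t188.114.96.3\t443\tTCP\n"
    "2024-09-27T11:19:11.913044+0200\t2054653\tET MALWARE Lumma Stealer CnC Host Checkin\t1\t192.168.2.7\t49702\t188.114.96.3\t443\tTCP\n"
    "2024-09-27T11:19:11.916804+0200\t2056158\tET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)\t1\t192.168.2.7\t54688\t1.1.1.1\t53\tUDP\n"
    "2024-09-27T11:19:12.420066+0200\t2056159\tET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)\t1\t192.168.2.7\t49703\t188.114.97.3\t443\tTCP\n"
    "2024-09-27T11:19:12.867203+0200\t2049836\tET MALWARE Lumma Stealer Related Activity\t1\t192.168.2.7\t49703\t188.114.97.3\t443\tTCP\n"
    "2024-09-27T11:19:12.867203+0200\t2054653\tET MALWARE Lumma Stealer CnC Host Checkin\t1\t192.168.2.7\t49703\t188.114.97.3\t443\tTCP\n"
    "2024-09-27T11:19:12.880479+0200\t2056156\tET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)\t1\t192.168.2.7\t59089\t1.1.1.1\t53\tUDP\n"
    "2024-09-27T11:19:13.390734+0200\t2056157\tET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)\t1\t192.168.2.7\t49704\t104.21.58.182\t443\tTCP\n"
    "2024-09-27T11:19:13.818966+0200\t2049836\tET MALWARE Lumma Stealer Related Activity\t1\t192.168.2.7\t49704\t104.21.58.182\t443\tTCP\n"
    "2024-09-27T11:19:13.818966+0200\t2054653\tET MALWARE Lumma Stealer CnC Host Checkin\t1\t192.168.2.7\t49704\t104.21.58.182\t443\tTCP\n"
    "2024-09-27T11:19:13.822074+0200\t2056154\tET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)\t1\t192.168.2.7\t62216\t1.1.1.1\t53\tUDP\n"
    "2024-09-27T11:19:14.321187+0200\t2056155\tET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)\t1\t192.168.2.7\t49705\t188.114.97.3\t443\tTCP\n"
    "2024-09-27T11:19:14.778306+0200\t2049836\tET MALWARE Lumma Stealer Related Activity\t1\t192.168.2.7\t49705\t188.114.97.3\t443\tTCP\n"
)

# ET writes the domain defanged as "name .tld" inside the signature name; both regexes refang it.
DNS_RE = re.compile(r"CnC Domain in DNS Lookup \((\S+) \.(\S+)\)")
SNI_RE = re.compile(r"Related Domain \((\S+) \.(\S+) in TLS SNI\)")
CHECKIN_SID = "2054653"  # ET MALWARE Lumma Stealer CnC Host Checkin
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_alerts(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, _sev, sip, sport, dip, dport, _proto = line.split("\t")
        rows.append({"ts": datetime.strptime(ts, TS_FMT), "sid": sid, "sig": sig,
                     "sip": sip, "sport": sport, "dip": dip, "dport": dport})
    return rows


def correlate_c2(rows):
    """Return domain -> {dns, ip, checkin} in the order the sample tried each domain: the
    time of its DNS lookup, the address the TLS session with that SNI went to, and whether
    a checkin alert fired on that same (src ip, src port, dst ip, dst port) flow."""
    c2 = {}
    flow_domain = {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        m = DNS_RE.search(r["sig"])
        if m:
            c2.setdefault(f"{m.group(1)}.{m.group(2)}", {"dns": r["ts"], "ip": None, "checkin": False})
            continue
        m = SNI_RE.search(r["sig"])
        if m:
            dom = f"{m.group(1)}.{m.group(2)}"
            c2.setdefault(dom, {"dns": None, "ip": None, "checkin": False})["ip"] = r["dip"]
            flow_domain[(r["sip"], r["sport"], r["dip"], r["dport"])] = dom
            continue
        if r["sid"] == CHECKIN_SID:
            dom = flow_domain.get((r["sip"], r["sport"], r["dip"], r["dport"]))
            if dom:
                c2[dom]["checkin"] = True
    return c2


def rotation_gaps(c2):
    """Seconds between successive DNS lookups: how quickly the sample walks its domain list."""
    times = [v["dns"] for v in c2.values() if v["dns"]]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def iocs(c2):
    """(domain, IP the TLS session went to or None, checkin seen) per domain, in contact order."""
    return [(d, v["ip"], v["checkin"]) for d, v in c2.items()]


if __name__ == "__main__":
    table = correlate_c2(parse_alerts(ALERTS))
    for dom, ip, seen in iocs(table):
        print(f"{dom:<22} {ip or '-':<15} checkin={seen}")
    print("gaps between lookups (s):", [round(g, 2) for g in rotation_gaps(table)])
```

On the rows visible in this report the correlation yields seven domains: lootebarrkeyn.shop was only looked up (no SNI or checkin alert follows it), five domains got a TLS session and a checkin on the same flow, and fragnantbui.shop has a session but the visible rows end before its checkin. Several domains resolve to the same address (188.114.96.3, 188.114.97.3), so the domain list, not the IP list, is the durable blocklist; the IPs are a shared CDN front.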
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T11:19:08.742677+0200 | 2056048 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop) | 1 | 192.168.2.7 | 59462 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:08.756688+0200 | 2056164 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) | 1 | 192.168.2.7 | 52534 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:09.241941+0200 | 2056165 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) | 1 | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP
2024-09-27T11:19:09.761554+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP
2024-09-27T11:19:09.761554+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | TCP
2024-09-27T11:19:09.791657+0200 | 2056162 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) | 1 | 192.168.2.7 | 54428 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:10.388673+0200 | 2056163 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) | 1 | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:10.980022+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:10.980022+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:10.982845+0200 | 2056160 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) | 1 | 192.168.2.7 | 53004 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:11.461179+0200 | 2056161 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) | 1 | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:11.913044+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:11.913044+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | TCP
2024-09-27T11:19:11.916804+0200 | 2056158 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) | 1 | 192.168.2.7 | 54688 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:12.420066+0200 | 2056159 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) | 1 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP
2024-09-27T11:19:12.867203+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP
2024-09-27T11:19:12.867203+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | TCP
2024-09-27T11:19:12.880479+0200 | 2056156 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) | 1 | 192.168.2.7 | 59089 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:13.390734+0200 | 2056157 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) | 1 | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP
2024-09-27T11:19:13.818966+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP
2024-09-27T11:19:13.818966+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | TCP
2024-09-27T11:19:13.822074+0200 | 2056154 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) | 1 | 192.168.2.7 | 62216 | 1.1.1.1 | 53 | UDP
2024-09-27T11:19:14.321187+0200 | 2056155 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) | 1 | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP
2024-09-27T11:19:14.778306+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | TCP
                                                                                                                    2024-09-27T11:19:14.778306+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.749705188.114.97.3443TCP
                                                                                                                    2024-09-27T11:19:14.780197+02002056152ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)1192.168.2.7494931.1.1.153UDP
                                                                                                                    2024-09-27T11:19:15.258313+02002056153ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)1192.168.2.749706188.114.96.3443TCP
                                                                                                                    2024-09-27T11:19:15.705280+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.749706188.114.96.3443TCP
                                                                                                                    2024-09-27T11:19:15.705280+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.749706188.114.96.3443TCP
                                                                                                                    2024-09-27T11:19:15.706895+02002056150ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)1192.168.2.7551351.1.1.153UDP
                                                                                                                    2024-09-27T11:19:16.189594+02002056151ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)1192.168.2.749707104.21.77.130443TCP
                                                                                                                    2024-09-27T11:19:16.606928+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.749707104.21.77.130443TCP
                                                                                                                    2024-09-27T11:19:16.606928+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.749707104.21.77.130443TCP
                                                                                                                    2024-09-27T11:19:18.776975+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.749709104.21.2.13443TCP
                                                                                                                    2024-09-27T11:19:18.776975+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.749709104.21.2.13443TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 11:19:08.774766922 CEST | 49700 | 443 | 192.168.2.7 | 104.21.4.136
Sep 27, 2024 11:19:08.774848938 CEST | 443 | 49700 | 104.21.4.136 | 192.168.2.7
Sep 27, 2024 11:19:08.774914980 CEST | 49700 | 443 | 192.168.2.7 | 104.21.4.136
Sep 27, 2024 11:19:08.778871059 CEST | 49700 | 443 | 192.168.2.7 | 104.21.4.136
Sep 27, 2024 11:19:08.778898001 CEST | 443 | 49700 | 104.21.4.136 | 192.168.2.7
Sep 27, 2024 11:19:09.241782904 CEST | 443 | 49700 | 104.21.4.136 | 192.168.2.7
Sep 27, 2024 11:19:09.241940975 CEST | 49700 | 443 | 192.168.2.7 | 104.21.4.136
Sep 27, 2024 11:19:09.245635033 CEST | 49700 | 443 | 192.168.2.7 | 104.21.4.136
Sep 27, 2024 11:19:09.245656967 CEST | 443 | 49700 | 104.21.4.136 | 192.168.2.7
Sep 27, 2024 11:19:09.245915890 CEST | 443 | 49700 | 104.21.4.136 | 192.168.2.7
Sep 27, 2024 11:19:09.293956995 CEST | 49700 | 443 | 192.168.2.7 | 104.21.4.136
Sep 27, 2024 11:19:09.330127001 CEST | 49700 | 443 | 192.168.2.7 | 104.21.4.136
Sep 27, 2024 11:19:09.330127001 CEST | 49700 | 443 | 192.168.2.7 | 104.21.4.136
Sep 27, 2024 11:19:09.330297947 CEST | 443 | 49700 | 104.21.4.136 | 192.168.2.7
Sep 27, 2024 11:19:09.761573076 CEST | 443 | 49700 | 104.21.4.136 | 192.168.2.7
Sep 27, 2024 11:19:09.761666059 CEST | 443 | 49700 | 104.21.4.136 | 192.168.2.7
Sep 27, 2024 11:19:09.761907101 CEST | 49700 | 443 | 192.168.2.7 | 104.21.4.136
Sep 27, 2024 11:19:09.777127028 CEST | 49700 | 443 | 192.168.2.7 | 104.21.4.136
Sep 27, 2024 11:19:09.777175903 CEST | 443 | 49700 | 104.21.4.136 | 192.168.2.7
Sep 27, 2024 11:19:09.907802105 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:09.907866001 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:09.907960892 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:09.908525944 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:09.908539057 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:10.388593912 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:10.388673067 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:10.537415028 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:10.537456036 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:10.537821054 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:10.540781021 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:10.540781021 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:10.540894985 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:10.979285955 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:10.979371071 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:10.979444981 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:10.979686975 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:10.979710102 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:10.979721069 CEST | 49701 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:10.979727030 CEST | 443 | 49701 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:10.999598980 CEST | 49702 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:10.999645948 CEST | 443 | 49702 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:10.999728918 CEST | 49702 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:11.000171900 CEST | 49702 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:11.000184059 CEST | 443 | 49702 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:11.461108923 CEST | 443 | 49702 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:11.461179018 CEST | 49702 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:11.463076115 CEST | 49702 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:11.463093042 CEST | 443 | 49702 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:11.463392019 CEST | 443 | 49702 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:11.464948893 CEST | 49702 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:11.464950085 CEST | 49702 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:11.465023041 CEST | 443 | 49702 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:11.913062096 CEST | 443 | 49702 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:11.913153887 CEST | 443 | 49702 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:11.913213968 CEST | 49702 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:11.913409948 CEST | 49702 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:11.913429976 CEST | 443 | 49702 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:11.913443089 CEST | 49702 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:11.913450956 CEST | 443 | 49702 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:11.937189102 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:11.937226057 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:11.937696934 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:11.937696934 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:11.937731981 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:12.419939041 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:12.420066118 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:12.421864986 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:12.421875954 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:12.422118902 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:12.423351049 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:12.423388004 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:12.423427105 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:12.867187023 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:12.867274046 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:12.867353916 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:12.878937960 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:12.878938913 CEST | 49703 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:12.878972054 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:12.878983021 CEST | 443 | 49703 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:12.896917105 CEST | 49704 | 443 | 192.168.2.7 | 104.21.58.182
Sep 27, 2024 11:19:12.896970987 CEST | 443 | 49704 | 104.21.58.182 | 192.168.2.7
Sep 27, 2024 11:19:12.897085905 CEST | 49704 | 443 | 192.168.2.7 | 104.21.58.182
Sep 27, 2024 11:19:12.897356033 CEST | 49704 | 443 | 192.168.2.7 | 104.21.58.182
Sep 27, 2024 11:19:12.897367954 CEST | 443 | 49704 | 104.21.58.182 | 192.168.2.7
Sep 27, 2024 11:19:13.390624046 CEST | 443 | 49704 | 104.21.58.182 | 192.168.2.7
Sep 27, 2024 11:19:13.390733957 CEST | 49704 | 443 | 192.168.2.7 | 104.21.58.182
Sep 27, 2024 11:19:13.392246008 CEST | 49704 | 443 | 192.168.2.7 | 104.21.58.182
Sep 27, 2024 11:19:13.392256975 CEST | 443 | 49704 | 104.21.58.182 | 192.168.2.7
Sep 27, 2024 11:19:13.392501116 CEST | 443 | 49704 | 104.21.58.182 | 192.168.2.7
Sep 27, 2024 11:19:13.393594980 CEST | 49704 | 443 | 192.168.2.7 | 104.21.58.182
Sep 27, 2024 11:19:13.393620968 CEST | 49704 | 443 | 192.168.2.7 | 104.21.58.182
Sep 27, 2024 11:19:13.393650055 CEST | 443 | 49704 | 104.21.58.182 | 192.168.2.7
Sep 27, 2024 11:19:13.818983078 CEST | 443 | 49704 | 104.21.58.182 | 192.168.2.7
Sep 27, 2024 11:19:13.819077015 CEST | 443 | 49704 | 104.21.58.182 | 192.168.2.7
Sep 27, 2024 11:19:13.819140911 CEST | 49704 | 443 | 192.168.2.7 | 104.21.58.182
Sep 27, 2024 11:19:13.819274902 CEST | 49704 | 443 | 192.168.2.7 | 104.21.58.182
Sep 27, 2024 11:19:13.819293976 CEST | 443 | 49704 | 104.21.58.182 | 192.168.2.7
Sep 27, 2024 11:19:13.819307089 CEST | 49704 | 443 | 192.168.2.7 | 104.21.58.182
Sep 27, 2024 11:19:13.819310904 CEST | 443 | 49704 | 104.21.58.182 | 192.168.2.7
Sep 27, 2024 11:19:13.839633942 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:13.839678049 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:13.839766026 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:13.840064049 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:13.840085030 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:14.321120977 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:14.321187019 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:14.322717905 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:14.322725058 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:14.323040009 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:14.324187994 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:14.324224949 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:14.324258089 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:14.778337955 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:14.778580904 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:14.778659105 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:14.778712034 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:14.778729916 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:14.778753996 CEST | 49705 | 443 | 192.168.2.7 | 188.114.97.3
Sep 27, 2024 11:19:14.778759956 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.7
Sep 27, 2024 11:19:14.793091059 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:14.793135881 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:14.793206930 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:14.793519974 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:14.793536901 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:15.258179903 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:15.258312941 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:15.259841919 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:15.259860992 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:15.260102034 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:15.261233091 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:15.261262894 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:15.261303902 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:15.705291986 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:15.705390930 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:15.705543995 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:15.705688953 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:15.705703020 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:15.705718994 CEST | 49706 | 443 | 192.168.2.7 | 188.114.96.3
Sep 27, 2024 11:19:15.705723047 CEST | 443 | 49706 | 188.114.96.3 | 192.168.2.7
Sep 27, 2024 11:19:15.724312067 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130
Sep 27, 2024 11:19:15.724339008 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7
Sep 27, 2024 11:19:15.724508047 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130
Sep 27, 2024 11:19:15.724730015 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130
Sep 27, 2024 11:19:15.724739075 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7
Sep 27, 2024 11:19:16.189388037 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7
Sep 27, 2024 11:19:16.189594030 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130
Sep 27, 2024 11:19:16.191030979 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130
Sep 27, 2024 11:19:16.191042900 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7
Sep 27, 2024 11:19:16.191325903 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7
Sep 27, 2024 11:19:16.192579985 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130
Sep 27, 2024 11:19:16.192606926 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130
Sep 27, 2024 11:19:16.192662954 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7
Sep 27, 2024 11:19:16.606952906 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7
Sep 27, 2024 11:19:16.607198954 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7
Sep 27, 2024 11:19:16.607279062 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130
Sep 27, 2024 11:19:16.607371092 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130
Sep 27, 2024 11:19:16.607398033 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7
Sep 27, 2024 11:19:16.607413054 CEST | 49707 | 443 | 192.168.2.7 | 104.21.77.130
Sep 27, 2024 11:19:16.607419014 CEST | 443 | 49707 | 104.21.77.130 | 192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:16.616328955 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:16.616378069 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:16.616453886 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:16.616790056 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:16.616806030 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.263047934 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.263138056 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.264866114 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.264874935 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.265222073 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.266403913 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.311408043 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.745685101 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.745743036 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.745784998 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.745789051 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.745811939 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.745845079 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.745878935 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.846967936 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.847024918 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.847098112 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.847120047 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.847153902 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.847168922 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.852453947 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.852539062 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.852545977 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.852588892 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.852642059 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.852705002 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.852770090 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.852787971 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.852849960 CEST49708443192.168.2.7104.102.49.254
                                                                                                                    Sep 27, 2024 11:19:17.852855921 CEST44349708104.102.49.254192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.868069887 CEST49709443192.168.2.7104.21.2.13
                                                                                                                    Sep 27, 2024 11:19:17.868117094 CEST44349709104.21.2.13192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.868186951 CEST49709443192.168.2.7104.21.2.13
                                                                                                                    Sep 27, 2024 11:19:17.868506908 CEST49709443192.168.2.7104.21.2.13
                                                                                                                    Sep 27, 2024 11:19:17.868522882 CEST44349709104.21.2.13192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:18.361959934 CEST44349709104.21.2.13192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:18.362087011 CEST49709443192.168.2.7104.21.2.13
                                                                                                                    Sep 27, 2024 11:19:18.364015102 CEST49709443192.168.2.7104.21.2.13
                                                                                                                    Sep 27, 2024 11:19:18.364027977 CEST44349709104.21.2.13192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:18.364305019 CEST44349709104.21.2.13192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:18.365511894 CEST49709443192.168.2.7104.21.2.13
                                                                                                                    Sep 27, 2024 11:19:18.365536928 CEST49709443192.168.2.7104.21.2.13
                                                                                                                    Sep 27, 2024 11:19:18.365588903 CEST44349709104.21.2.13192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:18.776984930 CEST44349709104.21.2.13192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:18.777084112 CEST44349709104.21.2.13192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:18.777132988 CEST49709443192.168.2.7104.21.2.13
                                                                                                                    Sep 27, 2024 11:19:18.780220985 CEST49709443192.168.2.7104.21.2.13
                                                                                                                    Sep 27, 2024 11:19:18.780242920 CEST44349709104.21.2.13192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:18.780255079 CEST49709443192.168.2.7104.21.2.13
                                                                                                                    Sep 27, 2024 11:19:18.780265093 CEST44349709104.21.2.13192.168.2.7
                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                    Sep 27, 2024 11:19:08.742676973 CEST5946253192.168.2.71.1.1.1
                                                                                                                    Sep 27, 2024 11:19:08.752720118 CEST53594621.1.1.1192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:08.756688118 CEST5253453192.168.2.71.1.1.1
                                                                                                                    Sep 27, 2024 11:19:08.769135952 CEST53525341.1.1.1192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:09.791656971 CEST5442853192.168.2.71.1.1.1
                                                                                                                    Sep 27, 2024 11:19:09.806864023 CEST53544281.1.1.1192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:10.982845068 CEST5300453192.168.2.71.1.1.1
                                                                                                                    Sep 27, 2024 11:19:10.998209953 CEST53530041.1.1.1192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:11.916804075 CEST5468853192.168.2.71.1.1.1
                                                                                                                    Sep 27, 2024 11:19:11.931961060 CEST53546881.1.1.1192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:12.880479097 CEST5908953192.168.2.71.1.1.1
                                                                                                                    Sep 27, 2024 11:19:12.894628048 CEST53590891.1.1.1192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:13.822073936 CEST6221653192.168.2.71.1.1.1
                                                                                                                    Sep 27, 2024 11:19:13.838804960 CEST53622161.1.1.1192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:14.780196905 CEST4949353192.168.2.71.1.1.1
                                                                                                                    Sep 27, 2024 11:19:14.792385101 CEST53494931.1.1.1192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:15.706895113 CEST5513553192.168.2.71.1.1.1
                                                                                                                    Sep 27, 2024 11:19:15.723588943 CEST53551351.1.1.1192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:16.608776093 CEST6367353192.168.2.71.1.1.1
                                                                                                                    Sep 27, 2024 11:19:16.615581989 CEST53636731.1.1.1192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:17.854218006 CEST6110453192.168.2.71.1.1.1
                                                                                                                    Sep 27, 2024 11:19:17.867294073 CEST53611041.1.1.1192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:52.927088022 CEST5362908162.159.36.2192.168.2.7
                                                                                                                    Sep 27, 2024 11:19:54.049200058 CEST53497551.1.1.1192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 27, 2024 11:19:08.742676973 CEST | 192.168.2.7 | 1.1.1.1 | 0x610e | Standard query (0) | lootebarrkeyn.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:08.756688118 CEST | 192.168.2.7 | 1.1.1.1 | 0x8e84 | Standard query (0) | gutterydhowi.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:09.791656971 CEST | 192.168.2.7 | 1.1.1.1 | 0xbba1 | Standard query (0) | ghostreedmnu.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:10.982845068 CEST | 192.168.2.7 | 1.1.1.1 | 0xc113 | Standard query (0) | offensivedzvju.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:11.916804075 CEST | 192.168.2.7 | 1.1.1.1 | 0x90ec | Standard query (0) | vozmeatillu.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:12.880479097 CEST | 192.168.2.7 | 1.1.1.1 | 0x1a69 | Standard query (0) | drawzhotdog.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:13.822073936 CEST | 192.168.2.7 | 1.1.1.1 | 0x6321 | Standard query (0) | fragnantbui.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:14.780196905 CEST | 192.168.2.7 | 1.1.1.1 | 0x34b5 | Standard query (0) | stogeneratmns.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:15.706895113 CEST | 192.168.2.7 | 1.1.1.1 | 0x79df | Standard query (0) | reinforcenh.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:16.608776093 CEST | 192.168.2.7 | 1.1.1.1 | 0xb031 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:17.854218006 CEST | 192.168.2.7 | 1.1.1.1 | 0x9669 | Standard query (0) | ballotnwu.site | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 27, 2024 11:19:08.752720118 CEST | 1.1.1.1 | 192.168.2.7 | 0x610e | Name error (3) | lootebarrkeyn.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:08.769135952 CEST | 1.1.1.1 | 192.168.2.7 | 0x8e84 | No error (0) | gutterydhowi.shop | | 104.21.4.136 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:08.769135952 CEST | 1.1.1.1 | 192.168.2.7 | 0x8e84 | No error (0) | gutterydhowi.shop | | 172.67.132.32 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:09.806864023 CEST | 1.1.1.1 | 192.168.2.7 | 0xbba1 | No error (0) | ghostreedmnu.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:09.806864023 CEST | 1.1.1.1 | 192.168.2.7 | 0xbba1 | No error (0) | ghostreedmnu.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:10.998209953 CEST | 1.1.1.1 | 192.168.2.7 | 0xc113 | No error (0) | offensivedzvju.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:10.998209953 CEST | 1.1.1.1 | 192.168.2.7 | 0xc113 | No error (0) | offensivedzvju.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:11.931961060 CEST | 1.1.1.1 | 192.168.2.7 | 0x90ec | No error (0) | vozmeatillu.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:11.931961060 CEST | 1.1.1.1 | 192.168.2.7 | 0x90ec | No error (0) | vozmeatillu.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:12.894628048 CEST | 1.1.1.1 | 192.168.2.7 | 0x1a69 | No error (0) | drawzhotdog.shop | | 104.21.58.182 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:12.894628048 CEST | 1.1.1.1 | 192.168.2.7 | 0x1a69 | No error (0) | drawzhotdog.shop | | 172.67.162.108 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:13.838804960 CEST | 1.1.1.1 | 192.168.2.7 | 0x6321 | No error (0) | fragnantbui.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:13.838804960 CEST | 1.1.1.1 | 192.168.2.7 | 0x6321 | No error (0) | fragnantbui.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:14.792385101 CEST | 1.1.1.1 | 192.168.2.7 | 0x34b5 | No error (0) | stogeneratmns.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:14.792385101 CEST | 1.1.1.1 | 192.168.2.7 | 0x34b5 | No error (0) | stogeneratmns.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:15.723588943 CEST | 1.1.1.1 | 192.168.2.7 | 0x79df | No error (0) | reinforcenh.shop | | 104.21.77.130 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:15.723588943 CEST | 1.1.1.1 | 192.168.2.7 | 0x79df | No error (0) | reinforcenh.shop | | 172.67.208.139 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:16.615581989 CEST | 1.1.1.1 | 192.168.2.7 | 0xb031 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:17.867294073 CEST | 1.1.1.1 | 192.168.2.7 | 0x9669 | No error (0) | ballotnwu.site | | 104.21.2.13 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 11:19:17.867294073 CEST | 1.1.1.1 | 192.168.2.7 | 0x9669 | No error (0) | ballotnwu.site | | 172.67.128.144 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 104.21.4.136 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 09:19:09 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                                                    Connection: Keep-Alive
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                    Content-Length: 8
                                                                                                                    Host: gutterydhowi.shop
2024-09-27 09:19:09 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                    Data Ascii: act=life
2024-09-27 09:19:09 UTC | 782 | IN | HTTP/1.1 200 OK
                                                                                                                    Date: Fri, 27 Sep 2024 09:19:09 GMT
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    Set-Cookie: PHPSESSID=dh9v9je0u020qao894rkkbcbvp; expires=Tue, 21 Jan 2025 03:05:48 GMT; Max-Age=9999999; path=/
                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                    Pragma: no-cache
                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h%2B3atq%2FmuYzeBTyR9TFzOM%2BU5%2BtqqdTgF9iLX4D9DafN60EZvPFQxtddUusikndxOYY2PtGo4QSgvMfQALyGaPkTHYW27yNTW2VHwkBro1td3SRXdfrJ%2B%2FKj%2BJGpflSGKxokrA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                    Server: cloudflare
                                                                                                                    CF-RAY: 8c9a69139b2642e7-EWR
2024-09-27 09:19:09 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                    Data Ascii: aerror #D12
2024-09-27 09:19:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 09:19:10 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                                                    Connection: Keep-Alive
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                    Content-Length: 8
                                                                                                                    Host: ghostreedmnu.shop
                                                                                                                    2024-09-27 09:19:10 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                    Data Ascii: act=life
                                                                                                                    2024-09-27 09:19:10 UTC784INHTTP/1.1 200 OK
                                                                                                                    Date: Fri, 27 Sep 2024 09:19:10 GMT
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    Set-Cookie: PHPSESSID=rch7dlgbj0n19hm22equgpq76j; expires=Tue, 21 Jan 2025 03:05:49 GMT; Max-Age=9999999; path=/
                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                    Pragma: no-cache
                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zarY43iEh%2B66RLFGc%2BN93Xb3tNKQF7x32RUi55ZNhz%2F%2FTPLpuWPMDKJdZGRXgzFjc5qrh%2FDE5LSziOB3%2FwxCHlL02auXw%2FX0oNNOxzIBZPHcllh%2FKoMwxvLMfu0L9v2vI11kEQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                    Server: cloudflare
                                                                                                                    CF-RAY: 8c9a691b3f6d0fa8-EWR
                                                                                                                    2024-09-27 09:19:10 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                    Data Ascii: aerror #D12
                                                                                                                    2024-09-27 09:19:10 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49702 | 188.114.96.3 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 09:19:11 UTC | 266 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: offensivedzvju.shop
2024-09-27 09:19:11 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-09-27 09:19:11 UTC | 812 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 09:19:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=e05ibca6982gcfbju1n0vhbldk; expires=Tue, 21 Jan 2025 03:05:50 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tXpJJ%2BarDZKyvuQHE5tyG8aXYxvP%2Bg6YrwtaK2YU9R6XyYwtwaM9in1Qndkpn1jb3NG6%2FkJ8iZXiR6Dz7%2B%2FOe50JyTRZyipIhDhz%2BYLaZJPpgYicbZ2l%2FY%2BvQHtm0h%2FGtzs5iHop"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c9a69212ef67c8e-EWR
alt-svc: h3=":443"; ma=86400
2024-09-27 09:19:11 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-09-27 09:19:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 09:19:12 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: vozmeatillu.shop
2024-09-27 09:19:12 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-09-27 09:19:12 UTC | 768 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 09:19:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=krtj7surbme1mffqba02rgikno; expires=Tue, 21 Jan 2025 03:05:51 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GhryVhrSHLVdU4jSMswLOcgd5QYYpNf1rcljCj%2B%2FdhSk8AgYugaYrdBI8y6ArO5%2F1SxhUPRI4Njr7RSxTR3QrizA7GHvUTUi7DPmAx%2Ba4bFDGDC5sIEvbiqeaKDCsilbeIZb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c9a69272c787c9a-EWR
2024-09-27 09:19:12 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-09-27 09:19:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49704 | 104.21.58.182 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 09:19:13 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: drawzhotdog.shop
2024-09-27 09:19:13 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-09-27 09:19:13 UTC | 776 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 09:19:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=fou2do1ejtosajn876pobgkbqd; expires=Tue, 21 Jan 2025 03:05:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KoEchm%2FhQ4ENCu6hCqD4j%2BS%2BHWpgEKm9nmmhYfoFBdgYFiFF11NuQYIl2IDS2V7ylk2r5%2BgZ1%2BmcwwH6U12VZ1mJpycj1nZ10WItUQ8buRBX9Q4X%2FJVtibmMDk%2FQCaE%2BZiWQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c9a692d1c1843a7-EWR
2024-09-27 09:19:13 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-09-27 09:19:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 09:19:14 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: fragnantbui.shop
2024-09-27 09:19:14 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-09-27 09:19:14 UTC | 760 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 09:19:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=32hsjufs57p0d17mq4j4g0c715; expires=Tue, 21 Jan 2025 03:05:53 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t3BatVoyLFWyIpcJEN5PMq3kGSyYV4PuLKMofToz734pkobzvP3Ropx68oUDYLHWWvAZb2PK8GsUhLT3t4JYVQCuuskrkSIP5UT0x7S8VwdrblzwH1s2oOw4ASVkSPI566eP"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c9a69330f8d5e66-EWR
2024-09-27 09:19:14 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-09-27 09:19:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49706 | 188.114.96.3 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 09:19:15 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: stogeneratmns.shop
2024-09-27 09:19:15 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-09-27 09:19:15 UTC | 774 | IN | HTTP/1.1 200 OK
Date: Fri, 27 Sep 2024 09:19:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=p2n7f4pmusqft1agg8loj21ur7; expires=Tue, 21 Jan 2025 03:05:54 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GPw%2FqhFUZKGZDWmzJPDUtJqPXgla911vEyk6CdNH1l8bK6q6Prt%2BmzAsOvNAD9ZdBAug8mUXDldyZO7PVU0QdhsYfR3V8jj3LTm2%2BVgNM%2FjgZvLN9rpe5pxkKb1U24Evv6EayqQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c9a6938e80f4368-EWR
2024-09-27 09:19:15 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-09-27 09:19:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                    7192.168.2.749707104.21.77.1304431448C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                    2024-09-27 09:19:16 UTC263OUTPOST /api HTTP/1.1
                                                                                                                    Connection: Keep-Alive
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                    Content-Length: 8
                                                                                                                    Host: reinforcenh.shop
                                                                                                                    2024-09-27 09:19:16 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                    Data Ascii: act=life
                                                                                                                    2024-09-27 09:19:16 UTC764INHTTP/1.1 200 OK
                                                                                                                    Date: Fri, 27 Sep 2024 09:19:16 GMT
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    Set-Cookie: PHPSESSID=4tpfivfe2avg16b9ogek6q251i; expires=Tue, 21 Jan 2025 03:05:55 GMT; Max-Age=9999999; path=/
                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                    Pragma: no-cache
                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nngU2s%2F6mALcAo3WyJkwoOTULnvWUZWvOOUTz7lIu71PALk5qm2e1siGjYuJP9PJsk1qm9jVxih%2Bzrdlo0peiJJsBWVD7XlXCHhV7g2yVHPACF7JPZqa05zJhouVLr6XwuGO"}],"group":"cf-nel","max_age":604800}
                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                    Server: cloudflare
                                                                                                                    CF-RAY: 8c9a693eaaee72a7-EWR
2024-09-27 09:19:16 UTC | 15 bytes | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                    Data Ascii: aerror #D12
2024-09-27 09:19:16 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49708 | 104.102.49.254 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 09:19:17 UTC | 219 bytes | OUT | GET /profiles/76561199724331900 HTTP/1.1
                                                                                                                    Connection: Keep-Alive
                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                    Host: steamcommunity.com
2024-09-27 09:19:17 UTC | 1870 bytes | IN | HTTP/1.1 200 OK
                                                                                                                    Server: nginx
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                    Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                    Cache-Control: no-cache
                                                                                                                    Date: Fri, 27 Sep 2024 09:19:17 GMT
                                                                                                                    Content-Length: 34663
                                                                                                                    Connection: close
                                                                                                                    Set-Cookie: sessionid=bbe520e1870ce7e0b69aeb25; Path=/; Secure; SameSite=None
                                                                                                                    Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-27 09:19:17 UTC | 14514 bytes | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-27 09:19:17 UTC | 16384 bytes | IN | Data Ascii: ernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" a
2024-09-27 09:19:17 UTC | 3765 bytes | IN | Data Ascii: e info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content "><div class="p


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 49709 | 104.21.2.13 | 443 | 1448 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 09:19:18 UTC | 261 bytes | OUT | POST /api HTTP/1.1
                                                                                                                    Connection: Keep-Alive
                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                    Content-Length: 8
                                                                                                                    Host: ballotnwu.site
2024-09-27 09:19:18 UTC | 8 bytes | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                                                    Data Ascii: act=life
2024-09-27 09:19:18 UTC | 770 bytes | IN | HTTP/1.1 200 OK
                                                                                                                    Date: Fri, 27 Sep 2024 09:19:18 GMT
                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                    Transfer-Encoding: chunked
                                                                                                                    Connection: close
                                                                                                                    Set-Cookie: PHPSESSID=4j4orbhatdcse9u3d3skvra61g; expires=Tue, 21 Jan 2025 03:05:57 GMT; Max-Age=9999999; path=/
                                                                                                                    Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                    Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                    Pragma: no-cache
                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HFr5kgVdTPcCADsxL%2FuqVt8SgVfx8FFfOJaoyvmdlQXJWa%2F3s3APHXBcNXHzMExoaukaxvueOGSt5PguhDiHCWWZ938PbxMh4Nf%2BJa96EoIz5LlyErDpVSdDNIrflbyW7Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                    Server: cloudflare
                                                                                                                    CF-RAY: 8c9a694c2d028cd4-EWR
2024-09-27 09:19:18 UTC | 15 bytes | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                                                                    Data Ascii: aerror #D12
2024-09-27 09:19:18 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                    Data Ascii: 0


                                                                                                                    Target ID:0
                                                                                                                    Start time:05:19:07
                                                                                                                    Start date:27/09/2024
                                                                                                                    Path:C:\Users\user\Desktop\kewyIO69TI.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Users\user\Desktop\kewyIO69TI.exe"
                                                                                                                    Imagebase:0x850000
                                                                                                                    File size:375'296 bytes
                                                                                                                    MD5 hash:EE766F8A002BC94C1ED54DC7602547C9
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1295381070.0000000003CF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:1
                                                                                                                    Start time:05:19:07
                                                                                                                    Start date:27/09/2024
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:3
                                                                                                                    Start time:05:19:07
                                                                                                                    Start date:27/09/2024
                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                    Imagebase:0x460000
                                                                                                                    File size:65'440 bytes
                                                                                                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:4
                                                                                                                    Start time:05:19:07
                                                                                                                    Start date:27/09/2024
                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                    Imagebase:0x910000
                                                                                                                    File size:65'440 bytes
                                                                                                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:20.7%
                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                      Signature Coverage:36.4%
                                                                                                                      Total number of Nodes:22
                                                                                                                      Total number of Limit Nodes:0

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02CF20C7,02CF20B7), ref: 02CF22C4
                                                                                                                      • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02CF22D7
                                                                                                                      • Wow64GetThreadContext.KERNEL32(0000031C,00000000), ref: 02CF22F5
                                                                                                                      • ReadProcessMemory.KERNELBASE(00000318,?,02CF210B,00000004,00000000), ref: 02CF2319
                                                                                                                      • VirtualAllocEx.KERNELBASE(00000318,?,?,00003000,00000040), ref: 02CF2344
                                                                                                                      • TerminateProcess.KERNELBASE(00000318,00000000), ref: 02CF2363
                                                                                                                      • WriteProcessMemory.KERNELBASE(00000318,00000000,?,?,00000000,?), ref: 02CF239C
                                                                                                                      • WriteProcessMemory.KERNELBASE(00000318,00400000,?,?,00000000,?,00000028), ref: 02CF23E7
                                                                                                                      • WriteProcessMemory.KERNELBASE(00000318,?,?,00000004,00000000), ref: 02CF2425
                                                                                                                      • Wow64SetThreadContext.KERNEL32(0000031C,02C30000), ref: 02CF2461
                                                                                                                      • ResumeThread.KERNELBASE(0000031C), ref: 02CF2470
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1294442611.0000000002CF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF1000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2cf1000_kewyIO69TI.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
                                                                                                                      • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                                                                                                      • API String ID: 2440066154-1257834847
                                                                                                                      • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                                                                      • Instruction ID: 47c6b93150d591b7eb1435ebed121497986412bdd4e5f53e923bb9b612bb8cb3
                                                                                                                      • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                                                                                                      • Instruction Fuzzy Hash: 1AB1D67664024AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA51CB94

                                                                                                                      Control-flow Graph

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1294287855.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_1200000_kewyIO69TI.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 122559c0dfb25cd9e87cd65cdbd3031cf0931226791b34228c8c3a52e38d5ec8
                                                                                                                      • Instruction ID: ddcab0ff11934924a2150df270c8405ae77871d994048aed4cfeb437fef22438
                                                                                                                      • Opcode Fuzzy Hash: 122559c0dfb25cd9e87cd65cdbd3031cf0931226791b34228c8c3a52e38d5ec8
                                                                                                                      • Instruction Fuzzy Hash: 76D1A170A142598FDB16CFA8C484BECFBF2BF58314F188669E455E7286C734AC41CBA4

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 22 1201218-12012ad VirtualProtectEx 26 12012b4-12012d5 22->26 27 12012af 22->27 27->26
                                                                                                                      APIs
                                                                                                                      • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 012012A0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1294287855.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_1200000_kewyIO69TI.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ProtectVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 544645111-0
                                                                                                                      • Opcode ID: f1e8a1a4a6e03d3a788aad5cf4a814236e92af947f857b5fde44039b540f7857
                                                                                                                      • Instruction ID: 2db59067505184173f01dad9b5eb18f103c504e51aaba137dbb85a49132d49a6
                                                                                                                      • Opcode Fuzzy Hash: f1e8a1a4a6e03d3a788aad5cf4a814236e92af947f857b5fde44039b540f7857
                                                                                                                      • Instruction Fuzzy Hash: 5D2123B1C103499FDB10DFAAC880ADEBBF4FF48310F508529E959A3240C735A904CBA1

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 30 1201220-12012ad VirtualProtectEx 33 12012b4-12012d5 30->33 34 12012af 30->34 34->33
                                                                                                                      APIs
                                                                                                                      • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 012012A0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1294287855.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_1200000_kewyIO69TI.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ProtectVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 544645111-0
                                                                                                                      • Opcode ID: 4b7e804b53c671808cedacc8f2f21dba6672b209f7de86c520d436263ddba469
                                                                                                                      • Instruction ID: 62241d7dc87dbb637157ea06cf15d800a2f0362ddf5875693f7baa2f71730971
                                                                                                                      • Opcode Fuzzy Hash: 4b7e804b53c671808cedacc8f2f21dba6672b209f7de86c520d436263ddba469
                                                                                                                      • Instruction Fuzzy Hash: 9C2102B1C003599FDB20DFAAC880ADEBBF4FF48310F50852AE919A3240C775A901CBA1

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage: 1.2%
                                                                                                                      Dynamic/Decrypted Code Coverage: 0%
                                                                                                                      Signature Coverage: 47.2%
                                                                                                                      Total number of Nodes: 125
                                                                                                                      Total number of Limit Nodes: 11

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentProcess$ExitInputStateThread
                                                                                                                      • String ID: mlon$qpsr
                                                                                                                      • API String ID: 1029096631-2320206279
                                                                                                                      • Opcode ID: 7930aff37ba72ce8264af3c29ed56ea6ce6d8b229feb210a3e04cfecf3ed9881
                                                                                                                      • Instruction ID: 0b5985bc83f50576ef1f085b5a0d62e7e6efba06dbaf663de6811bcd9dd79fdb
                                                                                                                      • Opcode Fuzzy Hash: 7930aff37ba72ce8264af3c29ed56ea6ce6d8b229feb210a3e04cfecf3ed9881
                                                                                                                      • Instruction Fuzzy Hash: 7D416C7480C240ABD301BFA8D544A1EFBE5EF56705F148C2EE4C4A7392C23AC818CB6B

                                                                                                                      Control-flow Graph

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: }D$%sgh$4`[b${D
                                                                                                                      • API String ID: 0-1200795032
                                                                                                                      • Opcode ID: 05b3149f2a3e830b37f71957d57e1fb7ca9e9332a621777ac5fd2e0c82385c56
                                                                                                                      • Instruction ID: e9ff087d7b6ba292c07e2a373faf3cf3d0a9800b043d4ee0ae862f7c510f9595
                                                                                                                      • Opcode Fuzzy Hash: 05b3149f2a3e830b37f71957d57e1fb7ca9e9332a621777ac5fd2e0c82385c56
                                                                                                                      • Instruction Fuzzy Hash: 05817A7060C3419FE710EF28D890A2EBBE5EB99315F148C6DF1C597262C739E891CB1A

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 216 4476d0-447702 LdrInitializeThunk
                                                                                                                      APIs
                                                                                                                      • LdrInitializeThunk.NTDLL(0044B41F,?,00000004,?,?,00000018,?), ref: 004476FE
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                                                                      • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                                                                                                                      • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                                                                      • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 291 447e1b-447e2b call 445dc0 294 447e41-447ebf 291->294 295 447e2d 291->295 296 447ef6-447f02 294->296 297 447ec1 294->297 298 447e30-447e3f 295->298 300 447f04-447f0f 296->300 301 447f45-447f47 296->301 299 447ed0-447ef4 call 448a50 297->299 298->294 298->298 299->296 303 447f10-447f17 300->303 305 447f20-447f26 303->305 306 447f19-447f1c 303->306 305->301 308 447f28-447f3d call 4476d0 305->308 306->303 307 447f1e 306->307 307->301 310 447f42 308->310 310->301
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: @
                                                                                                                      • API String ID: 0-2766056989
                                                                                                                      • Opcode ID: 2042c984cff8e36586f157c90dfe1e22c009bb683d2571c29aa94926772e1527
                                                                                                                      • Instruction ID: cdf6f297f13441fe2925969da6b6994966f8396d0ae99224b9e918e95d5920a6
                                                                                                                      • Opcode Fuzzy Hash: 2042c984cff8e36586f157c90dfe1e22c009bb683d2571c29aa94926772e1527
                                                                                                                      • Instruction Fuzzy Hash: 9B31A97180C3018BE714DF28C89072BB7F1EF95305F44596EF8C9A72A1E7399845CB9A

                                                                                                                      Control-flow Graph

                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:

                                                                                                                      Control-flow Graph (graph omitted)
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:

                                                                                                                      Control-flow Graph (graph omitted)
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 99 44445c-444462 101 444470-444474 RtlAllocateHeap 99->101
                                                                                                                      APIs
                                                                                                                      • RtlAllocateHeap.NTDLL(?,00000000), ref: 00444474
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateHeap
                                                                                                                      • String ID: |DD
                                                                                                                      • API String ID: 1279760036-1192118190

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 102 444470-444474 RtlAllocateHeap
                                                                                                                      APIs
                                                                                                                      • RtlAllocateHeap.NTDLL(?,00000000), ref: 00444474
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateHeap
                                                                                                                      • String ID: |DD
                                                                                                                      • API String ID: 1279760036-1192118190

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 181 447130-447145 182 4471f4-4471fd call 444490 181->182 183 4471e4 181->183 184 4471c0-4471c7 RtlReAllocateHeap 181->184 185 4471d3-4471dc call 4443f0 181->185 186 4471b3-4471b7 181->186 187 44714c-447153 181->187 188 4471de 181->188 189 44715a-447174 181->189 190 4471eb-4471f1 call 444490 181->190 192 4471e7-4471ea 183->192 184->185 185->192 186->184 187->182 187->183 187->184 187->186 187->188 187->189 187->190 188->183 193 4471a6-4471aa 189->193 194 447176 189->194 190->182 193->186 199 447180-4471a4 call 447660 194->199 199->193
                                                                                                                      APIs
                                                                                                                      • RtlReAllocateHeap.NTDLL(4B6A4902,00000000), ref: 004471C7
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateHeap
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1279760036-0

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 203 444490-4444a1 204 444526-444529 203->204 205 444500 203->205 206 444520 203->206 207 444511-444517 203->207 208 444502-444505 203->208 209 44452c-444530 RtlFreeHeap 203->209 210 4444a8-4444bd 203->210 204->209 205->208 208->207 211 4444e6-4444f3 210->211 212 4444bf 210->212 211->205 213 4444c0-4444e4 call 4475d0 212->213 213->211
                                                                                                                      APIs
                                                                                                                      • RtlFreeHeap.NTDLL(4B6A4902,00000000), ref: 00444530
                                                                                                                      Similarity
                                                                                                                      • API ID: FreeHeap
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3298025750-0
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: !>?$ z%$()&'$(qM$,-*+$0$01NO$4523$<=:;$@A^_$DEBC$HIFG$HKJM$LMJK$ONIH$PQno$XYVW$[ZED$\]Z[$dgfi$turs$xyvw$x{z}
                                                                                                                      • API String ID: 0-2038966068
                                                                                                                      Similarity
                                                                                                                      • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                                                                      • String ID: F$G$H$N$S$s$u$z${$|$}
                                                                                                                      • API String ID: 2832541153-1941974359
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: .,$37$53$9)$<&$<:$MI$O=|?$Q%e'$TW$[Y$`a$n)l+$sAuC$#!$/-$31$75$sq
                                                                                                                      • API String ID: 0-518734598
                                                                                                                      • Opcode ID: b3b08317d2e0cfa541fc023eb25e697968bc4af5299184a1130a56b36b739f48
                                                                                                                      • Instruction ID: 03ea407fed1d32f28916693174b9482451e2888c3307ff2ead53aff0a4ec171c
                                                                                                                      • Opcode Fuzzy Hash: b3b08317d2e0cfa541fc023eb25e697968bc4af5299184a1130a56b36b739f48
                                                                                                                      • Instruction Fuzzy Hash: D362D6B55093828AE3748F01E680BDFBBF1BB96344F90892DE5D89B241DB748449CF97
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocString$InitVariant
                                                                                                                      • String ID: 4`[b$4`[b$<],[
                                                                                                                      • API String ID: 3074814690-2254285042
                                                                                                                      • Opcode ID: 0ea8b8889e0bb4a45b6034501902803b8855704a2f451e5abac1be5342d0fdbe
                                                                                                                      • Instruction ID: 3b70daff5964ce097363bec6f93c74fecd6cdfee96da66d185794e42f4892200
                                                                                                                      • Opcode Fuzzy Hash: 0ea8b8889e0bb4a45b6034501902803b8855704a2f451e5abac1be5342d0fdbe
                                                                                                                      • Instruction Fuzzy Hash: 6022CA756083409FE714DF28D880B2FBBE1FF85309F14882DE6858B2A1D739E955CB5A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: ,"@$#6C$%W U$::$VVOT$[X^"$vT^:$xdaa$SQ
                                                                                                                      • API String ID: 0-3977809258
                                                                                                                      • Opcode ID: 687946c3e46dcd2fef14dd3dc931c1ff83cc1edd7a341014e5edc793b6e60020
                                                                                                                      • Instruction ID: 6a30e320bc9aa03169a315c8e403c78acd1a2c3e87340e59c740f6ce2ae395c4
                                                                                                                      • Opcode Fuzzy Hash: 687946c3e46dcd2fef14dd3dc931c1ff83cc1edd7a341014e5edc793b6e60020
                                                                                                                      • Instruction Fuzzy Hash: 06827A70405B818AE7318F25C590BA3BBF0AF1B306F14189ED4EB9B293D739A545CF69
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: $ $$8r?$--',$nLv($u}|
                                                                                                                      • API String ID: 0-457197051
                                                                                                                      • Opcode ID: 68e599e8ffaa50a487a7f43620eb8ee021e6b6941ac51a7c1ed568df97d2eee9
                                                                                                                      • Instruction ID: 8b41d4da4bcd42269ea7739c650f07c77f5b2283e083b4b23c58f1815274c948
                                                                                                                      • Opcode Fuzzy Hash: 68e599e8ffaa50a487a7f43620eb8ee021e6b6941ac51a7c1ed568df97d2eee9
                                                                                                                      • Instruction Fuzzy Hash: 9352CF70504B418BE7258F35C494BA7BBE1AF4A305F14886EE5EB8B392CB3AF405CB55
                                                                                                                      APIs
                                                                                                                      • VariantClear.OLEAUT32(00000008), ref: 004408F3
                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 00440920
                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 00440929
                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 00440940
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: FreeString$ClearVariant
                                                                                                                      • String ID: 4`[b$4`[b
                                                                                                                      • API String ID: 3349467263-3640500014
                                                                                                                      • Opcode ID: e385970683e39f11de06317a4428018e5c6c996f516a19f857f1be5293d116c9
                                                                                                                      • Instruction ID: 09d7fc534b87bbdf8393991c9ef56cf577bcdd1ce3a6edc29adcf294396d53e5
                                                                                                                      • Opcode Fuzzy Hash: e385970683e39f11de06317a4428018e5c6c996f516a19f857f1be5293d116c9
                                                                                                                      • Instruction Fuzzy Hash: CFB1CF756083009FE710DF64E891B2FB7E5EB8530AF14883DE685CB252D739E815CB5A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$A$gfff$gfff$gfff
                                                                                                                      • API String ID: 0-947532036
                                                                                                                      • Opcode ID: e06ab667e6b9483aab09583229f0419af3f4093797c2ed4d09b53c95b9789ffe
                                                                                                                      • Instruction ID: 21de5e691bd859abbc2be4e82a4dcaafefefd4727c911ae8c5553d0c2646aee4
                                                                                                                      • Opcode Fuzzy Hash: e06ab667e6b9483aab09583229f0419af3f4093797c2ed4d09b53c95b9789ffe
                                                                                                                      • Instruction Fuzzy Hash: 4EE2D2716083418FD714CF29C49476BBBE2ABC9314F188A3EE895A73D1D379DA05CB86
                                                                                                                      APIs
                                                                                                                      • CoInitialize.OLE32(00000000), ref: 0041254E
                                                                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00412570
                                                                                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0041289E
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Initialize$DirectorySecuritySystem
                                                                                                                      • String ID: q-s
                                                                                                                      • API String ID: 1379780170-2538240376
                                                                                                                      • Opcode ID: 574801d40f12a725b9c9cb71e3c2e1c5558239a08317548fb3447c718f303320
                                                                                                                      • Instruction ID: e90c699da80fdbf97deba592771adfca9ffecd6f7c132f23d46d425fcbc939e9
                                                                                                                      • Opcode Fuzzy Hash: 574801d40f12a725b9c9cb71e3c2e1c5558239a08317548fb3447c718f303320
                                                                                                                      • Instruction Fuzzy Hash: AA62D0B45007419FD3219F26D481627BBF1FF06308F14495DE4DA8BBA2D33AE896CB99
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: J<BJ$f`E$f`E$v{${3$~
                                                                                                                      • API String ID: 0-1732740514
                                                                                                                      • Opcode ID: 76f2aed4a057638f363fd031f3dbe0569a69028984208c497ec39f2097cc7ed5
                                                                                                                      • Instruction ID: 4e670058078cea7fd43884a886fc8be73a26d202e8482742903b49392826d215
                                                                                                                      • Opcode Fuzzy Hash: 76f2aed4a057638f363fd031f3dbe0569a69028984208c497ec39f2097cc7ed5
                                                                                                                      • Instruction Fuzzy Hash: 53D1687050C3818BD321DF18C49062EBBE1AF92744F54093EE5D1AB7A2D339D949CBAB
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: drG$)FC$?*$2$CIBH${vry
                                                                                                                      • API String ID: 0-1492907507
                                                                                                                      • Opcode ID: 76d7692e372014387e47a71721219990899b7678fcf2bf8cf459b591c2ce3725
                                                                                                                      • Instruction ID: ae17b6820417c1f5d865f6f8db41105b67f97988771920ed6e8cdea7b43e7d9c
                                                                                                                      • Opcode Fuzzy Hash: 76d7692e372014387e47a71721219990899b7678fcf2bf8cf459b591c2ce3725
                                                                                                                      • Instruction Fuzzy Hash: 87A28B70405B818AE7328F35C590BE3BBF1AF1A305F04589ED4EA9B282DB3AB545CB55
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: MetricsSystem
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4116985748-3916222277
                                                                                                                      • Opcode ID: 6d15c560a22f2f746b61e91c69fede85cce94a29c4e560c9bab8bff2291995dd
                                                                                                                      • Instruction ID: 04cec409040a24a7638083f5cbef6eeda66da4d91f8b2fb747c19da65d0b6118
                                                                                                                      • Opcode Fuzzy Hash: 6d15c560a22f2f746b61e91c69fede85cce94a29c4e560c9bab8bff2291995dd
                                                                                                                      • Instruction Fuzzy Hash: 62319FB49182009FDB00EF68D98565EBBF0BB89304F11853EE898D7360D774A959CF86
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: ,"@$#6C$%W U$::$VVOT$[X^"$vT^:$xdaa$SQ
                                                                                                                      • API String ID: 0-3977809258
                                                                                                                      • Opcode ID: 5316a4421e8038fc09d359bae9942a20de967b06b3305538db8130970f2136b8
                                                                                                                      • Instruction ID: 47a7bdd0108c2fb9dd8588cd9d3ff781ee98881393f00aa1a63237223b76b1bc
                                                                                                                      • Opcode Fuzzy Hash: 5316a4421e8038fc09d359bae9942a20de967b06b3305538db8130970f2136b8
                                                                                                                      • Instruction Fuzzy Hash: 4A615B70005B808AE7718F34C494BE7BBE0BF1A306F44589ED4EA9B292DB3AA505CF55
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 4`[b$4`[b$D
                                                                                                                      • API String ID: 0-2855741908
                                                                                                                      • Opcode ID: ed9ea28e12b6c3f2a80f412645aefceee75c8d90be7708955877a316dca48e77
                                                                                                                      • Instruction ID: 31d3bb4f6c8ef88d8f7c367f3412f89acc0e11c248f3c087f24487996a868f02
                                                                                                                      • Opcode Fuzzy Hash: ed9ea28e12b6c3f2a80f412645aefceee75c8d90be7708955877a316dca48e77
                                                                                                                      • Instruction Fuzzy Hash: 5DE1BBB0608381DFD720CF24E895BABB7E2FF85305F54496EE4889B352D3799850CB5A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
APIs
• CoCreateInstance.OLE32(0044EB80,00000000,00000001,0044EB70), ref: 00426FE9
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Yara matches
Similarity
• API ID: CreateInstance
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 542301482-0
                                                                                                                      • Opcode ID: 6b857c024720ac7b7e352e76ddfa4817e7e42bf3c285e39b0cfbbb18e45e5121
                                                                                                                      • Instruction ID: 6c14e4c9a293253992b80aceda0b72b65ad673230c86ebd3f60838f3fce4d3ea
                                                                                                                      • Opcode Fuzzy Hash: 6b857c024720ac7b7e352e76ddfa4817e7e42bf3c285e39b0cfbbb18e45e5121
                                                                                                                      • Instruction Fuzzy Hash: DE61FEB03082209BDB209B24DC96B7733A4EF82358F144559F986CB390E379E809C76A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: "
                                                                                                                      • API String ID: 0-123907689
                                                                                                                      • Opcode ID: 3a375ffb791029574d5d487153f84a713dd1c5f8a93d4cec6e8116d322515391
                                                                                                                      • Instruction ID: dac99c5dab73986a5260e87837a74846541daf9fe20671a14200a52273f6332c
                                                                                                                      • Opcode Fuzzy Hash: 3a375ffb791029574d5d487153f84a713dd1c5f8a93d4cec6e8116d322515391
                                                                                                                      • Instruction Fuzzy Hash: CCC159B2A043045BD7148F24C49176BB7E9AF89354F1C9A2FE895873A1D73CDC44C79A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: P
                                                                                                                      • API String ID: 0-3110715001
                                                                                                                      • Opcode ID: 096e396a3b36b829a6566558fd17d7f7d8ce7d5dba024e2e843d7647ff22d511
                                                                                                                      • Instruction ID: dd4241a5a5a1caa29915f85dd6641d1f89e5dc2f7704d5486d9f392ef1a7eae6
                                                                                                                      • Opcode Fuzzy Hash: 096e396a3b36b829a6566558fd17d7f7d8ce7d5dba024e2e843d7647ff22d511
                                                                                                                      • Instruction Fuzzy Hash: E9D104329082714FE725CE18989071FB6E1EB85718F168A3DE8B5AB381CB75DC06D7C6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 2B
                                                                                                                      • API String ID: 0-2489582833
                                                                                                                      • Opcode ID: e7c9954c64a2a2e716abb4006260575443ff31ca00f66fa76071335e070d8145
                                                                                                                      • Instruction ID: 1648f17e86a6f30225877104b632deb72bbb2998103f50de6865a7bf14004587
                                                                                                                      • Opcode Fuzzy Hash: e7c9954c64a2a2e716abb4006260575443ff31ca00f66fa76071335e070d8145
                                                                                                                      • Instruction Fuzzy Hash: 26A15731608391DFD3158F39EC5132A7BE2BF8A312F0986BDE491873A2D739DA458B05
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: drG$)FC$?*$2$CIBH${vry
                                                                                                                      • API String ID: 0-1492907507
                                                                                                                      • Opcode ID: bc606f07fc9a9b37c0bbc1281e8971c1ba7d3ec63685693cc84bf1c889e06ed2
                                                                                                                      • Instruction ID: cd923c6c2a59a948de96ec4fde7e4145b598f3882073ecf6b485000af5a54b7d
                                                                                                                      • Opcode Fuzzy Hash: bc606f07fc9a9b37c0bbc1281e8971c1ba7d3ec63685693cc84bf1c889e06ed2
                                                                                                                      • Instruction Fuzzy Hash: 40B15C70404B818AE776CF39C490BE3BBE0AF5A304F44589ED4EA87792DB3AB445CB55
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID: 4`[b
                                                                                                                      • API String ID: 2994545307-3962175265
                                                                                                                      • Opcode ID: d7efba24f39cafc4f8138a2c0540639fa06f185e091667fb1a290be13ed1cba3
                                                                                                                      • Instruction ID: 65037cb4b131e6f69ae25d9d0f844069ac1afd20bdace3c3e68c66be08e3ab69
                                                                                                                      • Opcode Fuzzy Hash: d7efba24f39cafc4f8138a2c0540639fa06f185e091667fb1a290be13ed1cba3
                                                                                                                      • Instruction Fuzzy Hash: 3291C371608341ABF720DB15DC41B6FB7E6EB85354F54882EF98487352EB34E840DB9A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 4`[b
                                                                                                                      • API String ID: 0-3962175265
                                                                                                                      • Opcode ID: a9deb8d38d84d4afaf040186a8d67045d647737b27c5b75a10c779e7b3d72402
                                                                                                                      • Instruction ID: c5202ddbdcec288203f215c2c9f34064d5f6e2a8da8471ef5e17f24a05bd36fb
                                                                                                                      • Opcode Fuzzy Hash: a9deb8d38d84d4afaf040186a8d67045d647737b27c5b75a10c779e7b3d72402
                                                                                                                      • Instruction Fuzzy Hash: DB511371A09310ABEB159B189C90B3FB7E5EB89314F148A2DF8E5573E1CA35EC01C75A
                                                                                                                      Strings
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID: @QB
• API String ID: 0-3030980731
• Opcode ID: fa7d8ae5b693dd60f6850cd017a17b0abae062ab4b2c1048713c2209d971f0dc
• Instruction ID: 6d0cb73502d01e38b06274afbc8596ab77b17627c4c691baab7245b414bc2194
• Opcode Fuzzy Hash: fa7d8ae5b693dd60f6850cd017a17b0abae062ab4b2c1048713c2209d971f0dc
• Instruction Fuzzy Hash: C8219F74A093109BC310AB18D851A3BB7F5EF93755F848A1DE4D59B392E338CD10CBA6
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID: InitializeThunk
• String ID: @
• API String ID: 2994545307-2766056989
• Opcode ID: 405783dcd224cdf1397306dffb70641e0a1f7fae826e9b44d4411e2f7100f4cf
• Instruction ID: a91349f1e9a40293b62091c3c1e01b002cddce6e5b6639776973f8a2a5a102dc
• Opcode Fuzzy Hash: 405783dcd224cdf1397306dffb70641e0a1f7fae826e9b44d4411e2f7100f4cf
• Instruction Fuzzy Hash: 493156705093009BE714DF25D980A2BFBF9FF8A314F14892DF9C897252D339D9048BAA
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4631f2e57031adde87b200ba4790210232e1e318b6d81c4360bce7a359158444
• Instruction ID: 956be2415fbe3cf17e3c2b9217a92116aac390c51ce612f86c4722e2567f76f6
• Opcode Fuzzy Hash: 4631f2e57031adde87b200ba4790210232e1e318b6d81c4360bce7a359158444
• Instruction Fuzzy Hash: BF42B331508315CBC725DF18E88026BB3E2FFD4314F258A3ED996A7385D739A951CB8A
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4890b7e1405b60d2036cc250fc21e402b4f197dab0f25acee06565f4f699a01d
• Instruction ID: e9f524300c54591016e612151c2e6d16e79c1b555d40a7684eed9594cd61b04f
• Opcode Fuzzy Hash: 4890b7e1405b60d2036cc250fc21e402b4f197dab0f25acee06565f4f699a01d
• Instruction Fuzzy Hash: 9152B331A0C3458FCB15CF24C0906AABBE1BF85314F19897EE89A67391D778E945CF86
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0a7a94d621f91307b6425b2df28a6db3f3defc87c09105d060c306e6a5a959a9
• Instruction ID: 12bdd899994ea3f390c2677d5a8b46d1064a99c9932b785e2cc315b4497e3188
• Opcode Fuzzy Hash: 0a7a94d621f91307b6425b2df28a6db3f3defc87c09105d060c306e6a5a959a9
• Instruction Fuzzy Hash: EFB1BE31A09254DFD704DF28D99166EB7F1FB8A312F0A8829E889D7352D335ED20CB95
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bfd3633d6ed618898280b2bfa9fcdb0017dbfca5d3d0489a1ceccd4b7ddeeab4
• Instruction ID: ba77fbe9a575c5c0e3916e552f8b9e900528f4925402827c04f08fa9a54957d4
• Opcode Fuzzy Hash: bfd3633d6ed618898280b2bfa9fcdb0017dbfca5d3d0489a1ceccd4b7ddeeab4
• Instruction Fuzzy Hash: 6FB1BA76A04316CFDB00CF64E8A466EB7B1FB4A302F194869D9019B362D3349854DB95
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b39d16f317e8d19da953c30fd6ba31bcb37fca65e178eef6612cf70bcdbf204
• Instruction ID: 777062db379b90a3490bb9d039b80cdec0e37db8c352507ae385cde0aeea2dbb
• Opcode Fuzzy Hash: 4b39d16f317e8d19da953c30fd6ba31bcb37fca65e178eef6612cf70bcdbf204
• Instruction Fuzzy Hash: 3AB159B4500B419FD3218F24CA80B67BBF5FF46705F04891DE8AA97A91E339F854CB69
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9d4a0865f99f740c6db4d1f545baa4b7358d8cded0662193f7d95dc8b470dc04
• Instruction ID: 71323470c014a4a126a73179cc5a1ef60c16c30d165a2ed76876cba0ed87e0d4
• Opcode Fuzzy Hash: 9d4a0865f99f740c6db4d1f545baa4b7358d8cded0662193f7d95dc8b470dc04
• Instruction Fuzzy Hash: 0181C0706083019BE7109F68D880A2FB7E6FF95744F25882DE5C58B362D739EC54CB9A
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6bc8c1bd5ce96e5f68242ff809a3884e59ac652b41232c3f29468b36261b81fa
• Instruction ID: 70c147ec3628391604478acdee8e0d2f37a7db2c632e37ade1ef48e142da4b81
• Opcode Fuzzy Hash: 6bc8c1bd5ce96e5f68242ff809a3884e59ac652b41232c3f29468b36261b81fa
• Instruction Fuzzy Hash: 8E711075A142158BCB25CF68C8502BFB7B2BF9A301F18457AD841A77E2D3399809CB58
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7831cf32dc2c0b8a978041a18ff1a4a9518294b4dfe30571e244d26eee5d1997
• Instruction ID: b5ff81ec9e9af75986a4fac7fb74df821215003c5149bce377154884bf3d8d24
• Opcode Fuzzy Hash: 7831cf32dc2c0b8a978041a18ff1a4a9518294b4dfe30571e244d26eee5d1997
• Instruction Fuzzy Hash: B561E030608701ABEB10DF15D880B2BF7E6EB85314F24892EF59887362D739EC55CB5A
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 742f14a2709897ecdbb5e48ca64229ac29e7b7e0da12c54bddaaaaba9491ebdf
• Instruction ID: dc97e09a7f7da624c8807c98710862b4dce587ce3812b6c05e15904d13e63158
• Opcode Fuzzy Hash: 742f14a2709897ecdbb5e48ca64229ac29e7b7e0da12c54bddaaaaba9491ebdf
• Instruction Fuzzy Hash: 31518F716083409BE714DF29D880B2FB7E5EB85325F14892EF58497352C739E8148BAA
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05d69a286e2430bbf8d7d29ed6800b71f8178752ddf9001bef238cf64567d83a
• Instruction ID: 305a687461efa61535f20c4e30c50516a1adfbbcd579c48b290b171d3c892896
• Opcode Fuzzy Hash: 05d69a286e2430bbf8d7d29ed6800b71f8178752ddf9001bef238cf64567d83a
• Instruction Fuzzy Hash: BD413835A04210CFCB29CF28D8903BEB3B2FF5A311F18417AD801A7792D739A845C759
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8fe51a964e94862e6280fd4530e8e23ea3388074881357ebe8cc1fa4d45db18
• Instruction ID: dec6aa83464d3b4264dd44e35dd919ff3509ff86f22b815f22340c26f882f573
• Opcode Fuzzy Hash: e8fe51a964e94862e6280fd4530e8e23ea3388074881357ebe8cc1fa4d45db18
• Instruction Fuzzy Hash: 8951B3746092009BEB24DF55E980B2BB7E6EBC5305F18882EF4C587321D739DC10CB6A
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b49a934ef247a52156d8ec0288b7fb744e74ccf73bfd21c8170fa558b5e02194
• Instruction ID: a93e7bb16f79f5bee52f37b023afbee245ecc507bf95419d7e2d32b41e93770e
• Opcode Fuzzy Hash: b49a934ef247a52156d8ec0288b7fb744e74ccf73bfd21c8170fa558b5e02194
• Instruction Fuzzy Hash: 8E51A0B5A046009FC714DF14C480927B7A1FF89328F15467EE899AB392D635ED42CFDA
Memory Dump Source
• Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e751b8f787bac87f8cfd85bdda4c79210fa0da3de7a9e49238e203542471c3f4
• Instruction ID: 67ff51331bc586e3258e30a007c696559b29967afb165d85162e472efda89275
• Opcode Fuzzy Hash: e751b8f787bac87f8cfd85bdda4c79210fa0da3de7a9e49238e203542471c3f4
• Instruction Fuzzy Hash: AB41CF74208300ABE7149F24DD91B2FB7E6EB85755F24882DF58897352D339EC10CB9A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 0d7b21b20dac4ed1bd6ec73c56021cf920500350a9747a94f58476bfd9bcc6f6
                                                                                                                      • Instruction ID: 7bb1e064a9e3fe809587a2e583d5bbbc0ac817289a77bfc4f351f9a1e2f1ca79
                                                                                                                      • Opcode Fuzzy Hash: 0d7b21b20dac4ed1bd6ec73c56021cf920500350a9747a94f58476bfd9bcc6f6
                                                                                                                      • Instruction Fuzzy Hash: F741AF34208300ABE7149F25ED94B2FB7E6FB85715F14886DF88957351D379E810CB9A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 7e24e261311531be54728c1f7de490a8c5844de532af9053c9630d86519809ba
                                                                                                                      • Instruction ID: 7a9764bf3efe6304778dabb77bcc631861f8f1a38c5e90041bb2cad766b257b8
                                                                                                                      • Opcode Fuzzy Hash: 7e24e261311531be54728c1f7de490a8c5844de532af9053c9630d86519809ba
                                                                                                                      • Instruction Fuzzy Hash: 11416A72505F418FC324CB29C491363B7E2AF59324F699A1EC4AA47B91E338F805CB59
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 57a6c332c5d3211bb44ff9af79ab587ffb2f10c5d39c5de35afcf0ad077f2112
                                                                                                                      • Instruction ID: a376e7b36b3188e4cd9addea55493a65cc0f09d2769b96ef42937a54c16a89e2
                                                                                                                      • Opcode Fuzzy Hash: 57a6c332c5d3211bb44ff9af79ab587ffb2f10c5d39c5de35afcf0ad077f2112
                                                                                                                      • Instruction Fuzzy Hash: 02313EB4500B009BD735CF24C480AA3BBF5BB59300F154A2ED49787752E779F989CB99
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9f0085e10853b1e2969aa1028db42883cbeaeadcd86b2518a4c6ae1f0978dd0f
                                                                                                                      • Instruction ID: a7d9893a673cfc8e199ffc65db64a738f37302f500c8e91188f8a16d540f37a9
                                                                                                                      • Opcode Fuzzy Hash: 9f0085e10853b1e2969aa1028db42883cbeaeadcd86b2518a4c6ae1f0978dd0f
                                                                                                                      • Instruction Fuzzy Hash: 9C210332D082104BC3249B59848152BF7E5EB9E704F16A62FED84973A5E3389C1887EA
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 609c9fe2b85b6fa7177e1b6ed724a188d16551f5cddb16224451ebaab9e6e429
                                                                                                                      • Instruction ID: d5cb594caa8decbb0462b1d43e6d8ce9a9ace7f061841147579c4ba8b6174a16
                                                                                                                      • Opcode Fuzzy Hash: 609c9fe2b85b6fa7177e1b6ed724a188d16551f5cddb16224451ebaab9e6e429
                                                                                                                      • Instruction Fuzzy Hash: 5131BBB16042009BD7149F19D88092BB7E1EFC4319F14493EE999AB3D5D339EC42CB4A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                      • Instruction ID: 5cf3d3f30d9613fe2714edcff59f0b0304f0c98455ce6f2d5f572e95ba5a2b3d
                                                                                                                      • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                                                                      • Instruction Fuzzy Hash: 10114C33A051D04EC31A8D7C844056ABFF30A97274F2D939AF4F5AB2D2D6278D8B8359
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: aaac78c8cd68a7ef2a1be881b231878366a9c247148d4d2edc3e404ad033c8a4
                                                                                                                      • Instruction ID: ed189d3e896a10b0522a78e84ad2b8f9b6df22bdec7557734b8ad8c6367bbd7f
                                                                                                                      • Opcode Fuzzy Hash: aaac78c8cd68a7ef2a1be881b231878366a9c247148d4d2edc3e404ad033c8a4
                                                                                                                      • Instruction Fuzzy Hash: 4E019EB160030187E7209F65E4E072BA2E86F98708F18273EE80957342DB79EC098299
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 59f5e468a665b6614cdaf652ec57e02a503b3cbdf54c46e0d058b3155dca0263
                                                                                                                      • Instruction ID: 1143063129ae067a2310e813a7ac3cd5872c45bc9fc8c24add8bef49e4b85578
                                                                                                                      • Opcode Fuzzy Hash: 59f5e468a665b6614cdaf652ec57e02a503b3cbdf54c46e0d058b3155dca0263
                                                                                                                      • Instruction Fuzzy Hash: 3711F3F0901B00AFD360EF3AC94A747BAE8FB45350F508A0DE8AA87391D735A4048B96
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6741416765b83c74a1c2c5cba02842341f77218c3f9d8f562cc197a6a78b22bd
                                                                                                                      • Instruction ID: de6e10c6ac35777bcd7977231f09f0839b9338373d8b97cfe4fbdb5b7db4e514
                                                                                                                      • Opcode Fuzzy Hash: 6741416765b83c74a1c2c5cba02842341f77218c3f9d8f562cc197a6a78b22bd
                                                                                                                      • Instruction Fuzzy Hash: 31F027B1A0819017DB218D449C80FB7BBADCB87228F190456EA8157202E1356C9083EE
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                      • Instruction ID: e276e2e20c09421a09e08c01a3586b5c7f2cd1a113514abf4008fb378859171c
                                                                                                                      • Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
                                                                                                                      • Instruction Fuzzy Hash: D1D0A72160832146AB788E1AA500977F7F0EAC7B11FC9A55FF582E3248D634DC41C2BD
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: MetricsSystem
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4116985748-3916222277
                                                                                                                      • Opcode ID: 7c882c57007ae2b99843c88eb0c07b372622de9aeed33002503f8c382e2d4657
                                                                                                                      • Instruction ID: d31701c45078c7d4269a8adf496a0dfe1e86747451595843b7a2005472f7adb8
                                                                                                                      • Opcode Fuzzy Hash: 7c882c57007ae2b99843c88eb0c07b372622de9aeed33002503f8c382e2d4657
                                                                                                                      • Instruction Fuzzy Hash: 9A5180B4E142189FDB40EFACD985A9EBBF0BB48310F11852DE858E7350D734A949CF86
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1394693175.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_RegAsm.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: MetricsSystem
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4116985748-3916222277
                                                                                                                      • Opcode ID: 013dc761e4909440771d46bafdb638bb20e567719734dc29c98b96e9aaa0edbc
                                                                                                                      • Instruction ID: 5819706d29ef5a07fa912cd141edfc67d55658e54de8dc311193a39933180409
                                                                                                                      • Opcode Fuzzy Hash: 013dc761e4909440771d46bafdb638bb20e567719734dc29c98b96e9aaa0edbc
                                                                                                                      • Instruction Fuzzy Hash: 5C319FB49182009FDB00EF78D985A1EBBF4BB89304F11853DE898D7360D774A949CF86