Edit tour

Windows Analysis Report
Solara.exe

Overview

General Information

Sample name:	Solara.exe
Analysis ID:	1532907
MD5:	c6b00ad78d1b7db6f9474502db6051a6
SHA1:	5515a67818d2b2421d5ea51283faace8c4d7f530
SHA256:	41e26eb267fcf3194f1036c30f021707a8e916bc480b5f1518d51ad7faf29ce0
Tags:	exeuser-KnownStormChaser
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Solara.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\Solara.exe" MD5: C6B00AD78D1B7DB6F9474502DB6051A6)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 7636 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["allocatinow.sbs", "passimovrt.cfd", "drawwyobstacw.sbs", "mathcucom.sbs", "enlargkiw.sbs", "condifendteu.sbs", "resinedyw.sbs", "ehticsprocw.sbs", "vennurviot.sbs"], "Build id": "HpOoIh--@MoneyPayin"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Solara.exe PID: 7548	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:04.387538+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.28.222	443	TCP
2024-10-14T07:10:05.386596+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49731	188.114.97.3	443	TCP
2024-10-14T07:10:06.638060+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.33.249	443	TCP
2024-10-14T07:10:07.598398+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49733	104.21.77.78	443	TCP
2024-10-14T07:10:08.597694+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49734	172.67.140.193	443	TCP
2024-10-14T07:10:09.623731+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49735	104.21.30.221	443	TCP
2024-10-14T07:10:10.641390+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49736	172.67.141.136	443	TCP
2024-10-14T07:10:11.597583+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49737	188.114.96.3	443	TCP
2024-10-14T07:10:13.752381+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49739	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:04.387538+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.28.222	443	TCP
2024-10-14T07:10:05.386596+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49731	188.114.97.3	443	TCP
2024-10-14T07:10:06.638060+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49732	104.21.33.249	443	TCP
2024-10-14T07:10:07.598398+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49733	104.21.77.78	443	TCP
2024-10-14T07:10:08.597694+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49734	172.67.140.193	443	TCP
2024-10-14T07:10:09.623731+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49735	104.21.30.221	443	TCP
2024-10-14T07:10:10.641390+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49736	172.67.141.136	443	TCP
2024-10-14T07:10:11.597583+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49737	188.114.96.3	443	TCP
2024-10-14T07:10:13.752381+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49739	104.21.53.8	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:10.219440+0200	2056559	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	172.67.141.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:11.158743+0200	2056557	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:09.129452+0200	2056561	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	104.21.30.221	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:05.958493+0200	2056567	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	104.21.33.249	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:04.920885+0200	2056571	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:07.139869+0200	2056565	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	104.21.77.78	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:08.142113+0200	2056563	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	172.67.140.193	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:05.389269+0200	2056568	1	Domain Observed Used for C2 Detected	192.168.2.4	60851	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:09.690715+0200	2056558	1	Domain Observed Used for C2 Detected	192.168.2.4	52524	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:10.654066+0200	2056556	1	Domain Observed Used for C2 Detected	192.168.2.4	50614	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:08.624468+0200	2056560	1	Domain Observed Used for C2 Detected	192.168.2.4	57518	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:05.425246+0200	2056566	1	Domain Observed Used for C2 Detected	192.168.2.4	64453	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:04.394292+0200	2056570	1	Domain Observed Used for C2 Detected	192.168.2.4	62366	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:06.640446+0200	2056564	1	Domain Observed Used for C2 Detected	192.168.2.4	50108	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:07.632178+0200	2056562	1	Domain Observed Used for C2 Detected	192.168.2.4	62205	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T07:10:12.976836+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Solara.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\msvcp110.dll

Avira: detection malicious, Label: HEUR/AGEN.1301971

Found malware configuration

Source: 2.2.aspnet_regiis.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["allocatinow.sbs", "passimovrt.cfd", "drawwyobstacw.sbs", "mathcucom.sbs", "enlargkiw.sbs", "condifendteu.sbs", "resinedyw.sbs", "ehticsprocw.sbs", "vennurviot.sbs"], "Build id": "HpOoIh--@MoneyPayin"}

Multi AV Scanner detection for domain / URL

Source: condifendteu.sbs	Virustotal: Detection: 17%	Perma Link
Source: vennurviot.sbs	Virustotal: Detection: 17%	Perma Link
Source: drawwyobstacw.sbs	Virustotal: Detection: 17%	Perma Link
Source: mathcucom.sbs	Virustotal: Detection: 20%	Perma Link
Source: sergei-esenin.com	Virustotal: Detection: 17%	Perma Link
Source: enlargkiw.sbs	Virustotal: Detection: 17%	Perma Link
Source: allocatinow.sbs	Virustotal: Detection: 19%	Perma Link
Source: resinedyw.sbs	Virustotal: Detection: 17%	Perma Link
Source: ehticsprocw.sbs	Virustotal: Detection: 15%	Perma Link
Source: https://vennurviot.sbs/	Virustotal: Detection: 17%	Perma Link
Source: drawwyobstacw.sbs	Virustotal: Detection: 17%	Perma Link
Source: allocatinow.sbs	Virustotal: Detection: 19%	Perma Link
Source: enlargkiw.sbs	Virustotal: Detection: 17%	Perma Link
Source: mathcucom.sbs	Virustotal: Detection: 20%	Perma Link
Source: https://vennurviot.sbs/api	Virustotal: Detection: 17%	Perma Link
Source: https://mathcucom.sbs/#f	Virustotal: Detection: 20%	Perma Link
Source: ehticsprocw.sbs	Virustotal: Detection: 15%	Perma Link
Source: https://mathcucom.sbs/	Virustotal: Detection: 20%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\msvcp110.dll

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: Solara.exe	ReversingLabs: Detection: 42%
Source: Solara.exe	Virustotal: Detection: 53%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\msvcp110.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Solara.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawwyobstacw.sbs
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: condifendteu.sbs
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ehticsprocw.sbs
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vennurviot.sbs
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: resinedyw.sbs
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: enlargkiw.sbs
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: allocatinow.sbs
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: mathcucom.sbs
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: passimovrt.cfd
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: HpOoIh--@MoneyPayin

Source: Solara.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.28.222:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: Solara.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-33C2697Ah]	2_2_004431C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 27BAF212h	2_2_004431C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000001B8h]	2_2_00411183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_00411183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6B618F2Dh]	2_2_00411183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-2AE6E5FBh]	2_2_0043C516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, ebx	2_2_0043C516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-14h]	2_2_0040E9B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx]	2_2_0040CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 4E7D7006h	2_2_00442F0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042F000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+eax*8], 07E776F1h	2_2_004440D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, eax	2_2_00440080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 53F09CFAh	2_2_00440080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ebx	2_2_00440080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 07E776F1h	2_2_00440080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_0042D166
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_0042D1D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_00427180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+esi+7DD3323Ah]	2_2_004251A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ecx], si	2_2_004251A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], F3285E74h	2_2_00441270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 731CDBF3h	2_2_00441270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ecx-0000012Ah]	2_2_0042C204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Eh]	2_2_0042B2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp+2Ch], esi	2_2_004452A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_0041E400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-522ADBD1h]	2_2_00423490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004304A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-4E7A8F49h]	2_2_0043250E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esi+0Ch]	2_2_0043250E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [edx]	2_2_004465D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	2_2_004465D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0042F5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	2_2_0042C644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [edi+ebx]	2_2_00405620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then dec eax	2_2_00403630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ecx-0000012Ah]	2_2_0042C6EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax]	2_2_0043E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push eax	2_2_00410740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_00425750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042B780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 64567875h	2_2_00440780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	2_2_004408D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	2_2_004408D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_004408D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	2_2_004468B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042B963
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	2_2_00444900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 731CDBF3h	2_2_00444900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+1Ch]	2_2_0042A920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-56h]	2_2_0042A920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, edx	2_2_004309D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, edx	2_2_004309D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004309D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, dword ptr [esi+0Ch]	2_2_004319E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004319E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_004319E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_0041F980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp+10h], 8F3C8951h	2_2_0041F980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_0042FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041DA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, eax	2_2_0041DA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_0041DA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00406AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esi+edx+035E8DCAh]	2_2_00410AD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, ebx	2_2_0043CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00439A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h	2_2_0042CB88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	2_2_00408CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h	2_2_0043CCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_00424CF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, word ptr [ebp+eax*4+00h]	2_2_0040BCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, word ptr [ebp+ebx*4+00h]	2_2_0040BCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	2_2_00429D54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 07E776F1h	2_2_00429D54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, eax	2_2_00428D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_00428D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	2_2_00428D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, ebx	2_2_00444DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0042FDD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], dl	2_2_0042FDE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esi+28h]	2_2_0042FDE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esi+08h], edi	2_2_0042FDE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-4A206314h]	2_2_00420D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-80h]	2_2_00420D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax-0000008Fh]	2_2_00420D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [ebp-34h], edi	2_2_00420D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+752D80C8h]	2_2_00422E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042BE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, eax	2_2_00428EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_00428EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	2_2_00428EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00430FE2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.4:52524 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.4:50614 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.4:62366 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.4:57518 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.4:64453 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.4:62205 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.4:49733 -> 104.21.77.78:443
Source: Network traffic	Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.4:49735 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.4:49734 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.4:49732 -> 104.21.33.249:443
Source: Network traffic	Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.4:49736 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.4:60851 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.4:50108 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 104.21.33.249:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.33.249:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49738 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.28.222:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 104.21.77.78:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.28.222:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 104.21.77.78:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 104.21.30.221:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: allocatinow.sbs
Source: Malware configuration extractor	URLs: passimovrt.cfd
Source: Malware configuration extractor	URLs: drawwyobstacw.sbs
Source: Malware configuration extractor	URLs: mathcucom.sbs
Source: Malware configuration extractor	URLs: enlargkiw.sbs
Source: Malware configuration extractor	URLs: condifendteu.sbs
Source: Malware configuration extractor	URLs: resinedyw.sbs
Source: Malware configuration extractor	URLs: ehticsprocw.sbs
Source: Malware configuration extractor	URLs: vennurviot.sbs

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 104.21.33.249 104.21.33.249

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: passimovrt.cfd
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=85b9fb4fb34aa8db42a07078; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 14 Oct 2024 05:10:12 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: aspnet_regiis.exe, 00000002.00000002.1861062720.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: d.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: aspnet_regiis.exe, 00000002.00000002.1861062720.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: d.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=85b9fb4fb34aa8db42a07078; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 14 Oct 2024 05:10:12 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: passimovrt.cfd
Source: global traffic	DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic	DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic	DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic	DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic	DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic	DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic	DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic	DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: passimovrt.cfd

Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/2k
Source: aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/W
Source: aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/api7
Source: aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/pi
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic
Source: aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: aspnet_regiis.exe, 00000002.00000003.1839250186.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1824067435.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condifendteu.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1839250186.000000000302B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1824067435.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1824067435.000000000302B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawwyobstacw.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1824067435.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawwyobstacw.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1824067435.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawwyobstacw.sbs/apiL
Source: aspnet_regiis.exe, 00000002.00000003.1804655921.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/.
Source: aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/7
Source: aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/api=
Source: aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/apig
Source: aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/apis
Source: aspnet_regiis.exe, 00000002.00000003.1784100878.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enlargkiw.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1784100878.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enlargkiw.sbs/apibs
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: aspnet_regiis.exe, 00000002.00000003.1784100878.000000000300A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1762090963.0000000003009000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1784100878.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/#f
Source: aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: aspnet_regiis.exe, 00000002.00000003.1762090963.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.000000000301C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1784100878.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804419835.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1824067435.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804655921.000000000301C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passimovrt.cfd/
Source: aspnet_regiis.exe, 00000002.00000002.1861062720.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passimovrt.cfd/api
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: aspnet_regiis.exe, 00000002.00000003.1784100878.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1784100878.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1784100878.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1784100878.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1861062720.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1860514193.000000000309B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com//
Source: aspnet_regiis.exe, 00000002.00000003.1860514193.000000000309B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/0
Source: aspnet_regiis.exe, 00000002.00000003.1860514193.000000000309B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/8
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1860603844.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1861062720.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: aspnet_regiis.exe, 00000002.00000002.1861062720.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiS-
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apir
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiv
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: aspnet_regiis.exe, 00000002.00000003.1839250186.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com//
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: aspnet_regiis.exe, 00000002.00000003.1839250186.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003009000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1861062720.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: aspnet_regiis.exe, 00000002.00000002.1861062720.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1839250186.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1824067435.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/#f
Source: aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1839250186.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1824067435.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/apis
Source: aspnet_regiis.exe, 00000002.00000003.1845849529.0000000003087000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.0000000003098000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: aspnet_regiis.exe, 00000002.00000003.1845849529.0000000003087000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-managem5
Source: aspnet_regiis.exe, 00000002.00000003.1845566204.0000000003098000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.28.222:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.249:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00436290 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00436290

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00436290 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00436290

System Summary

PE file contains section with special chars

Source: Solara.exe

Static PE information: section name: |Fa'xdCV

PE file has nameless sections

Source: Solara.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\Solara.exe

Code function: 0_2_6CEFAEB0 GetModuleHandleW,NtQueryInformationProcess,

0_2_6CEFAEB0

Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CEFAEB0	0_2_6CEFAEB0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CEFB600	0_2_6CEFB600
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CEF9710	0_2_6CEF9710
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF078F0	0_2_6CF078F0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF1ACF5	0_2_6CF1ACF5
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF0C8D0	0_2_6CF0C8D0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF058A0	0_2_6CF058A0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF04480	0_2_6CF04480
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF0A800	0_2_6CF0A800
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF0D800	0_2_6CF0D800
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF075F0	0_2_6CF075F0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF09DF0	0_2_6CF09DF0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF04DF0	0_2_6CF04DF0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF055B0	0_2_6CF055B0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF07D80	0_2_6CF07D80
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF0BD60	0_2_6CF0BD60
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CEF1D20	0_2_6CEF1D20
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF0A500	0_2_6CF0A500
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF036F0	0_2_6CF036F0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF066A0	0_2_6CF066A0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF08AA0	0_2_6CF08AA0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF086A0	0_2_6CF086A0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF05290	0_2_6CF05290
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF0DA80	0_2_6CF0DA80
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF04A70	0_2_6CF04A70
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF0BA60	0_2_6CF0BA60
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CEF5A70	0_2_6CEF5A70
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF0D630	0_2_6CF0D630
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CEF5620	0_2_6CEF5620
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF0C220	0_2_6CF0C220
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF05E10	0_2_6CF05E10
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CEFA7D0	0_2_6CEFA7D0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF093A0	0_2_6CF093A0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CEFB3B0	0_2_6CEFB3B0
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF08370	0_2_6CF08370
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CEF8320	0_2_6CEF8320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00411183	2_2_00411183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0043C516	2_2_0043C516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040F6A0	2_2_0040F6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040CF50	2_2_0040CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042E056	2_2_0042E056
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00436060	2_2_00436060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004280F4	2_2_004280F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0043A083	2_2_0043A083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00440080	2_2_00440080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040A0A0	2_2_0040A0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040F150	2_2_0040F150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00445100	2_2_00445100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00428110	2_2_00428110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042D1D1	2_2_0042D1D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040B190	2_2_0040B190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040127F	2_2_0040127F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042C204	2_2_0042C204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042B2D0	2_2_0042B2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00436290	2_2_00436290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004452A0	2_2_004452A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00401356	2_2_00401356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004283C0	2_2_004283C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004273E0	2_2_004273E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041E400	2_2_0041E400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00444420	2_2_00444420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004304A1	2_2_004304A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00422560	2_2_00422560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00430570	2_2_00430570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004465D0	2_2_004465D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004235E0	2_2_004235E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00434640	2_2_00434640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0043A65C	2_2_0043A65C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00403630	2_2_00403630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004096B7	2_2_004096B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041771C	2_2_0041771C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040972E	2_2_0040972E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00434860	2_2_00434860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00407830	2_2_00407830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0043B8D0	2_2_0043B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004408D0	2_2_004408D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004468B0	2_2_004468B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042B963	2_2_0042B963
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00444900	2_2_00444900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042A920	2_2_0042A920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00443930	2_2_00443930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004309D7	2_2_004309D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004319E7	2_2_004319E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041F980	2_2_0041F980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041DA30	2_2_0041DA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042CAF1	2_2_0042CAF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0043BB30	2_2_0043BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00446BC0	2_2_00446BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00409C01	2_2_00409C01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00408CCF	2_2_00408CCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042DC84	2_2_0042DC84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040BCA0	2_2_0040BCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00429D54	2_2_00429D54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00404D70	2_2_00404D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040AD00	2_2_0040AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040DD20	2_2_0040DD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00428D20	2_2_00428D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00427D3F	2_2_00427D3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00444DC0	2_2_00444DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042FDD7	2_2_0042FDD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042FDE1	2_2_0042FDE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00420D85	2_2_00420D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00435E20	2_2_00435E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00406E30	2_2_00406E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00422E90	2_2_00422E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00428EB0	2_2_00428EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00430FE2	2_2_00430FE2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 0041D600 appears 217 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 0040C800 appears 63 times
Source: C:\Users\user\Desktop\Solara.exe	Code function: String function: 6CF0EB60 appears 33 times

Source: Solara.exe, 00000000.00000002.1746215834.000000000092E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Solara.exe
Source: Solara.exe	Binary or memory string: OriginalFilenameUlyssesTrumpAmerica131Kaitlyn.pWRT vs Solara.exe

Source: Solara.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Solara.exe

Static PE information: Section: |Fa'xdCV ZLIB complexity 1.000327063586098

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/2@11/10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_0043C420 CoCreateInstance,

2_2_0043C420

Source: C:\Users\user\Desktop\Solara.exe

File created: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03

Source: Solara.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Solara.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Solara.exe	ReversingLabs: Detection: 42%
Source: Solara.exe	Virustotal: Detection: 53%

Source: unknown	Process created: C:\Users\user\Desktop\Solara.exe "C:\Users\user\Desktop\Solara.exe"
Source: C:\Users\user\Desktop\Solara.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Solara.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Solara.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Solara.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Solara.exe

Unpacked PE file: 0.2.Solara.exe.2a0000.0.unpack |Fa'xdCV:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: Solara.exe	Static PE information: section name: \|Fa'xdCV
Source: Solara.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_002F2E70 push ss; ret	0_2_002F2EC8
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF1B401 push ecx; ret	0_2_6CF1B414
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00400000 push eax; iretd	2_2_004000A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041C0F3 push cs; mov dword ptr [esp], esi	2_2_0041C0FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0044D3D8 push edx; retf 0041h	2_2_0044D3D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0044C991 pushfd ; ret	2_2_0044C99D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0044CD67 pushfd ; iretd	2_2_0044CD8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0044CE33 pushfd ; retf	2_2_0044CE34

Source: Solara.exe

Static PE information: section name: |Fa'xdCV entropy: 7.999489537609034

Source: C:\Users\user\Desktop\Solara.exe

File created: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Solara.exe PID: 7548, type: MEMORYSTR

Source: C:\Users\user\Desktop\Solara.exe	Memory allocated: BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory allocated: 4E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory allocated: 5E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory allocated: 5F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory allocated: 6F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory allocated: 73C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory allocated: 83C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory allocated: 93C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Solara.exe TID: 7608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7688	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7652	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Solara.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: aspnet_regiis.exe, 00000002.00000003.1804655921.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1824067435.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1784100878.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1762090963.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1861062720.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW.
Source: aspnet_regiis.exe, 00000002.00000003.1804655921.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1824067435.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1784100878.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1762090963.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1861062720.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: aspnet_regiis.exe, 00000002.00000002.1861062720.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00442CC0 LdrInitializeThunk,

2_2_00442CC0

Source: C:\Users\user\Desktop\Solara.exe

Code function: 0_2_6CF0E9E2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CF0E9E2

Source: C:\Users\user\Desktop\Solara.exe

Code function: 0_2_6CF15FF0 GetProcessHeap,

0_2_6CF15FF0

Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF0E4B7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CF0E4B7
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF0E9E2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CF0E9E2
Source: C:\Users\user\Desktop\Solara.exe	Code function: 0_2_6CF1297C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CF1297C

Source: C:\Users\user\Desktop\Solara.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Solara.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Solara.exe

Code function: 0_2_6CEFB600 GetGameData,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,CreateProcessW,GetThreadContext,VirtualAllocEx,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,CloseHandle,

0_2_6CEFB600

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\Solara.exe

0_2_6CEFB600

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Solara.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Solara.exe, 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: drawwyobstacw.sbs
Source: Solara.exe, 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: condifendteu.sbs
Source: Solara.exe, 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: ehticsprocw.sbs
Source: Solara.exe, 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: vennurviot.sbss
Source: Solara.exe, 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: resinedyw.sbs
Source: Solara.exe, 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: enlargkiw.sbs
Source: Solara.exe, 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: allocatinow.sbs
Source: Solara.exe, 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: mathcucom.sbs
Source: Solara.exe, 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: passimovrt.cfds

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Solara.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 448000	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 44B000	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 45B000	Jump to behavior
Source: C:\Users\user\Desktop\Solara.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: C00008	Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe

Code function: 0_2_6CF0EBA8 cpuid

0_2_6CF0EBA8

Source: C:\Users\user\Desktop\Solara.exe	Queries volume information: C:\Users\user\Desktop\Solara.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Solara.exe

Code function: 0_2_6CF0E62B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CF0E62B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	511 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	511 Process Injection	NTDS	33 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Solara.exe	42%	ReversingLabs	Win32.Trojan.SpywareX
Solara.exe	53%	Virustotal		Browse
Solara.exe	100%	Avira	HEUR/AGEN.1352236
Solara.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\msvcp110.dll	100%	Avira	HEUR/AGEN.1301971
C:\Users\user\AppData\Roaming\msvcp110.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\msvcp110.dll	66%	ReversingLabs	Win32.Trojan.LummaStealer

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
condifendteu.sbs	18%	Virustotal	Browse
steamcommunity.com	0%	Virustotal	Browse
vennurviot.sbs	18%	Virustotal	Browse
drawwyobstacw.sbs	18%	Virustotal	Browse
mathcucom.sbs	21%	Virustotal	Browse
sergei-esenin.com	18%	Virustotal	Browse
enlargkiw.sbs	18%	Virustotal	Browse
allocatinow.sbs	20%	Virustotal	Browse
resinedyw.sbs	18%	Virustotal	Browse
passimovrt.cfd	0%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
ehticsprocw.sbs	16%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://player.vimeo.com	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://avatars.akamai.steamstatic	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
https://vennurviot.sbs/	18%	Virustotal		Browse
https://sergei-esenin.com/	0%	Virustotal		Browse
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Virustotal		Browse
drawwyobstacw.sbs	18%	Virustotal		Browse
allocatinow.sbs	20%	Virustotal		Browse
https://www.youtube.com	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
enlargkiw.sbs	18%	Virustotal		Browse
https://enlargkiw.sbs/apibs	3%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	0%	Virustotal		Browse
mathcucom.sbs	21%	Virustotal		Browse
https://ehticsprocw.sbs/api=	0%	Virustotal		Browse
https://vennurviot.sbs/api	18%	Virustotal		Browse
https://sketchfab.com	0%	Virustotal		Browse
https://www.youtube.com/	0%	Virustotal		Browse
https://mathcucom.sbs/#f	21%	Virustotal		Browse
https://www.cloudflare.com/5xx-error-landing	0%	Virustotal		Browse
ehticsprocw.sbs	16%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	0%	Virustotal		Browse
passimovrt.cfd	0%	Virustotal		Browse
https://mathcucom.sbs/	21%	Virustotal		Browse
https://www.google.com/recaptcha/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
condifendteu.sbs	172.67.141.136	true	true	18%, Virustotal, Browse	unknown
steamcommunity.com	104.102.49.254	true	true	0%, Virustotal, Browse	unknown
vennurviot.sbs	172.67.140.193	true	true	18%, Virustotal, Browse	unknown
drawwyobstacw.sbs	188.114.96.3	true	true	18%, Virustotal, Browse	unknown
mathcucom.sbs	188.114.97.3	true	true	21%, Virustotal, Browse	unknown
sergei-esenin.com	104.21.53.8	true	true	18%, Virustotal, Browse	unknown
passimovrt.cfd	104.21.28.222	true	true	0%, Virustotal, Browse	unknown
ehticsprocw.sbs	104.21.30.221	true	true	16%, Virustotal, Browse	unknown
resinedyw.sbs	104.21.77.78	true	true	18%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown
enlargkiw.sbs	104.21.33.249	true	true	18%, Virustotal, Browse	unknown
allocatinow.sbs	unknown	unknown	true	20%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
enlargkiw.sbs	true	18%, Virustotal, Browse	unknown
allocatinow.sbs	true	20%, Virustotal, Browse	unknown
drawwyobstacw.sbs	true	18%, Virustotal, Browse	unknown
mathcucom.sbs	true	21%, Virustotal, Browse	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vennurviot.sbs/api	true	18%, Virustotal, Browse	unknown
ehticsprocw.sbs	true	16%, Virustotal, Browse	unknown
passimovrt.cfd	true	0%, Virustotal, Browse	unknown
condifendteu.sbs	true		unknown
https://drawwyobstacw.sbs/api	true		unknown
https://resinedyw.sbs/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	aspnet_regiis.exe, 00000002.00000003.1845566204.0000000003098000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://player.vimeo.com	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/apig	aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	aspnet_regiis.exe, 00000002.00000002.1861062720.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://enlargkiw.sbs/apibs	aspnet_regiis.exe, 00000002.00000003.1784100878.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse	unknown
https://steamcommunity.com/?subsection=broadcasts	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://sergei-esenin.com/	aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1861062720.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1860514193.000000000309B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://vennurviot.sbs/	aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse	unknown
https://store.steampowered.com/subscriber_agreement/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/apiS-	aspnet_regiis.exe, 00000002.00000002.1861062720.0000000002FFC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/api=	aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/2k	aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://s.ytimg.com;	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steam.tv/	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sketchfab.com	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://lv.queniujq.cn	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://mathcucom.sbs/#f	aspnet_regiis.exe, 00000002.00000003.1784100878.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false	21%, Virustotal, Browse	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/5xx-error-landing	aspnet_regiis.exe, 00000002.00000003.1845849529.0000000003087000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.0000000003098000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://mathcucom.sbs/	aspnet_regiis.exe, 00000002.00000003.1784100878.000000000300A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1762090963.0000000003009000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false	21%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://checkout.steampowered.com/	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/apis	aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com/apir	aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.akamai.steamstatic	aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/	aspnet_regiis.exe, 00000002.00000003.1804655921.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1861062720.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/apiv	aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/about/	aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com//	aspnet_regiis.exe, 00000002.00000003.1839250186.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ehticsprocw.sbs/7	aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/api7	aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/8	aspnet_regiis.exe, 00000002.00000003.1860514193.000000000309B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/subscriber_agreement/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003008000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/api	aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com//	aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/0	aspnet_regiis.exe, 00000002.00000003.1860514193.000000000309B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://passimovrt.cfd/	aspnet_regiis.exe, 00000002.00000003.1762090963.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.000000000301C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1784100878.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839250186.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804419835.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1824067435.0000000003012000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804655921.000000000301C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/discussions/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	aspnet_regiis.exe, 00000002.00000003.1845681126.0000000003012000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://resinedyw.sbs/	aspnet_regiis.exe, 00000002.00000003.1784100878.0000000003040000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1784100878.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://vennurviot.sbs/apis	aspnet_regiis.exe, 00000002.00000003.1839250186.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1824067435.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845681126.000000000306A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794055067.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://allocatinow.sbs/pi	aspnet_regiis.exe, 00000002.00000003.1762090963.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ehticsprocw.sbs/.	aspnet_regiis.exe, 00000002.00000003.1804655921.000000000306A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e	aspnet_regiis.exe, 00000002.00000003.1839208298.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1839208298.000000000309A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1845566204.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.53.8	sergei-esenin.com	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	mathcucom.sbs	European Union	13335	CLOUDFLARENETUS	true
104.21.33.249	enlargkiw.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.30.221	ehticsprocw.sbs	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	drawwyobstacw.sbs	European Union	13335	CLOUDFLARENETUS	true
172.67.141.136	condifendteu.sbs	United States	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
104.21.28.222	passimovrt.cfd	United States	13335	CLOUDFLARENETUS	true
172.67.140.193	vennurviot.sbs	United States	13335	CLOUDFLARENETUS	true
104.21.77.78	resinedyw.sbs	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532907
Start date and time:	2024-10-14 07:09:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Solara.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/2@11/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 20 Number of non-executed functions: 118
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:10:04	API Interceptor	7x Sleep call for process: aspnet_regiis.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.53.8	file.exe	Get hash	malicious	LummaC	Browse
	SoftWare.exe	Get hash	malicious	LummaC	Browse
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Win32.Evo-gen.11764.10915.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
188.114.97.3	AeYgxx6XFk.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	kitaygorod.top/EternalProcessorMultiwordpressdleTempcentraltemporary.php
	http://host.cloudsonicwave.com	Get hash	malicious	Unknown	Browse	host.cloudsonicwave.com/favicon.ico
	alWUxZvrvU.exe	Get hash	malicious	FormBook	Browse	www.avantfize.shop/q8x9/
	foljNJ4bug.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/fxts/
	RRjzYVukzs.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	1728514626a90de45f2defd8a33b94cf7c156a8c78d461f4790dbeeed40e1c4ac3b9785dda970.dat-decoded.exe	Get hash	malicious	FormBook	Browse	www.jandjacres.net/gwdv/?arl=VZkvqQQ3p3ESUHu9QJxv1S9CpeLWgctjzmXLTk8+PgyOEzxKpyaH9RYCK7AmxPqHPjbm&Ph=_ZX8XrK
	BILL OF LADDING.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	http://embittermentdc.com	Get hash	malicious	Unknown	Browse	embittermentdc.com/favicon.ico
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	paste.ee/d/gvOd3
104.21.33.249	SoftWare.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Solara.exe	Get hash	malicious	LummaC	Browse
	Loader.exe	Get hash	malicious	LummaC	Browse
	Solara.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	CachemanTray_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Trojan.DownLoader47.43477.29852.19410.exe	Get hash	malicious	LummaC, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
drawwyobstacw.sbs	SoftWare.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	SoftWare.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
vennurviot.sbs	SoftWare.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	SoftWare.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
condifendteu.sbs	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
mathcucom.sbs	SoftWare.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	SoftWare.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	ASL OTSL 2 ship's Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://totalcanterbury0.sharefile.com/public/share/web-034ada86e7d04d74	Get hash	malicious	Unknown	Browse	172.67.74.152
	arm5.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	1.13.112.124
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	SoftWare.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	ASL OTSL 2 ship's Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://totalcanterbury0.sharefile.com/public/share/web-034ada86e7d04d74	Get hash	malicious	Unknown	Browse	172.67.74.152
	arm5.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	1.13.112.124
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	SoftWare.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	ASL OTSL 2 ship's Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://totalcanterbury0.sharefile.com/public/share/web-034ada86e7d04d74	Get hash	malicious	Unknown	Browse	172.67.74.152
	arm5.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	1.13.112.124
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	SoftWare.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	ASL OTSL 2 ship's Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://totalcanterbury0.sharefile.com/public/share/web-034ada86e7d04d74	Get hash	malicious	Unknown	Browse	172.67.74.152
	arm5.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	1.13.112.124
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	SoftWare.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Compliance_Report_Final_Q3_8c3f5541a91374b5bf18ac88017a597742a1891a.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 104.21.33.249 104.21.30.221 188.114.96.3 172.67.141.136 104.102.49.254 104.21.28.222 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 104.21.33.249 104.21.30.221 188.114.96.3 172.67.141.136 104.102.49.254 104.21.28.222 172.67.140.193 104.21.77.78
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 104.21.33.249 104.21.30.221 188.114.96.3 172.67.141.136 104.102.49.254 104.21.28.222 172.67.140.193 104.21.77.78
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 104.21.33.249 104.21.30.221 188.114.96.3 172.67.141.136 104.102.49.254 104.21.28.222 172.67.140.193 104.21.77.78
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 104.21.33.249 104.21.30.221 188.114.96.3 172.67.141.136 104.102.49.254 104.21.28.222 172.67.140.193 104.21.77.78
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 104.21.33.249 104.21.30.221 188.114.96.3 172.67.141.136 104.102.49.254 104.21.28.222 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 104.21.33.249 104.21.30.221 188.114.96.3 172.67.141.136 104.102.49.254 104.21.28.222 172.67.140.193 104.21.77.78
	FACTURA.cmd	Get hash	malicious	DBatLoader	Browse	104.21.53.8 188.114.97.3 104.21.33.249 104.21.30.221 188.114.96.3 172.67.141.136 104.102.49.254 104.21.28.222 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 104.21.33.249 104.21.30.221 188.114.96.3 172.67.141.136 104.102.49.254 104.21.28.222 172.67.140.193 104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 104.21.33.249 104.21.30.221 188.114.96.3 172.67.141.136 104.102.49.254 104.21.28.222 172.67.140.193 104.21.77.78

Process:	C:\Users\user\Desktop\Solara.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\msvcp110.dll

Download File

Process:	C:\Users\user\Desktop\Solara.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	560640
Entropy (8bit):	7.12707279703137
Encrypted:	false
SSDEEP:	6144:MVAtDbXzRRyrrRwsX9xNk3jUC7hSkuZigTTu3d0rFLPjMkfaPnWPEdKR+mLSDWH+:gADbyrxWjUAEkOiUtrFEdz9FqPg
MD5:	EC307DA94525FAC6A296C5A017142841
SHA1:	646C9829A5D7BFE1CEDF32C2099BF82DF6C1744E
SHA-256:	9916C345CFF41E4336EC5E24A37DB2D971920E5B626FF3E1F60018606BDD08AD
SHA-512:	AF83F4ABBB95742E83B76AC5B03BFDAABAC0A64431FCC603B2B59474431CCA2AA274040360A8F2DBCD2B8D2AA1450E2CEA3483B6E078D6AA2D19D0ADB94695CF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................S................s...........4.......4......4...........4.....4.....Rich...........................PE..L.....g...........!...&..................................................................@.........................P%..x....%..<...............................L...................................@...@...............T............................text...#........................... ..`.rdata...m.......n..................@..@.data....d...0...X..................@....reloc..L............r..............@..B................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.891324481518983
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Solara.exe
File size:	365'568 bytes
MD5:	c6b00ad78d1b7db6f9474502db6051a6
SHA1:	5515a67818d2b2421d5ea51283faace8c4d7f530
SHA256:	41e26eb267fcf3194f1036c30f021707a8e916bc480b5f1518d51ad7faf29ce0
SHA512:	3f58fddcfe675326b81f65f9aa19ee481ea9e83ed58de8dcba04276956ec9c874b59ebcc06999d80261c950dcaa8b9ff84fafc84dace66a092a58dff4f1ec5d0
SSDEEP:	6144:5uqr1XEbkS6ew80/0zW6SsZs80FDiRgvljRpeAhTQaS/sB5Z++rlGceseoIzt3N:cAS6eVWMsXiRMRpdUaSUPxr0cebZzt3N
TLSH:	6C74DFDD756072DFC867C4B2DEA82D68EB5434BB831B5207A42705EDAA4D887CF181F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ... ....@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46000a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x670BA2E8 [Sun Oct 13 10:37:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00460000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5273c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x760	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x60000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x52000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
\|Fa'xdCV	0x2000	0x4f184	0x4f200	60d7e78de0628cfcacbcaf3d19a92e59	False	1.000327063586098	data	7.999489537609034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x52000	0x9118	0x9200	b0dc61e77934988388f187829be47992	False	0.3882437928082192	data	4.702599732437166	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x760	0x800	f1414056b1275b08d42627e676988cd6	False	0.40576171875	data	3.909357465484215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	1e37c0bd08615c8250069f61ab34fa51	False	0.044921875	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x60000	0x10	0x200	320ee449aa5526dabd765a70fb725ea4	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5c0a0	0x4d0	data			0.43262987012987014
RT_MANIFEST	0x5c570	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T07:10:04.387538+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.28.222	443	TCP
2024-10-14T07:10:04.387538+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.28.222	443	TCP
2024-10-14T07:10:04.394292+0200	2056570	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)	1	192.168.2.4	62366	1.1.1.1	53	UDP
2024-10-14T07:10:04.920885+0200	2056571	ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)	1	192.168.2.4	49731	188.114.97.3	443	TCP
2024-10-14T07:10:05.386596+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	188.114.97.3	443	TCP
2024-10-14T07:10:05.386596+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	188.114.97.3	443	TCP
2024-10-14T07:10:05.389269+0200	2056568	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)	1	192.168.2.4	60851	1.1.1.1	53	UDP
2024-10-14T07:10:05.425246+0200	2056566	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)	1	192.168.2.4	64453	1.1.1.1	53	UDP
2024-10-14T07:10:05.958493+0200	2056567	ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)	1	192.168.2.4	49732	104.21.33.249	443	TCP
2024-10-14T07:10:06.638060+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	104.21.33.249	443	TCP
2024-10-14T07:10:06.638060+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.33.249	443	TCP
2024-10-14T07:10:06.640446+0200	2056564	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)	1	192.168.2.4	50108	1.1.1.1	53	UDP
2024-10-14T07:10:07.139869+0200	2056565	ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)	1	192.168.2.4	49733	104.21.77.78	443	TCP
2024-10-14T07:10:07.598398+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49733	104.21.77.78	443	TCP
2024-10-14T07:10:07.598398+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	104.21.77.78	443	TCP
2024-10-14T07:10:07.632178+0200	2056562	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)	1	192.168.2.4	62205	1.1.1.1	53	UDP
2024-10-14T07:10:08.142113+0200	2056563	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)	1	192.168.2.4	49734	172.67.140.193	443	TCP
2024-10-14T07:10:08.597694+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49734	172.67.140.193	443	TCP
2024-10-14T07:10:08.597694+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49734	172.67.140.193	443	TCP
2024-10-14T07:10:08.624468+0200	2056560	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)	1	192.168.2.4	57518	1.1.1.1	53	UDP
2024-10-14T07:10:09.129452+0200	2056561	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)	1	192.168.2.4	49735	104.21.30.221	443	TCP
2024-10-14T07:10:09.623731+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49735	104.21.30.221	443	TCP
2024-10-14T07:10:09.623731+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49735	104.21.30.221	443	TCP
2024-10-14T07:10:09.690715+0200	2056558	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)	1	192.168.2.4	52524	1.1.1.1	53	UDP
2024-10-14T07:10:10.219440+0200	2056559	ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)	1	192.168.2.4	49736	172.67.141.136	443	TCP
2024-10-14T07:10:10.641390+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	172.67.141.136	443	TCP
2024-10-14T07:10:10.641390+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	172.67.141.136	443	TCP
2024-10-14T07:10:10.654066+0200	2056556	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)	1	192.168.2.4	50614	1.1.1.1	53	UDP
2024-10-14T07:10:11.158743+0200	2056557	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)	1	192.168.2.4	49737	188.114.96.3	443	TCP
2024-10-14T07:10:11.597583+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49737	188.114.96.3	443	TCP
2024-10-14T07:10:11.597583+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	188.114.96.3	443	TCP
2024-10-14T07:10:12.976836+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49738	104.102.49.254	443	TCP
2024-10-14T07:10:13.752381+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49739	104.21.53.8	443	TCP
2024-10-14T07:10:13.752381+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49739	104.21.53.8	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 07:10:03.308439016 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 07:10:03.308526039 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 07:10:03.308764935 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 07:10:03.312206984 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 07:10:03.312237024 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 07:10:03.825025082 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 07:10:03.825123072 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 07:10:03.882741928 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 07:10:03.882786036 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 07:10:03.883949041 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 07:10:03.933037043 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 07:10:03.957428932 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 07:10:03.957468987 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 07:10:03.957838058 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 07:10:04.387641907 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 07:10:04.387873888 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 07:10:04.388266087 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 07:10:04.390476942 CEST	49730	443	192.168.2.4	104.21.28.222
Oct 14, 2024 07:10:04.390532970 CEST	443	49730	104.21.28.222	192.168.2.4
Oct 14, 2024 07:10:04.407701015 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 14, 2024 07:10:04.407789946 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 14, 2024 07:10:04.408112049 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 14, 2024 07:10:04.408406019 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 14, 2024 07:10:04.408459902 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 14, 2024 07:10:04.920525074 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 14, 2024 07:10:04.920885086 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 14, 2024 07:10:04.924742937 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 14, 2024 07:10:04.924768925 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 14, 2024 07:10:04.925287008 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 14, 2024 07:10:04.927325010 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 14, 2024 07:10:04.927325964 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 14, 2024 07:10:04.927545071 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 14, 2024 07:10:05.386656046 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 14, 2024 07:10:05.386913061 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 14, 2024 07:10:05.387100935 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 14, 2024 07:10:05.387219906 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 14, 2024 07:10:05.387219906 CEST	49731	443	192.168.2.4	188.114.97.3
Oct 14, 2024 07:10:05.387264967 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 14, 2024 07:10:05.387293100 CEST	443	49731	188.114.97.3	192.168.2.4
Oct 14, 2024 07:10:05.446367979 CEST	49732	443	192.168.2.4	104.21.33.249
Oct 14, 2024 07:10:05.446470022 CEST	443	49732	104.21.33.249	192.168.2.4
Oct 14, 2024 07:10:05.446691036 CEST	49732	443	192.168.2.4	104.21.33.249
Oct 14, 2024 07:10:05.447150946 CEST	49732	443	192.168.2.4	104.21.33.249
Oct 14, 2024 07:10:05.447180033 CEST	443	49732	104.21.33.249	192.168.2.4
Oct 14, 2024 07:10:05.958394051 CEST	443	49732	104.21.33.249	192.168.2.4
Oct 14, 2024 07:10:05.958492994 CEST	49732	443	192.168.2.4	104.21.33.249
Oct 14, 2024 07:10:05.960727930 CEST	49732	443	192.168.2.4	104.21.33.249
Oct 14, 2024 07:10:05.960757017 CEST	443	49732	104.21.33.249	192.168.2.4
Oct 14, 2024 07:10:05.961255074 CEST	443	49732	104.21.33.249	192.168.2.4
Oct 14, 2024 07:10:05.962950945 CEST	49732	443	192.168.2.4	104.21.33.249
Oct 14, 2024 07:10:05.962950945 CEST	49732	443	192.168.2.4	104.21.33.249
Oct 14, 2024 07:10:05.963182926 CEST	443	49732	104.21.33.249	192.168.2.4
Oct 14, 2024 07:10:06.638106108 CEST	443	49732	104.21.33.249	192.168.2.4
Oct 14, 2024 07:10:06.638334036 CEST	443	49732	104.21.33.249	192.168.2.4
Oct 14, 2024 07:10:06.638421059 CEST	49732	443	192.168.2.4	104.21.33.249
Oct 14, 2024 07:10:06.638541937 CEST	49732	443	192.168.2.4	104.21.33.249
Oct 14, 2024 07:10:06.638593912 CEST	443	49732	104.21.33.249	192.168.2.4
Oct 14, 2024 07:10:06.638626099 CEST	49732	443	192.168.2.4	104.21.33.249
Oct 14, 2024 07:10:06.638642073 CEST	443	49732	104.21.33.249	192.168.2.4
Oct 14, 2024 07:10:06.654234886 CEST	49733	443	192.168.2.4	104.21.77.78
Oct 14, 2024 07:10:06.654325008 CEST	443	49733	104.21.77.78	192.168.2.4
Oct 14, 2024 07:10:06.654438019 CEST	49733	443	192.168.2.4	104.21.77.78
Oct 14, 2024 07:10:06.654915094 CEST	49733	443	192.168.2.4	104.21.77.78
Oct 14, 2024 07:10:06.654944897 CEST	443	49733	104.21.77.78	192.168.2.4
Oct 14, 2024 07:10:07.139313936 CEST	443	49733	104.21.77.78	192.168.2.4
Oct 14, 2024 07:10:07.139868975 CEST	49733	443	192.168.2.4	104.21.77.78
Oct 14, 2024 07:10:07.141954899 CEST	49733	443	192.168.2.4	104.21.77.78
Oct 14, 2024 07:10:07.142008066 CEST	443	49733	104.21.77.78	192.168.2.4
Oct 14, 2024 07:10:07.142537117 CEST	443	49733	104.21.77.78	192.168.2.4
Oct 14, 2024 07:10:07.144274950 CEST	49733	443	192.168.2.4	104.21.77.78
Oct 14, 2024 07:10:07.144328117 CEST	49733	443	192.168.2.4	104.21.77.78
Oct 14, 2024 07:10:07.144418001 CEST	443	49733	104.21.77.78	192.168.2.4
Oct 14, 2024 07:10:07.598428965 CEST	443	49733	104.21.77.78	192.168.2.4
Oct 14, 2024 07:10:07.598673105 CEST	443	49733	104.21.77.78	192.168.2.4
Oct 14, 2024 07:10:07.598895073 CEST	49733	443	192.168.2.4	104.21.77.78
Oct 14, 2024 07:10:07.599021912 CEST	49733	443	192.168.2.4	104.21.77.78
Oct 14, 2024 07:10:07.599073887 CEST	443	49733	104.21.77.78	192.168.2.4
Oct 14, 2024 07:10:07.599107981 CEST	49733	443	192.168.2.4	104.21.77.78
Oct 14, 2024 07:10:07.599123001 CEST	443	49733	104.21.77.78	192.168.2.4
Oct 14, 2024 07:10:07.656951904 CEST	49734	443	192.168.2.4	172.67.140.193
Oct 14, 2024 07:10:07.657061100 CEST	443	49734	172.67.140.193	192.168.2.4
Oct 14, 2024 07:10:07.657169104 CEST	49734	443	192.168.2.4	172.67.140.193
Oct 14, 2024 07:10:07.657675982 CEST	49734	443	192.168.2.4	172.67.140.193
Oct 14, 2024 07:10:07.657711983 CEST	443	49734	172.67.140.193	192.168.2.4
Oct 14, 2024 07:10:08.141788006 CEST	443	49734	172.67.140.193	192.168.2.4
Oct 14, 2024 07:10:08.142112970 CEST	49734	443	192.168.2.4	172.67.140.193
Oct 14, 2024 07:10:08.144272089 CEST	49734	443	192.168.2.4	172.67.140.193
Oct 14, 2024 07:10:08.144300938 CEST	443	49734	172.67.140.193	192.168.2.4
Oct 14, 2024 07:10:08.144929886 CEST	443	49734	172.67.140.193	192.168.2.4
Oct 14, 2024 07:10:08.146869898 CEST	49734	443	192.168.2.4	172.67.140.193
Oct 14, 2024 07:10:08.146869898 CEST	49734	443	192.168.2.4	172.67.140.193
Oct 14, 2024 07:10:08.147131920 CEST	443	49734	172.67.140.193	192.168.2.4
Oct 14, 2024 07:10:08.597755909 CEST	443	49734	172.67.140.193	192.168.2.4
Oct 14, 2024 07:10:08.597984076 CEST	443	49734	172.67.140.193	192.168.2.4
Oct 14, 2024 07:10:08.598120928 CEST	49734	443	192.168.2.4	172.67.140.193
Oct 14, 2024 07:10:08.598303080 CEST	49734	443	192.168.2.4	172.67.140.193
Oct 14, 2024 07:10:08.598352909 CEST	443	49734	172.67.140.193	192.168.2.4
Oct 14, 2024 07:10:08.598381042 CEST	49734	443	192.168.2.4	172.67.140.193
Oct 14, 2024 07:10:08.598397017 CEST	443	49734	172.67.140.193	192.168.2.4
Oct 14, 2024 07:10:08.639012098 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 07:10:08.639098883 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 07:10:08.639624119 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 07:10:08.639991045 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 07:10:08.640026093 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 07:10:09.129247904 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 07:10:09.129451990 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 07:10:09.131936073 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 07:10:09.131990910 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 07:10:09.132503033 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 07:10:09.134136915 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 07:10:09.134200096 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 07:10:09.134407043 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 07:10:09.623758078 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 07:10:09.623981953 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 07:10:09.624267101 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 07:10:09.632302999 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 07:10:09.632302999 CEST	49735	443	192.168.2.4	104.21.30.221
Oct 14, 2024 07:10:09.632371902 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 07:10:09.632405043 CEST	443	49735	104.21.30.221	192.168.2.4
Oct 14, 2024 07:10:09.704996109 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 07:10:09.705027103 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 07:10:09.705118895 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 07:10:09.705554008 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 07:10:09.705566883 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 07:10:10.219068050 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 07:10:10.219439983 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 07:10:10.221621037 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 07:10:10.221635103 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 07:10:10.222048998 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 07:10:10.223937988 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 07:10:10.223937988 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 07:10:10.224195004 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 07:10:10.641415119 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 07:10:10.641655922 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 07:10:10.641736031 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 07:10:10.642435074 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 07:10:10.642450094 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 07:10:10.642465115 CEST	49736	443	192.168.2.4	172.67.141.136
Oct 14, 2024 07:10:10.642472029 CEST	443	49736	172.67.141.136	192.168.2.4
Oct 14, 2024 07:10:10.671761036 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 07:10:10.671849966 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 07:10:10.672030926 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 07:10:10.672405958 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 07:10:10.672439098 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 07:10:11.158268929 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 07:10:11.158742905 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 07:10:11.160933971 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 07:10:11.160960913 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 07:10:11.161490917 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 07:10:11.163327932 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 07:10:11.163368940 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 07:10:11.163660049 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 07:10:11.597621918 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 07:10:11.597877979 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 07:10:11.597990036 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 07:10:11.598180056 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 07:10:11.598227024 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 07:10:11.598258018 CEST	49737	443	192.168.2.4	188.114.96.3
Oct 14, 2024 07:10:11.598273039 CEST	443	49737	188.114.96.3	192.168.2.4
Oct 14, 2024 07:10:11.635956049 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:11.636002064 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:11.636090994 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:11.636913061 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:11.636944056 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:12.351758957 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:12.351948023 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:12.353389025 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:12.353415966 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:12.353928089 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:12.355632067 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:12.399475098 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:12.976958990 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:12.977020025 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:12.977061987 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:12.977335930 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:12.977397919 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:12.977473974 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:13.110276937 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:13.110338926 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:13.110666037 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:13.110724926 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:13.111099005 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:13.117007971 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:13.117095947 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:13.117156982 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:13.117264986 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:13.117280960 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:13.117311001 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:13.117336035 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:13.117378950 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:13.117409945 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:13.117409945 CEST	49738	443	192.168.2.4	104.102.49.254
Oct 14, 2024 07:10:13.117429972 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:13.117449045 CEST	443	49738	104.102.49.254	192.168.2.4
Oct 14, 2024 07:10:13.153563976 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.153670073 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.154021025 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.154370070 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.154449940 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.641685009 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.641938925 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.644156933 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.644208908 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.644625902 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.645984888 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.646028996 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.646091938 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.752327919 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.752372980 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.752402067 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.752450943 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.752466917 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.752533913 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.752568007 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.752604961 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.752666950 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.752895117 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.752929926 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.752954960 CEST	49739	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.752969027 CEST	443	49739	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.852735996 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.852766991 CEST	443	49740	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:13.852849960 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.853319883 CEST	49740	443	192.168.2.4	104.21.53.8
Oct 14, 2024 07:10:13.853334904 CEST	443	49740	104.21.53.8	192.168.2.4
Oct 14, 2024 07:10:15.245560884 CEST	49740	443	192.168.2.4	104.21.53.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 07:10:03.289578915 CEST	55803	53	192.168.2.4	1.1.1.1
Oct 14, 2024 07:10:03.302305937 CEST	53	55803	1.1.1.1	192.168.2.4
Oct 14, 2024 07:10:04.394292116 CEST	62366	53	192.168.2.4	1.1.1.1
Oct 14, 2024 07:10:04.405567884 CEST	53	62366	1.1.1.1	192.168.2.4
Oct 14, 2024 07:10:05.389269114 CEST	60851	53	192.168.2.4	1.1.1.1
Oct 14, 2024 07:10:05.398931980 CEST	53	60851	1.1.1.1	192.168.2.4
Oct 14, 2024 07:10:05.425246000 CEST	64453	53	192.168.2.4	1.1.1.1
Oct 14, 2024 07:10:05.445228100 CEST	53	64453	1.1.1.1	192.168.2.4
Oct 14, 2024 07:10:06.640445948 CEST	50108	53	192.168.2.4	1.1.1.1
Oct 14, 2024 07:10:06.652894020 CEST	53	50108	1.1.1.1	192.168.2.4
Oct 14, 2024 07:10:07.632178068 CEST	62205	53	192.168.2.4	1.1.1.1
Oct 14, 2024 07:10:07.648672104 CEST	53	62205	1.1.1.1	192.168.2.4
Oct 14, 2024 07:10:08.624468088 CEST	57518	53	192.168.2.4	1.1.1.1
Oct 14, 2024 07:10:08.637670040 CEST	53	57518	1.1.1.1	192.168.2.4
Oct 14, 2024 07:10:09.690715075 CEST	52524	53	192.168.2.4	1.1.1.1
Oct 14, 2024 07:10:09.704094887 CEST	53	52524	1.1.1.1	192.168.2.4
Oct 14, 2024 07:10:10.654066086 CEST	50614	53	192.168.2.4	1.1.1.1
Oct 14, 2024 07:10:10.670743942 CEST	53	50614	1.1.1.1	192.168.2.4
Oct 14, 2024 07:10:11.627775908 CEST	60929	53	192.168.2.4	1.1.1.1
Oct 14, 2024 07:10:11.634932995 CEST	53	60929	1.1.1.1	192.168.2.4
Oct 14, 2024 07:10:13.143043995 CEST	58725	53	192.168.2.4	1.1.1.1
Oct 14, 2024 07:10:13.152657986 CEST	53	58725	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 07:10:03.289578915 CEST	192.168.2.4	1.1.1.1	0x898d	Standard query (0)	passimovrt.cfd	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:04.394292116 CEST	192.168.2.4	1.1.1.1	0x5565	Standard query (0)	mathcucom.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:05.389269114 CEST	192.168.2.4	1.1.1.1	0x18ee	Standard query (0)	allocatinow.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:05.425246000 CEST	192.168.2.4	1.1.1.1	0x8fd	Standard query (0)	enlargkiw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:06.640445948 CEST	192.168.2.4	1.1.1.1	0xbeea	Standard query (0)	resinedyw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:07.632178068 CEST	192.168.2.4	1.1.1.1	0x2b4e	Standard query (0)	vennurviot.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:08.624468088 CEST	192.168.2.4	1.1.1.1	0xa5ba	Standard query (0)	ehticsprocw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:09.690715075 CEST	192.168.2.4	1.1.1.1	0xf5b0	Standard query (0)	condifendteu.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:10.654066086 CEST	192.168.2.4	1.1.1.1	0x3f11	Standard query (0)	drawwyobstacw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:11.627775908 CEST	192.168.2.4	1.1.1.1	0xea68	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:13.143043995 CEST	192.168.2.4	1.1.1.1	0xa9a3	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 07:10:03.302305937 CEST	1.1.1.1	192.168.2.4	0x898d	No error (0)	passimovrt.cfd		104.21.28.222	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:03.302305937 CEST	1.1.1.1	192.168.2.4	0x898d	No error (0)	passimovrt.cfd		172.67.147.188	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:04.405567884 CEST	1.1.1.1	192.168.2.4	0x5565	No error (0)	mathcucom.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:04.405567884 CEST	1.1.1.1	192.168.2.4	0x5565	No error (0)	mathcucom.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:05.398931980 CEST	1.1.1.1	192.168.2.4	0x18ee	Name error (3)	allocatinow.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:05.445228100 CEST	1.1.1.1	192.168.2.4	0x8fd	No error (0)	enlargkiw.sbs		104.21.33.249	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:05.445228100 CEST	1.1.1.1	192.168.2.4	0x8fd	No error (0)	enlargkiw.sbs		172.67.152.13	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:06.652894020 CEST	1.1.1.1	192.168.2.4	0xbeea	No error (0)	resinedyw.sbs		104.21.77.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:06.652894020 CEST	1.1.1.1	192.168.2.4	0xbeea	No error (0)	resinedyw.sbs		172.67.205.156	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:07.648672104 CEST	1.1.1.1	192.168.2.4	0x2b4e	No error (0)	vennurviot.sbs		172.67.140.193	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:07.648672104 CEST	1.1.1.1	192.168.2.4	0x2b4e	No error (0)	vennurviot.sbs		104.21.46.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:08.637670040 CEST	1.1.1.1	192.168.2.4	0xa5ba	No error (0)	ehticsprocw.sbs		104.21.30.221	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:08.637670040 CEST	1.1.1.1	192.168.2.4	0xa5ba	No error (0)	ehticsprocw.sbs		172.67.173.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:09.704094887 CEST	1.1.1.1	192.168.2.4	0xf5b0	No error (0)	condifendteu.sbs		172.67.141.136	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:09.704094887 CEST	1.1.1.1	192.168.2.4	0xf5b0	No error (0)	condifendteu.sbs		104.21.79.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:10.670743942 CEST	1.1.1.1	192.168.2.4	0x3f11	No error (0)	drawwyobstacw.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:10.670743942 CEST	1.1.1.1	192.168.2.4	0x3f11	No error (0)	drawwyobstacw.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:11.634932995 CEST	1.1.1.1	192.168.2.4	0xea68	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:13.152657986 CEST	1.1.1.1	192.168.2.4	0xa9a3	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:13.152657986 CEST	1.1.1.1	192.168.2.4	0xa9a3	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false
Oct 14, 2024 07:10:20.772026062 CEST	1.1.1.1	192.168.2.4	0xd8c2	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 07:10:20.772026062 CEST	1.1.1.1	192.168.2.4	0xd8c2	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

passimovrt.cfd

mathcucom.sbs

enlargkiw.sbs

resinedyw.sbs

vennurviot.sbs

ehticsprocw.sbs

condifendteu.sbs

drawwyobstacw.sbs

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.28.222	443	7636	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 05:10:03 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: passimovrt.cfd
2024-10-14 05:10:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 05:10:04 UTC	827	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 05:10:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ei7opjgmaln9mr8qppr8tnrg96; expires=Thu, 06 Feb 2025 22:56:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=usjWCPoAEWQbaSTUZPlzKbEDGV%2F%2F0bSq0pJFh%2Fy54O9kKPLlp2F2kWTedmzWe%2FoQ3L%2FwzMGfzJXDRcCQcr9OwnKp8v2qq0AO5TwTFT7GmFfJprjGmHbQpdSg4aHVGPROhw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d250f931b7243f1-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 05:10:04 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 05:10:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	188.114.97.3	443	7636	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 05:10:04 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: mathcucom.sbs
2024-10-14 05:10:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 05:10:05 UTC	813	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 05:10:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6219au1ic3q17tkn0rk0j4vekb; expires=Thu, 06 Feb 2025 22:56:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qcY9RuMWqO58vyUmedjWpjOoSbTjAa88JzdTHFRVCSMSoD4E3rYWbJBnv3CaZjydoMISOXC%2BTNR336yhUCIZb30jL04iqxByYHXKtYsKJvq1CjEinuyXprDe6%2FnzzsEk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d250f992d304368-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 05:10:05 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 05:10:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.33.249	443	7636	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 05:10:05 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: enlargkiw.sbs
2024-10-14 05:10:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 05:10:06 UTC	819	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 05:10:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0466lrgjbcfeq4bk5tfo4oeghr; expires=Thu, 06 Feb 2025 22:56:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9pMduwQJLR4NXN%2F4G4MdtFfABmCy%2FPMdoyhiPku8ga2oqcdKn0h%2F8NY2otvUKHsIK%2FLXq38VgxeB27U2nrDSQS6KYaYUvKeS9Jjix42KPjIHQHNzlkUlW%2FR4l9bvFCib"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d250f9fbd247d00-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 05:10:06 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 05:10:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	104.21.77.78	443	7636	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 05:10:07 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: resinedyw.sbs
2024-10-14 05:10:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 05:10:07 UTC	821	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 05:10:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7td817j2apt8l0lftdnqlbof5c; expires=Thu, 06 Feb 2025 22:56:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4qzgNcQaI%2Fhw%2FNNl0hWY8hv52tPc34z786gBhWQjtZd%2BPda18SkPnNQstE%2FpM1F%2BTc0wdgq6jUbMlFfAnZHony2vBYfVwRzv%2BoDbfb8lEvR2YtV9JzmEiitiIcuJkzC6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d250fa72dd38c65-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 05:10:07 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 05:10:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	172.67.140.193	443	7636	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 05:10:08 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vennurviot.sbs
2024-10-14 05:10:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 05:10:08 UTC	823	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 05:10:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ac6h60g8ngqg5naboqvkei6jlk; expires=Thu, 06 Feb 2025 22:56:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UVO2TPzjlxmNuTjzHOebiGa0LPHQqFMs3O9xPdiy8sCMRW4MeX7Ej3X8h2ELe%2FTQYRB8%2BpZDvJgIfOOq%2FlRqZJsZ7xPS9lXl5lHa4At8xfUW1xjvMkf0spRronl3cb07tQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d250fad48194382-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 05:10:08 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 05:10:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	104.21.30.221	443	7636	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 05:10:09 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ehticsprocw.sbs
2024-10-14 05:10:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 05:10:09 UTC	823	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 05:10:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i981f9prjgdlrc4clib6b760mt; expires=Thu, 06 Feb 2025 22:56:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ncqOodjmq0OoahDYn6yPPfEzuObxP1nDWz0c%2BZrRo2iaWsJZDaeU36ZvtQKSqdPScm%2Bj8A3GYedyFFepPkbgQ3p2JpJQ3sE%2FUgvm%2BpGxzRVTj5CwVEF10974Z7cv8kJC90%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d250fb39e2c42c0-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 05:10:09 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 05:10:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	172.67.141.136	443	7636	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 05:10:10 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: condifendteu.sbs
2024-10-14 05:10:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 05:10:10 UTC	819	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 05:10:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ad6dfas7o31h28aqg0kdb030qo; expires=Thu, 06 Feb 2025 22:56:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ukOsaGKe7kfZZOksGZIS8WM6%2BjUlknr8B93l7yo7x1EwUmN5yWV23jkVjyj7f3Dfw%2BHsdBarR08lC7hBP2ni%2BpTuTWU1rD2bgjoVViRM0AZ2fE4MvADnAc8uebzoSwxfwrex"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d250fba4a871879-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 05:10:10 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 05:10:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	188.114.96.3	443	7636	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 05:10:11 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawwyobstacw.sbs
2024-10-14 05:10:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 05:10:11 UTC	831	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 05:10:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q690ucjr0q7gmh5ivv4j4nor0k; expires=Thu, 06 Feb 2025 22:56:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wzg%2B7eR6Pq9EitlRAbG2yr1nCK17yWvSrQ5kMAqHRkWiB8xpJVG9r0kPd%2Fp%2BeT4jxsNOZfx4N5ryKpkwdbKfSsW2iRItYCP92WImEkD3nKOehP7rBy5NoSlu%2Fd1K%2F1pWq06hnA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d250fc019a8333c-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 05:10:11 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 05:10:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49738	104.102.49.254	443	7636	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 05:10:12 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-14 05:10:12 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 14 Oct 2024 05:10:12 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=85b9fb4fb34aa8db42a07078; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-14 05:10:12 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-14 05:10:13 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-14 05:10:13 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-14 05:10:13 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49739	104.21.53.8	443	7636	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 05:10:13 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-14 05:10:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 05:10:13 UTC	551	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 05:10:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qx9YOjhm3r769go4k3yb%2BmDq06ZAh71riqccHxJV2rEDkOSxchDyyNy9dB2FDH6bT3KagtRAx7PA%2FUXA3h8MGebY6qmgOER9lJ80JnKINb8kbiNZWoBjivJ1FjBR07Y0EpqbLg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d250fcfaacc41a3-EWR
2024-10-14 05:10:13 UTC	818	IN	Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-14 05:10:13 UTC	1369	IN	Data Raw: 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b Data Ascii: cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cook
2024-10-14 05:10:13 UTC	1369	IN	Data Raw: 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 Data Ascii: ent/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input
2024-10-14 05:10:13 UTC	885	IN	Data Raw: 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 Data Ascii: <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand
2024-10-14 05:10:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	01:10:01
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\Solara.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Solara.exe"
Imagebase:	0x2a0000
File size:	365'568 bytes
MD5 hash:	C6B00AD78D1B7DB6F9474502DB6051A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:10:01
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:10:02
Start date:	14/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0xe30000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.3%
Total number of Nodes:	1012
Total number of Limit Nodes:	8

Executed Functions

Function 6CEFB600 Relevance: 84.9, APIs: 26, Strings: 18, Instructions: 7873injectionmemorythreadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 6CF00A11
ShowWindow.USER32 ref: 6CF00A27
VirtualAlloc.KERNELBASE ref: 6CF00C94
CreateProcessW.KERNELBASE ref: 6CF00F10
Wow64GetThreadContext.KERNEL32 ref: 6CF01108
VirtualAllocEx.KERNELBASE ref: 6CF01291
VirtualAllocEx.KERNEL32 ref: 6CF01358
WriteProcessMemory.KERNELBASE ref: 6CF01484
WriteProcessMemory.KERNELBASE ref: 6CF01772
ReadProcessMemory.KERNEL32 ref: 6CF021C5
WriteProcessMemory.KERNEL32 ref: 6CF0239B
WriteProcessMemory.KERNELBASE ref: 6CF027B0
Wow64SetThreadContext.KERNEL32 ref: 6CF02CA9
ResumeThread.KERNELBASE ref: 6CF02CBE
CloseHandle.KERNEL32 ref: 6CF02DBF
CloseHandle.KERNEL32 ref: 6CF02E58
GetConsoleWindow.KERNEL32 ref: 6CF0322A
ShowWindow.USER32 ref: 6CF03240
GetThreadContext.KERNEL32 ref: 6CF03386
VirtualAllocEx.KERNEL32 ref: 6CF033C2
ReadProcessMemory.KERNEL32 ref: 6CF03520
WriteProcessMemory.KERNEL32 ref: 6CF03598
WriteProcessMemory.KERNEL32 ref: 6CF0365B
CloseHandle.KERNEL32 ref: 6CF036CE

Strings

^,R, xrefs: 6CEFE75C
#6, xrefs: 6CEFDE7C
@, xrefs: 6CF033BA
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CF00D30
#6, xrefs: 6CEFDECD
kernel32.dll, xrefs: 6CF00A2D, 6CF03246
;92g, xrefs: 6CEFF8BE
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CF00D61
D, xrefs: 6CF00CFD
6k", xrefs: 6CF007F9
;92g, xrefs: 6CEFF907
Je`x, xrefs: 6CEFE115
Je`x, xrefs: 6CEFE09F
^,R, xrefs: 6CEFE70B
5mvY, xrefs: 6CEFB620
A{t, xrefs: 6CEFF0B9
ntdll.dll, xrefs: 6CF00A41, 6CF0325A
MZx, xrefs: 6CF00A55, 6CF00A77, 6CF0326E, 6CF03290

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: Process$Memory$Write$AllocThreadVirtualWindow$CloseContextHandle$ConsoleReadShowWow64$CreateResume
String ID: 5mvY$6k"$;92g$;92g$@$A{t$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$Je`x$Je`x$MZx$^,R$^,R$kernel32.dll$ntdll.dll$#6$#6
API String ID: 540769266-745060189
Opcode ID: 95e6b0f79c615e5c790667faf069f966eebdfb2e6fff72d9dd4f3db1460cf68e
Instruction ID: fc4923293f500b422559485d25e488383a940f82d29084715616ba6d7b05051f
Opcode Fuzzy Hash: 95e6b0f79c615e5c790667faf069f966eebdfb2e6fff72d9dd4f3db1460cf68e
Instruction Fuzzy Hash: E9E3F536B442148FCB15CE3CC9A47DA7BF1AB4B314F208199D42DDBB94CA369E4A9F41

Function 6CEF9710 Relevance: 32.6, APIs: 15, Strings: 3, Instructions: 1063
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32 ref: 6CEF9EC4
CreateFileA.KERNELBASE ref: 6CEF9F05
CloseHandle.KERNEL32 ref: 6CEF9FE5
MapViewOfFile.KERNELBASE ref: 6CEFA036
VirtualProtect.KERNELBASE ref: 6CEFA366
CloseHandle.KERNELBASE ref: 6CEFA687
CloseHandle.KERNEL32 ref: 6CEFA698

Strings

0P>, xrefs: 6CEFA185
@, xrefs: 6CEFA35A
n, xrefs: 6CEFA19D

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: CloseFileHandle$CreateModuleNameProtectViewVirtual
String ID: @$n$0P>
API String ID: 3065440886-2576488133
Opcode ID: a980bf64260b600276da58dc4648c980b0bb19163e28b91143828be9aa489680
Instruction ID: 39d50280e4461cc6d419948f66a077c119bc30b4679cbca7bb8e4a3d5afb96c0
Opcode Fuzzy Hash: a980bf64260b600276da58dc4648c980b0bb19163e28b91143828be9aa489680
Instruction Fuzzy Hash: 6C92F8B5E54214CFDB04CF7CC985B9DBBF1AB0A304F208199E869EB795C6349E4A8F41

Function 6CEFAEB0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?), ref: 6CEFB045

Strings

NtQueryInformationProcess, xrefs: 6CEFB04D
ntdll.dll, xrefs: 6CEFB039

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: HandleModule
String ID: NtQueryInformationProcess$ntdll.dll
API String ID: 4139908857-2906145389
Opcode ID: f72d7f59f41388b09c31b3cccfe96a7e29e6bea4a2a8708647d09f36e5f99511
Instruction ID: 71ef5e2f18703728b959dce631ea958d70f11e1d1fd5b2ed28846487a7ea27de
Opcode Fuzzy Hash: f72d7f59f41388b09c31b3cccfe96a7e29e6bea4a2a8708647d09f36e5f99511
Instruction Fuzzy Hash: 5FC1CE72E852048FCB04CFBCD4917DEBBF2AB4A314F34851AE425EBB54D675894B8B01

Function 6CF0E2AE Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CF0E2F5
___scrt_uninitialize_crt.LIBCMT ref: 6CF0E30F

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: b69bcff7d31841e783ecbab59c7cf0c220f8f94822fe9e0bb8646acf60e3c68e
Instruction ID: 1bf455aec3424a853b7ad24230921ea0c5ee99a46bbb106e6cab3f90b16c60fc
Opcode Fuzzy Hash: b69bcff7d31841e783ecbab59c7cf0c220f8f94822fe9e0bb8646acf60e3c68e
Instruction Fuzzy Hash: 5D41E276F00628EBDF118F95C850BAE3FB4EB81F58F20451AE8A567B40C7344D09ABE0

Function 6CF0E35E Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CF0E39B
dllmain_crt_dispatch.LIBCMT ref: 6CF0E3B2
dllmain_raw.LIBCMT ref: 6CF0E3FA
dllmain_crt_dispatch.LIBCMT ref: 6CF0E40D
dllmain_raw.LIBCMT ref: 6CF0E420

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: b376c172e7dbe267ce2f15173609e1d668150bea140ba1cb98fae1a0e5393daf
Instruction ID: 90e3c065948433550a6ce7581ba36557e5cad00c2fafecad9d56e6bbe4ed3b98
Opcode Fuzzy Hash: b376c172e7dbe267ce2f15173609e1d668150bea140ba1cb98fae1a0e5393daf
Instruction Fuzzy Hash: 0321807AF01219ABDB218E55C850AAF3E79DB81F98B114519F8A467750C3308D45ABE0

Function 6CF0E1A7 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CF0E1F4

Part of subcall function 6CF0E6C3: InitializeSListHead.KERNEL32(6CF78AC0,6CF0E1FE,6CF21F40,00000010,6CF0E18F,?,?,?,6CF0E3B7,?,00000001,?,?,00000001,?,6CF21F88), ref: 6CF0E6C8

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CF0E25E

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: f289a5fafbc8311bedf598b2848bb88120ce796203ec888aa24c0ef8618175dd
Instruction ID: 9069531d1a453ba050e238d53c93acbd1cd936f1a552add35c7ab8893624da7b
Opcode Fuzzy Hash: f289a5fafbc8311bedf598b2848bb88120ce796203ec888aa24c0ef8618175dd
Instruction Fuzzy Hash: 2E21FD72B992159FEF15ABB4D8217DD37A19F07A2CF24082AD4D177FC1CB320448A6E6

Function 6CF160C1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CF1610D
GetFileType.KERNELBASE(00000000), ref: 6CF1611F

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 6a1840a1bf8f00dcde0710962bbb5e7ca63dca95bb02df36c451c15d2d345220
Instruction ID: bcca325eada192957f26e1820efd7d7ff6d2f750a46b204171e77ebb0b182fe7
Opcode Fuzzy Hash: 6a1840a1bf8f00dcde0710962bbb5e7ca63dca95bb02df36c451c15d2d345220
Instruction Fuzzy Hash: 5811B17260CB514ACB304E3E8C88713BAA5EB57638B36071AF0B6E7DE2C771D4869240

Non-executed Functions

Function 6CEF8320 Relevance: 6.7, Strings: 5, Instructions: 491COMMON

Download Yara Rule

Strings

fyxdyweuqtmbxdrtoekkzywkzbcitrllnchvpyhvgxigahbkuzhpqppqxsjcmtgdrsnkwnniwtxksfdnzkbrbwxlxoetochjz, xrefs: 6CEF86A9, 6CEF86C9, 6CEF86DD
nqlynzhwzvvzwnxydszwdrwjxsimpufoztvoxytupzudlummmamnvkzlyadypmqx, xrefs: 6CEF8686
ayopkxaheqqbqvgquvuculivqllhnhuowbkzfuowztpmknpiphgtlurgioxmwtobr, xrefs: 6CEF8663
#)}, xrefs: 6CEF8A34
#)}, xrefs: 6CEF894D

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: #)}$#)}$ayopkxaheqqbqvgquvuculivqllhnhuowbkzfuowztpmknpiphgtlurgioxmwtobr$fyxdyweuqtmbxdrtoekkzywkzbcitrllnchvpyhvgxigahbkuzhpqppqxsjcmtgdrsnkwnniwtxksfdnzkbrbwxlxoetochjz$nqlynzhwzvvzwnxydszwdrwjxsimpufoztvoxytupzudlummmamnvkzlyadypmqx
API String ID: 0-3592044891
Opcode ID: 273ba8f3115fec5f372902ebcd04c6e7ba690d5450d7830fcb9235946718d39d
Instruction ID: 42a30348a82723eadf77001796a86bd593f373027b330b3f01b1f2e0bbdb4590
Opcode Fuzzy Hash: 273ba8f3115fec5f372902ebcd04c6e7ba690d5450d7830fcb9235946718d39d
Instruction Fuzzy Hash: 6E02BB71614B408FC724CE3DC5C169ABBF2EB57354B208A1ED4A78BF90D635E90B8B81

Function 6CF05E10 Relevance: 6.7, Strings: 5, Instructions: 426COMMON

Download Yara Rule

Strings

B7:8, xrefs: 6CF061B9
B7:8, xrefs: 6CF06207
L{S, xrefs: 6CF06222
L{S, xrefs: 6CF06269
/"Q", xrefs: 6CF0620C

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: /"Q"$B7:8$B7:8$L{S$L{S
API String ID: 0-2017179303
Opcode ID: 77369ecc4f6eedc42a858ff0f81b3d40b5799172f1672b9a4364c770b5aae143
Instruction ID: a3f6c5291e4d6722dcac46c3e7141d660e3ca749d3ab3359f60d2b23e435c231
Opcode Fuzzy Hash: 77369ecc4f6eedc42a858ff0f81b3d40b5799172f1672b9a4364c770b5aae143
Instruction Fuzzy Hash: 15E10FB7B56105DFCB04CEACEAE47CE7BF2AB46B48F204116F810D7B58D6298A44DB44

Function 6CF0E9E2 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CF0E9EE
IsDebuggerPresent.KERNEL32 ref: 6CF0EABA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF0EAD3
UnhandledExceptionFilter.KERNEL32(?), ref: 6CF0EADD

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 36cc418c7c3ad504c9de8f33028b63b93aef45b78fd2540d77d0a1003b851531
Instruction ID: b5f826e93bf99dd05aec3b36097a9b7bf5ac96fcef910a6ac05d1e1ce86df736
Opcode Fuzzy Hash: 36cc418c7c3ad504c9de8f33028b63b93aef45b78fd2540d77d0a1003b851531
Instruction Fuzzy Hash: 5C310875E05228DBDF60DFA4C9497CDBBB8BF08704F1041AAE44CAB240EB709A84DF85

Function 6CEF5A70 Relevance: 5.7, Strings: 4, Instructions: 673COMMON

Download Yara Rule

Strings

jfbwdbkpqbwyaothubqkevjuzzrcwlfuqckhwpdqnabwaxciahmdokqbmpdxxpdwkfaford, xrefs: 6CEF5F5F, 6CEF635B
]}U1, xrefs: 6CEF5ACA
baAs, xrefs: 6CEF62BA
oLy+Or7EnH/xqpuoz3NnYpLInrrArRjIvLyCrIy4vL6KqRzcwMN8wuCswGjdvLR+qbyCrOy8vL/xUcS8uLy+kbKerKjMxMDDv9Gm9O6WqQTcwMKKiQTcwMGmqMzEwMA9EECB53i4geW9EIvRpvCJpqyozMTAwD+/0bblArG4tpS6rb7pS3DC4K6KqMzcwMN/ZoqozMTAw38Uu3EedEC8v3DC4K6KqMzIwMNnf2aKqMzEwMN/ZMHgTLS8v3EcIBi8vrGv, xrefs: 6CEF5BCE, 6CEF60AD, 6CEF63B9

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: ]}U1$baAs$jfbwdbkpqbwyaothubqkevjuzzrcwlfuqckhwpdqnabwaxciahmdokqbmpdxxpdwkfaford$oLy+Or7EnH/xqpuoz3NnYpLInrrArRjIvLyCrIy4vL6KqRzcwMN8wuCswGjdvLR+qbyCrOy8vL/xUcS8uLy+kbKerKjMxMDDv9Gm9O6WqQTcwMKKiQTcwMGmqMzEwMA9EECB53i4geW9EIvRpvCJpqyozMTAwD+/0bblArG4tpS6rb7pS3DC4K6KqMzcwMN/ZoqozMTAw38Uu3EedEC8v3DC4K6KqMzIwMNnf2aKqMzEwMN/ZMHgTLS8v3EcIBi8vrGv
API String ID: 0-4091479763
Opcode ID: e249c023c22bebd099bc108f496ee447cd44b9b825bc64c55a964dfd029e323a
Instruction ID: 9057e8826284ccc60f9d850469b08dbe1a4bf8d6da0c3d3ff4673c3fa75b70c6
Opcode Fuzzy Hash: e249c023c22bebd099bc108f496ee447cd44b9b825bc64c55a964dfd029e323a
Instruction Fuzzy Hash: B832E272712B008FD725CE3CD69538A77F5AB97318B208A1DD466CBF90D635E90ACB21

Function 6CF0C8D0 Relevance: 5.4, Strings: 4, Instructions: 427COMMON

Download Yara Rule

Strings

3[/, xrefs: 6CF0CDB6
8/)B, xrefs: 6CF0CDB1
3[/, xrefs: 6CF0CE8B
8/)B, xrefs: 6CF0CDFF

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: 3[/$3[/$8/)B$8/)B
API String ID: 0-315528896
Opcode ID: 8ef5156daa3a4a655c2f80072a8ce7c5a02470b4f7f2c42a0c4ef27816520379
Instruction ID: 4603af4c30aeda61a6e54a9d7d98cf7c9cc5e795c586bedae2718e9fba771cf9
Opcode Fuzzy Hash: 8ef5156daa3a4a655c2f80072a8ce7c5a02470b4f7f2c42a0c4ef27816520379
Instruction Fuzzy Hash: 4DE12477B111008FCF04DE7CD5A53CE7BF2AB4A755F208519E851EBB90C63A8909DB22

Function 6CEF1D20 Relevance: 5.4, Strings: 4, Instructions: 368COMMON

Download Yara Rule

Strings

ijbnehanuaurxhiuilupaumuqrczubalolkhdgtujbriwiyqxpnucqiyjdfwrcfhcpzugz, xrefs: 6CEF1F7B, 6CEF225B
bukfcetqpjtzyprfeajkvtvzsahkhndrnmexdqsnaqukpmavakuqftposjiohbygiixmrvfhlmpddgcrpvtsatuwzugyzrlh, xrefs: 6CEF1F5B, 6CEF223B
lhadsxxbflctrzmykmoqqeoaycfagtljbcqpelntpvgfumkgzuyqiqgujutwj, xrefs: 6CEF1F3A, 6CEF1FE1, 6CEF1FF5, 6CEF221A
! tW, xrefs: 6CEF1D3E

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: ! tW$bukfcetqpjtzyprfeajkvtvzsahkhndrnmexdqsnaqukpmavakuqftposjiohbygiixmrvfhlmpddgcrpvtsatuwzugyzrlh$ijbnehanuaurxhiuilupaumuqrczubalolkhdgtujbriwiyqxpnucqiyjdfwrcfhcpzugz$lhadsxxbflctrzmykmoqqeoaycfagtljbcqpelntpvgfumkgzuyqiqgujutwj
API String ID: 0-4273801489
Opcode ID: e463d7cf87974242398097f36bb1b7790a46356621111d664b7ec34cbe5f0dff
Instruction ID: 27dd9c0acd6ee2a14573a9f89415371599ff9692cd18c1ce477a2fd34481d5ca
Opcode Fuzzy Hash: e463d7cf87974242398097f36bb1b7790a46356621111d664b7ec34cbe5f0dff
Instruction Fuzzy Hash: 5FE103B1614B40CFCB24DF7CC595656BBF1AB5A708B204A2EC4A687F54D734F90ACB42

Function 6CEF5620 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

,Z8k, xrefs: 6CEF592B
AgJ+DHIjQwAgeHSgwAYgfECgQwINXqhqGuJzyHHMciNBHj+wIiEHGZA6fVDTYH7qr8WCnW1x0QkGAUEUF7HRCQcBABSUsdEJCAFUEpXx0QkJDMmLyrHRCQoMjMvcsdEJCxZRw04x0QkMD41Jz3HRCQ0KGAaPsdEJDgjISUgx0QkPDUhNyjHRCRALmN6NcdEJEQTFxNSx0QkSAwAHgLHRCRMV00YDsdEJFAdBC9JxkQkVHTHRCRVAAAAAMdEJFgAAAAAu, xrefs: 6CEF56B5, 6CEF58E2
C, xrefs: 6CEF57C2
oddzcpehfgdmfk, xrefs: 6CEF59FF

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: ,Z8k$AgJ+DHIjQwAgeHSgwAYgfECgQwINXqhqGuJzyHHMciNBHj+wIiEHGZA6fVDTYH7qr8WCnW1x0QkGAUEUF7HRCQcBABSUsdEJCAFUEpXx0QkJDMmLyrHRCQoMjMvcsdEJCxZRw04x0QkMD41Jz3HRCQ0KGAaPsdEJDgjISUgx0QkPDUhNyjHRCRALmN6NcdEJEQTFxNSx0QkSAwAHgLHRCRMV00YDsdEJFAdBC9JxkQkVHTHRCRVAAAAAMdEJFgAAAAAu$C$oddzcpehfgdmfk
API String ID: 0-366193392
Opcode ID: e5e9f5b3b321b6d817ef19958ae685881f02235fa3e757e25c6de4a4855293f1
Instruction ID: 9dbbee02c183a5dcfabba2bc91bdf5dea083f298a9db2fa898d15f844a6eebb3
Opcode Fuzzy Hash: e5e9f5b3b321b6d817ef19958ae685881f02235fa3e757e25c6de4a4855293f1
Instruction Fuzzy Hash: ADA1D272A56645CFCB04CEACD5D43DE7BF2BB63328F34921AD4349BB94D6254A078B01

Function 6CF1297C Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CF12A74
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CF12A7E
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CF12A8B

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e07d44529d2debd9cdeab84fae470ca1d97fab36033cff3d9e518b838a71e7ed
Instruction ID: 7f82a487feaba8a57ebceb061f794bed04cd576d005f659426949d9516eded8b
Opcode Fuzzy Hash: e07d44529d2debd9cdeab84fae470ca1d97fab36033cff3d9e518b838a71e7ed
Instruction Fuzzy Hash: 4531E374E1122C9BCB21DF68D8887CDBBB8BF08714F5042EAE41CA7650EB709B858F44

Function 6CF0A800 Relevance: 3.2, Strings: 2, Instructions: 724COMMON

Download Yara Rule

Strings

o6<<, xrefs: 6CF0AE9A
o6<<, xrefs: 6CF0AE21

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: o6<<$o6<<
API String ID: 0-292878874
Opcode ID: ff720ff36198df7a86686c19cfe0c6222fd3bf2af7b497fefa06018417875115
Instruction ID: 559c2046bc7507bb9fcfb0b26d3f997a26e5b2c013b96aa48f620daa4196691b
Opcode Fuzzy Hash: ff720ff36198df7a86686c19cfe0c6222fd3bf2af7b497fefa06018417875115
Instruction Fuzzy Hash: 6C320436F551009FCB09CEBCE5E47DE77F2AB46724F219619E421DBBA4C6298D09EB00

Function 6CF0C220 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

Unknown exception, xrefs: 6CF0C6E0
wz1, xrefs: 6CF0C4EF

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: Unknown exception$wz1
API String ID: 0-3635849324
Opcode ID: 3897833ea7bac1fbc3616ae3f56e6f138b6ef2b9632c6ba1cc30448f20639b2b
Instruction ID: 3154868aa6234eaf5c2c3696ae44bf801db8be96dcea3aa6f43b70ab3aed6b91
Opcode Fuzzy Hash: 3897833ea7bac1fbc3616ae3f56e6f138b6ef2b9632c6ba1cc30448f20639b2b
Instruction Fuzzy Hash: A2E1F336F502058FCF04DE7CD5E83DE7BF2BB0A324F119119D911ABB94C62A4909AB65

Function 6CF08AA0 Relevance: 2.9, Strings: 2, Instructions: 398COMMON

Download Yara Rule

Strings

9C#^, xrefs: 6CF08E52
9C#^, xrefs: 6CF08EC3

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: 9C#^$9C#^
API String ID: 0-4070370123
Opcode ID: 6183525682befa1fbb0ff6eb891362f34cd4770bad131c85f55a2f1f59a04f0e
Instruction ID: 366f0dd64542be0730e10f153b2794f5c478833da70e6d3b40283c86dc299bef
Opcode Fuzzy Hash: 6183525682befa1fbb0ff6eb891362f34cd4770bad131c85f55a2f1f59a04f0e
Instruction Fuzzy Hash: 9BD1C172B466158FCB08DE7CD5E57CE77F3AB4A721F205116E811ABB90C62A8E05DB10

Function 6CF075F0 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

~(K, xrefs: 6CF0778C
~(K, xrefs: 6CF07738

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: ~(K$~(K
API String ID: 0-4076149878
Opcode ID: 21616cd74b169971d4b8683d976ce49b068b9008e007a113713f9adfe7d0d4f0
Instruction ID: bd7cfa9bb4fe648f4378c95c0eafbd5aaccb523b2c93d03ff1e7ccf8203fd0ab
Opcode Fuzzy Hash: 21616cd74b169971d4b8683d976ce49b068b9008e007a113713f9adfe7d0d4f0
Instruction Fuzzy Hash: 3C719B72B502158FCF058EBCD9A4BDEBBF6BB4A760F20415AD811EB740C73A9905DB60

Function 6CF0D800 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

a3r, xrefs: 6CF0DA34
a3r, xrefs: 6CF0D901

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: a3r$a3r
API String ID: 0-948694567
Opcode ID: ccc738b12bb5c7fb044642aed589fbe58c9776e0c45e343e18d99c848c6791a1
Instruction ID: b74721e591c0ee45fb670d1d3a3aa70e88aab53476a065e1030c93a4212b212d
Opcode Fuzzy Hash: ccc738b12bb5c7fb044642aed589fbe58c9776e0c45e343e18d99c848c6791a1
Instruction Fuzzy Hash: 8161CFB6F452098FCF04CFACC5A57EEBBF1AB4A714F20411AE850AB791C23A9905DB51

Function 6CF1ACF5 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CF1ACF0,?,?,00000008,?,?,6CF1A8F3,00000000), ref: 6CF1AF22

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: fccb45cd2390d5af6b9b64b65a2ffd984d642640a967dfa7745f13c7cbd95e38
Instruction ID: 1eb815fcc6ebb12640737068cbd5edc9720108442d9c2c70f940abe0f0dba854
Opcode Fuzzy Hash: fccb45cd2390d5af6b9b64b65a2ffd984d642640a967dfa7745f13c7cbd95e38
Instruction Fuzzy Hash: 77B18E72214608DFD705CF28C486B957BE0FF45369F258698E8A9CFAA1C335E995CB40

Function 6CF066A0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

Pcc, xrefs: 6CF06A26

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: Pcc
API String ID: 0-87343699
Opcode ID: c06e6c2d481b5f4109693bd3465333ce8db38515a09978ff9ec5b2d7317f5661
Instruction ID: 3a1902d820e62d06cedf628f7e710bacb3fa9318af4c4cb03abde8744818fdb4
Opcode Fuzzy Hash: c06e6c2d481b5f4109693bd3465333ce8db38515a09978ff9ec5b2d7317f5661
Instruction Fuzzy Hash: FF12CD76F052088FCB04DFACD5A17DEBBF1AF49704F208429E809EB754D6359A48DB51

Function 6CEFA7D0 Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

l8H, xrefs: 6CEFAC55

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: l8H
API String ID: 0-920087761
Opcode ID: 5f3c00207a4cce84208933aa4fbbeb9c4ba3fd6f89bf6d3f0aca8db5ecfc2395
Instruction ID: b8080aac88cd6efd9f235a06dfb34493a37ec8aa228a334e1a86f3066d9d6f39
Opcode Fuzzy Hash: 5f3c00207a4cce84208933aa4fbbeb9c4ba3fd6f89bf6d3f0aca8db5ecfc2395
Instruction Fuzzy Hash: 1F023875E843098FCB19CFACD58469CBBF1AB4A304F304529E825EFB58D6359947CB11

Function 6CF09DF0 Relevance: 1.7, Strings: 1, Instructions: 470COMMON

Download Yara Rule

Strings

9M#}, xrefs: 6CF0A0FB

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: 9M#}
API String ID: 0-1144523844
Opcode ID: 4c93357c7a2b62949aa4ec7a52e5abc7b78856c15057ae8a558dbbac8dcc71f5
Instruction ID: 70df6e76700b2fe1cc8b59a1c55e51acb44a86e1be03f5cc52e4892a704c5856
Opcode Fuzzy Hash: 4c93357c7a2b62949aa4ec7a52e5abc7b78856c15057ae8a558dbbac8dcc71f5
Instruction Fuzzy Hash: 4FF1253AB451259FCB04CEBCE9A47CE7BF1BB46710F10521AE811EBB64C73989459B11

Function 6CF0DA80 Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

BV+M, xrefs: 6CF0DCEE

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: BV+M
API String ID: 0-108387820
Opcode ID: d88418bce020a6b8cbf2dfcb93c1d6a87f869530a9973ad1ffb8a22454e7cd7f
Instruction ID: aa51ce7f08cea0488f96cd21d60b880b5949c66f811379d5f0d87967e0281910
Opcode Fuzzy Hash: d88418bce020a6b8cbf2dfcb93c1d6a87f869530a9973ad1ffb8a22454e7cd7f
Instruction Fuzzy Hash: CBE13472B152058FCF04CE7CD5E57DE7BF2AB4A760F24611AE821EBB90C23A8805DB55

Function 6CF0EBA8 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CF0EBBE

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: bcedef70dfef2ba50c9f151e7c60ec8457a3e4d4e2ff3a300626a04dcb386368
Instruction ID: 5540ef054719cf0911096f861a2c177a9a12eda67048493a82968b78eb13ae8e
Opcode Fuzzy Hash: bcedef70dfef2ba50c9f151e7c60ec8457a3e4d4e2ff3a300626a04dcb386368
Instruction Fuzzy Hash: 4151ADB1F266258FEB56CF58D89179EBBF1FB49708F24852AC490EB240D3759900CBA0

Function 6CF0BD60 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

%L, xrefs: 6CF0C0D2

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: %L
API String ID: 0-679821887
Opcode ID: 58277d04bc0c7572b752cbb0b2140597db44c43068832920a33fb752b05032fc
Instruction ID: b2db0b6f9c804b42ef89676372b44fa092c931ba37acae269cde4ddd39ccfd6e
Opcode Fuzzy Hash: 58277d04bc0c7572b752cbb0b2140597db44c43068832920a33fb752b05032fc
Instruction Fuzzy Hash: 16C1FC76B452058FCF04CEACD5E07DEBBF2EB0A764F205516E811E7B40D2398909EB25

Function 6CF055B0 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

GdO, xrefs: 6CF05836

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: GdO
API String ID: 0-1628042003
Opcode ID: 9cad167a91f013a7faf61d17fe7304eea7a9f5c2a940fcfb48b6bc7cc5af28d3
Instruction ID: 7a4ec23d4852c78a09d59044a66bbcc9552c58db0694c2ee0f9917c56bfbda3c
Opcode Fuzzy Hash: 9cad167a91f013a7faf61d17fe7304eea7a9f5c2a940fcfb48b6bc7cc5af28d3
Instruction Fuzzy Hash: 2A710476F401158FCF08CE7CC8F53EF7BF2AB46720F104519C8119BB94C62A8909AB68

Function 6CF15FF0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CF15FF0

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 98b4e3e2f6a35117d41456de42efd9b930b564629785081a9811087af4d71f10
Instruction ID: 6dd464dd78e8331b0dbfd781a05d67f242686ffb8e1dfad5b40e4aea1bb29177
Opcode Fuzzy Hash: 98b4e3e2f6a35117d41456de42efd9b930b564629785081a9811087af4d71f10
Instruction Fuzzy Hash: 82A01230B112008F5BC0AF34420630836BA55065D030740259400D0010D62440409600

Function 6CF036F0 Relevance: .5, Instructions: 530COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8d0813d975cd0c15b82fb68bc3e8e27b1726504b2e47bdc80ca9bcf575f80c
Instruction ID: cb53e3a816ad6f0cf178ebb15548a0033dc77cc7644f42c9902dc8cf3f1bbc8c
Opcode Fuzzy Hash: de8d0813d975cd0c15b82fb68bc3e8e27b1726504b2e47bdc80ca9bcf575f80c
Instruction Fuzzy Hash: BC021576B445059FCF04CE6CD5E8BDE7BF2AB46720F24521DE921EBB84C639884DAB10

Function 6CF093A0 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c4accdac6e23fab047fd9aab12cb197375858f893d134fe8f04f18f5370035
Instruction ID: 3e6b7144b5abb6571689a614de9a18daddf2772c97f22b02947ba874686d2fcd
Opcode Fuzzy Hash: 68c4accdac6e23fab047fd9aab12cb197375858f893d134fe8f04f18f5370035
Instruction Fuzzy Hash: 0412CC36F08205CFCF08DFACD9A16DEBBF2AB4A714F20411AE411EB754EA359A45DB01

Function 6CF086A0 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9bed9e724fcf351b766970c06a9b3d3358a7c54fe3b03815347edf29a6b15d
Instruction ID: a798028dbac40e88722d702dc2acae1f1d668a49faf342ee6346578868ea153d
Opcode Fuzzy Hash: 3d9bed9e724fcf351b766970c06a9b3d3358a7c54fe3b03815347edf29a6b15d
Instruction Fuzzy Hash: DFA13936F406118FCF08CE7CC5A53DF77F2AB0B735F245216C521ABB94D62A8A0A9B50

Function 6CF07D80 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9bea199cecdd92f0dc18de974dba4a9c0af93fdba7c0f75626f20a503d10c1
Instruction ID: b8f286b96f705a749504fa7fba46a0b5e2de7877a876280ff1e6b44becdd8eea
Opcode Fuzzy Hash: 0c9bea199cecdd92f0dc18de974dba4a9c0af93fdba7c0f75626f20a503d10c1
Instruction Fuzzy Hash: 0A91AE76B112058FDB04CF7CD8A17DEBBF2AB4A310F10806AE805A7750DA3A9909DB91

Function 6CF05290 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73b227bef4adcb12d163c9ded6b01851c8873099555a4110909f3895cbd862b
Instruction ID: 2325315306f9e7c9ff44f63cf8e51d863141fd34cd1030c49c4ca83150396977
Opcode Fuzzy Hash: b73b227bef4adcb12d163c9ded6b01851c8873099555a4110909f3895cbd862b
Instruction Fuzzy Hash: BF814776F142088FCF05CEBCD5A43EF7BF2AB0A324F245119D811EB781C2669909DB28

Function 6CF0A500 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239cb89f67c00d8fbe3526ebc37dafdd6cac300703cd60865f05ba67ac39e9ae
Instruction ID: 35005d78065a0be70d235bdc8daf822512364c215dbe7f17cfb94d8dce6d92a1
Opcode Fuzzy Hash: 239cb89f67c00d8fbe3526ebc37dafdd6cac300703cd60865f05ba67ac39e9ae
Instruction Fuzzy Hash: 8C712776B502458FCF05CE7CC9A53EF7BF2EB46324F209218C521AB7D0C62A8649DB61

Function 6CF0BA60 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e38aa1cc4a6309ee3b8d56b6be1c9ee68e861298c612cc63469df39786085a
Instruction ID: 4f5333a93fe5babc91cb8d58e92c0964331e8a6230051ed424afbf56e36c2bd0
Opcode Fuzzy Hash: 13e38aa1cc4a6309ee3b8d56b6be1c9ee68e861298c612cc63469df39786085a
Instruction Fuzzy Hash: 2771FF76B542068FCF09CF6CD5E17DEBBF2EB4A314F204A19D810A7790C63A9A09DB54

Function 6CF078F0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4831b0a8ce2ab3803b35a872f6d38a72844db294ce2027f046f954ead0fc0a
Instruction ID: ae39964b96957b47ba8f9cbf4def7a89cf99edb5d95cf26d95d18d5204090a5f
Opcode Fuzzy Hash: cb4831b0a8ce2ab3803b35a872f6d38a72844db294ce2027f046f954ead0fc0a
Instruction Fuzzy Hash: 7D71CBB2B106158FCF04CEACD5E17DEBBF2AB4A320F10952AE815E7754C63A8905DB61

Function 6CF08370 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5390f285112038c36213bf6555343a1a66dc03ced7ef54b8f99cb2a7eae9ecf8
Instruction ID: 4d24284d84c73e88b1d4e5dfe5d22ffb5d4c5585a9e2dd0932be32bd930fff2a
Opcode Fuzzy Hash: 5390f285112038c36213bf6555343a1a66dc03ced7ef54b8f99cb2a7eae9ecf8
Instruction Fuzzy Hash: DE61D176F441158FCF08CEBCD5A13EF7BF2AB4A324F21511AE811E7750C62A4A099B60

Function 6CF04DF0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7f21c8b639e0d0c9e4b60d88c7b40a05fc4dbff6eaddd0d0b5d2c13557ac2d
Instruction ID: 460d21eb2ceab3562e6c5cd802c5a69652685c12a92fdd222d427f4397215a18
Opcode Fuzzy Hash: 2c7f21c8b639e0d0c9e4b60d88c7b40a05fc4dbff6eaddd0d0b5d2c13557ac2d
Instruction Fuzzy Hash: FF512573B541168FCF04CFACD8A57EF7BF1AB0A754F244519D422DBB91C62A490897A0

Function 6CF058A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c5adf6182c2a3a0dec493bb1a930a2aff7e4df968d4c2e5ef90f47603497be
Instruction ID: c35983d9f99573ded4f67644b8ec2bd0a38ee97128e421199357bd94440caa2b
Opcode Fuzzy Hash: 87c5adf6182c2a3a0dec493bb1a930a2aff7e4df968d4c2e5ef90f47603497be
Instruction Fuzzy Hash: CE51BA72F402199FCB08CFACD4E5BEEBBF1EB0A724F245119E811AB740C2395805DB69

Function 6CEFB3B0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695396669b6abd2385604e61b04305938781a9481250b26adaee959420a79c5e
Instruction ID: 7afd027694be24c94a93f839f4cf4f0c25b8fa8e75673484122eefb378c2342a
Opcode Fuzzy Hash: 695396669b6abd2385604e61b04305938781a9481250b26adaee959420a79c5e
Instruction Fuzzy Hash: 2B51F472E101158FCB08CFBCD9907EEBBF2AB4A320F244219E535EBBD0D63589068B10

Function 6CF04480 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93bbf4dc967704ab8f11b4219643792daadc31af6f10256b3f1bbd347ea9df3d
Instruction ID: 51e0be4dbfa9386dd7146e325ab1bb54ed18cc9720f96574cba779ec5e081e79
Opcode Fuzzy Hash: 93bbf4dc967704ab8f11b4219643792daadc31af6f10256b3f1bbd347ea9df3d
Instruction Fuzzy Hash: E951DD72F102098FDF04CFACC5A17EEBFF6AB5A718F204519D810ABB80C6365A09DB51

Function 6CF0D630 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc966171bf11b25dbe6c54d6c0465a874052c3ff6d0962d439ece3e7dd81173
Instruction ID: 4ba9a2ef20a34bf2efb4374b3f2e66760d8f830de44b9635bd6ffa5dc820cdec
Opcode Fuzzy Hash: cbc966171bf11b25dbe6c54d6c0465a874052c3ff6d0962d439ece3e7dd81173
Instruction Fuzzy Hash: 9C41E276F012158FCF04CF6CC4A57DFBBF1AB46720F20861AD8259B794C23A9946DB90

Function 6CF04A70 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056e9aef5a8c249ebc9cd7f7bfb68849ec49056790c5824b2d2605f2ce001011
Instruction ID: 42cf8a02945f1ca96014a80acbe147301aecf42f222738b9f168560241e851b0
Opcode Fuzzy Hash: 056e9aef5a8c249ebc9cd7f7bfb68849ec49056790c5824b2d2605f2ce001011
Instruction Fuzzy Hash: A8416A77B411154FCF048E7CC5A53EF3FF1EB13320F245219D920ABAD4C2268A0AAB55

Function 6CF11C5A Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 6CF11D79
___TypeMatch.LIBVCRUNTIME ref: 6CF11E87
_UnwindNestedFrames.LIBCMT ref: 6CF11FD9
CallUnexpected.LIBVCRUNTIME ref: 6CF11FF4

Strings

csm, xrefs: 6CF11DB0
csm, xrefs: 6CF11D04
csm, xrefs: 6CF11C97

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 56f188357b577ec8ba90721201202dcce5f6cd41634ccd98e2c80ab2b9dd7704
Instruction ID: 4012790187a71407a74c36bf2c16a992c1cfd5c183fad3a59ee8aff1cb1f4907
Opcode Fuzzy Hash: 56f188357b577ec8ba90721201202dcce5f6cd41634ccd98e2c80ab2b9dd7704
Instruction Fuzzy Hash: 5FB18B72808219DFCF14CFA5D880AEEB7B5FF24318F14865AE8106BE15D331EA55CB91

Function 6CF15C1F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,6CF15D2E,00000000,6CF13827,00000000,00000000,00000001,?,6CF15EA7,00000022,FlsSetValue,6CF1E540,6CF1E548,00000000), ref: 6CF15CE0

Strings

ext-ms-, xrefs: 6CF15C8A
api-ms-, xrefs: 6CF15C76

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 292c76bd0ff59740f1d69f3f992b1d17a97ba1dda1a92c6c2180878cb4cd21df
Instruction ID: 3de88fec750236780baa2593c1f253fa69aae30e9eadb12003051c348c2b8401
Opcode Fuzzy Hash: 292c76bd0ff59740f1d69f3f992b1d17a97ba1dda1a92c6c2180878cb4cd21df
Instruction Fuzzy Hash: 8021B772E19220ABD712DF75DC45B4A3779EB423A8F260522E915B7E80E730E900C6E0

Function 6CF112AC Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000001,?,6CF10EE1,6CF0E7B8,6CF0E17F,?,6CF0E3B7,?,00000001,?,?,00000001,?,6CF21F88,0000000C,6CF0E4B0), ref: 6CF112BA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CF112C8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CF112E1
SetLastError.KERNEL32(00000000,6CF0E3B7,?,00000001,?,?,00000001,?,6CF21F88,0000000C,6CF0E4B0,?,00000001,?), ref: 6CF11333

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9142c3576d55fa4917fa77dace4ad7f16c0ff97654ad06a9ba430b95ae95904d
Instruction ID: 94228fb66957b1d0560b335a48c1d551dd9357c5f1fc160c7aaa751e4d569860
Opcode Fuzzy Hash: 9142c3576d55fa4917fa77dace4ad7f16c0ff97654ad06a9ba430b95ae95904d
Instruction Fuzzy Hash: D601D43272D2215EBA4657B56C847CB3A75DB227BCB70832AE52481ED0EFD2CC089154

Function 6CF14E53 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Solara.exe, xrefs: 6CF14E6F

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Solara.exe
API String ID: 0-3879318298
Opcode ID: 798f489c50deedab651a7af16efdc4445b90d08965a100f6564f121c916e6b94
Instruction ID: 68415c3f28f59baddb4bb0cc69ea3d131239655961706b3133955bd0d33c0f7c
Opcode Fuzzy Hash: 798f489c50deedab651a7af16efdc4445b90d08965a100f6564f121c916e6b94
Instruction Fuzzy Hash: 8121817260C205AFDB119FA6DC90A8B7FB9AF8576C7058614E918D7F40D731EC148BA0

Function 6CF13155 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,997DF8DE,00000000,?,00000000,6CF1B5A2,000000FF,?,6CF130EF,?,?,6CF130C3,?), ref: 6CF1318A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CF1319C
FreeLibrary.KERNEL32(00000000,?,00000000,6CF1B5A2,000000FF,?,6CF130EF,?,?,6CF130C3,?), ref: 6CF131BE

Strings

CorExitProcess, xrefs: 6CF13194
mscoree.dll, xrefs: 6CF13183

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7a5a94e7dcfbe4f53d73a9594361999ca96a3b3e851de88f484bab1f479b3a8
Instruction ID: a9b70153892ab6d3ec54de5a914582dc61d74ac2860ac54b3f501e2abe78c81c
Opcode Fuzzy Hash: a7a5a94e7dcfbe4f53d73a9594361999ca96a3b3e851de88f484bab1f479b3a8
Instruction Fuzzy Hash: E1014F71E58525EFDB029B54CC09BAEBBB8FB05724F014525E821A2E90DB759904CA90

Function 6CF179D4 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CF17A59
__alloca_probe_16.LIBCMT ref: 6CF17B22
__freea.LIBCMT ref: 6CF17B89

Part of subcall function 6CF143C2: HeapAlloc.KERNEL32(00000000,6CF153CC,?,?,6CF153CC,00000220,?,00000000,?), ref: 6CF143F4

__freea.LIBCMT ref: 6CF17B9C
__freea.LIBCMT ref: 6CF17BA9

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: a2b614c312becd8d082a0d61cea86e90178df126847d1ff698dd2789f6b205f7
Instruction ID: 794d24bed5f87ea72843f12f63e8b71a4f7ece5c3f4deb98e43d29217d8afd2a
Opcode Fuzzy Hash: a2b614c312becd8d082a0d61cea86e90178df126847d1ff698dd2789f6b205f7
Instruction Fuzzy Hash: AE51B3B2609206AFEB01DF65CC80EAB37A9EF84718F25052AFD1CD7E54E731DE548660

Function 6CF11882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CF11833,00000000,?,00000001,?,?,?,6CF11922,00000001,FlsFree,6CF1D778,FlsFree), ref: 6CF1188F
GetLastError.KERNEL32(?,6CF11833,00000000,?,00000001,?,?,?,6CF11922,00000001,FlsFree,6CF1D778,FlsFree,00000000,?,6CF11381), ref: 6CF11899
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CF118C1

Strings

api-ms-, xrefs: 6CF118A6

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: c75c4a5914431615c0dcee5c8c8405d3e3823b480d0be30e0e8c0742d9ddf5a9
Instruction ID: 887c165a34724277eb3b2dd494aa0be5585684f1be714d01bbb426d45109e6c6
Opcode Fuzzy Hash: c75c4a5914431615c0dcee5c8c8405d3e3823b480d0be30e0e8c0742d9ddf5a9
Instruction Fuzzy Hash: F0E04830B48204BBEF002A61DC06B883B79AB11798F168030F90DE4C94E762D5149684

Function 6CF180E1 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(997DF8DE,00000000,00000000,?), ref: 6CF18144

Part of subcall function 6CF15A21: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF17B7F,?,00000000,-00000008), ref: 6CF15A82

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CF18396
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CF183DC
GetLastError.KERNEL32 ref: 6CF1847F

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 1f18031af044714e03434a7d3eb1aea5200e5a438f969e43b118db33eb29fb61
Instruction ID: 26f6e2c84a0a920a0c634878dc17aa0d4ed5000f099be15d6572cce31b71cdf1
Opcode Fuzzy Hash: 1f18031af044714e03434a7d3eb1aea5200e5a438f969e43b118db33eb29fb61
Instruction Fuzzy Hash: 2BD18A75E082589FCF01CFE9C980AEDBBB5EF09314F29452AE465EBB41D730A942CB50

Function 6CF11A03 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6CF11ACA
___AdjustPointer.LIBCMT ref: 6CF11AED
___AdjustPointer.LIBCMT ref: 6CF11B89

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: fb06bc54d4a1ac049c7d0f5c5bf83c1026ef9b412f6573003c4ca8c679433dd0
Instruction ID: 63017a6719f536c23c0a6c5ebce37b26e6db85e3c3b8e0a6045e018e760e570f
Opcode Fuzzy Hash: fb06bc54d4a1ac049c7d0f5c5bf83c1026ef9b412f6573003c4ca8c679433dd0
Instruction Fuzzy Hash: AE510472A0D2069FEB19CF50D890BAA77B5FF21718F20852DE85547EA0F731EA94C790

Function 6CF1466D Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6CF15A21: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF17B7F,?,00000000,-00000008), ref: 6CF15A82

GetLastError.KERNEL32 ref: 6CF146D1
__dosmaperr.LIBCMT ref: 6CF146D8
GetLastError.KERNEL32(?,?,?,?), ref: 6CF14712
__dosmaperr.LIBCMT ref: 6CF14719

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: bba97818ec0a8d7fab2206cae58d1df6d964ac6fad3e109e34779131f47779bb
Instruction ID: c54860cff29bb2aac3e6e4e18f2aaabbedef716d70537d035dcfe81e0e4d4d53
Opcode Fuzzy Hash: bba97818ec0a8d7fab2206cae58d1df6d964ac6fad3e109e34779131f47779bb
Instruction Fuzzy Hash: B721927260C215AFDB109F66D890D5BBFB9FF8536D7058619E818D7E40D731EC118BA0

Function 6CF15AC4 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CF15ACC

Part of subcall function 6CF15A21: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF17B7F,?,00000000,-00000008), ref: 6CF15A82

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF15B04
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF15B24

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 6a5e0942b640242ec4f33cb79053285f1d76845ae309c3bf07fa1aebdb71d973
Instruction ID: 00db5f13e127befc67afe559314fe19f5437727ae16afda434c00cf804d3413f
Opcode Fuzzy Hash: 6a5e0942b640242ec4f33cb79053285f1d76845ae309c3bf07fa1aebdb71d973
Instruction Fuzzy Hash: 161104F2F591097F670157B64CCADAF7A6CDE866AC3010424F801D2E00FB24DE0086B0

Function 6CF197E6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CF18FA5,00000000,00000001,00000000,?,?,6CF184D3,?,00000000,00000000), ref: 6CF197FD
GetLastError.KERNEL32(?,6CF18FA5,00000000,00000001,00000000,?,?,6CF184D3,?,00000000,00000000,?,?,?,6CF18A76,00000000), ref: 6CF19809

Part of subcall function 6CF197CF: CloseHandle.KERNEL32(FFFFFFFE,6CF19819,?,6CF18FA5,00000000,00000001,00000000,?,?,6CF184D3,?,00000000,00000000,?,?), ref: 6CF197DF

___initconout.LIBCMT ref: 6CF19819

Part of subcall function 6CF19791: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CF197C0,6CF18F92,?,?,6CF184D3,?,00000000,00000000,?), ref: 6CF197A4

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CF18FA5,00000000,00000001,00000000,?,?,6CF184D3,?,00000000,00000000,?), ref: 6CF1982E

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 2aa56bedbaf06113918905a20c9a3bfa2665960d8aab4fb791d164bdf3550d67
Instruction ID: b2cac1ddf32520b14093863a6ce52742efb39de69b182f480186e958ca5a1027
Opcode Fuzzy Hash: 2aa56bedbaf06113918905a20c9a3bfa2665960d8aab4fb791d164bdf3550d67
Instruction Fuzzy Hash: D3F01236914115BBCF522FD5DC09A893F76FF453B5F164014FA1995910CB328920DBD0

Function 6CF10D00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6CF10D3F
__IsNonwritableInCurrentImage.LIBCMT ref: 6CF10DF3

Strings

csm, xrefs: 6CF10DDD

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 9593c19cbd1303451f75c0600410b547afbc79e52e312071497dcc566dff5f0c
Instruction ID: 71c426d02115bef242e1b34da40d3f8d12198000901f4b4ac785dd3effe42e39
Opcode Fuzzy Hash: 9593c19cbd1303451f75c0600410b547afbc79e52e312071497dcc566dff5f0c
Instruction Fuzzy Hash: A841A530A19158EBCF00DF69C840BDEBBB5EF45328F148555E814ABF91DB71E925CB90

Function 6CF11FFF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6CF12024

Strings

RCC, xrefs: 6CF1203E
MOC, xrefs: 6CF12036

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 13e5cf3ca303c74920790717ede5ea47d792a275e095124dd20c5841a26cc0b5
Instruction ID: 916e5fc155bf22c3a4b285d997ffc2b7e6ae20193bd1840d63e3a855ab6c0d26
Opcode Fuzzy Hash: 13e5cf3ca303c74920790717ede5ea47d792a275e095124dd20c5841a26cc0b5
Instruction Fuzzy Hash: CB415832904209AFCF06CF94CC85AEE7BB5FF09318F258199FA14A7A20D3369950DB51

Function 6CF07480 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF0757B

Strings

string too long, xrefs: 6CF07572, 6CF075D2

Memory Dump Source

Source File: 00000000.00000002.1752645666.000000006CEF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1752605896.000000006CEF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752741763.000000006CF1C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752776300.000000006CF23000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1752937084.000000006CF7A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_Solara.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: 82b72f225355b149630daf95e69558411483a18cb2730fa5781bc89b90aa54d9
Instruction ID: 8c5563f52e2265467839a55d40badba17b44301d67154a775ec445c3739b96c0
Opcode Fuzzy Hash: 82b72f225355b149630daf95e69558411483a18cb2730fa5781bc89b90aa54d9
Instruction Fuzzy Hash: 8931E437B081558FCB04DF7CC5A17EF7BE2AB02B24F100656C8619BB80C6669A09D752

Analysis Process: aspnet_regiis.exePID: 7636, Parent PID: 7548COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	60.2%
Total number of Nodes:	98
Total number of Limit Nodes:	6

Executed Functions

Function 00411183 Relevance: 36.3, APIs: 2, Strings: 18, Instructions: 1275COMMON

Download Yara Rule

Strings

SQ, xrefs: 00411CB9
abv>, xrefs: 00411ADD
[Y, xrefs: 00411CA3
WU, xrefs: 00411CAE
KJML, xrefs: 00412275
elyx, xrefs: 00411A7B
sergei-esenin.com, xrefs: 00411551, 00411DD4
)5*, xrefs: 00411B7E
9624C1592BF0BB8F90C03F9E7B99FFA9, xrefs: 00411183
ft`., xrefs: 00411A91
tp~&, xrefs: 00411AA7
;&1, xrefs: 00411A9C
/=-, xrefs: 00411CC4
hi, xrefs: 004114A0
mjk), xrefs: 00411A86
B#A, xrefs: 00412336
c`rX, xrefs: 00411A70
:+*), xrefs: 00411CCF

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ;&1$9624C1592BF0BB8F90C03F9E7B99FFA9$:+*)$B#A$KJML$abv>$c`rX$elyx$ft`.$hi$mjk)$sergei-esenin.com$tp~&$)5*$/=-$SQ$WU$[Y
API String ID: 0-1378136920
Opcode ID: ea86ca9daff62e6a61934ca8e0e89155f3254d41e330685a7924b14f1897c192
Instruction ID: 1ab48516a69e41e5a5d48a26003f25f5f4dfab9b2bb2c9dfc8c5748784172516
Opcode Fuzzy Hash: ea86ca9daff62e6a61934ca8e0e89155f3254d41e330685a7924b14f1897c192
Instruction Fuzzy Hash: 0A9234B15093908BD3209F25D8917EFBBE1AFD2308F18492DE4C95B392DB794905CB8B

Function 0043C516 Relevance: 19.9, APIs: 9, Strings: 2, Instructions: 606
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 0043C5B4
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,00000000), ref: 0043C5F7
SysAllocString.OLEAUT32(?), ref: 0043C637
SysAllocString.OLEAUT32(00000018), ref: 0043C70B
VariantInit.OLEAUT32(?), ref: 0043C781
VariantClear.OLEAUT32(00000019), ref: 0043C8FA
VariantClear.OLEAUT32(00000019), ref: 0043C911
SysFreeString.OLEAUT32(?), ref: 0043C992
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043C9CB

Strings

K*, xrefs: 0043C700
Lgfe, xrefs: 0043C610

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: String$AllocVariant$Clear$BlanketFreeInformationInitProxyVolume
String ID: K*$Lgfe
API String ID: 166343141-1944196812
Opcode ID: 92e96b66aff5ce9aaef89e422022859700a6dbda2e10e98f07d9ed25b8de3740
Instruction ID: 9bbedc36a9c05e1e6ed74e899277d5afd5f395ce79edc15d664a50c967b996af
Opcode Fuzzy Hash: 92e96b66aff5ce9aaef89e422022859700a6dbda2e10e98f07d9ed25b8de3740
Instruction Fuzzy Hash: 8F122179604700CFD724CF29D891B6AB7F1FB8A315F14992DE5868B3A2D738E406CB48

Function 0040CF50 Relevance: 7.9, APIs: 5, Instructions: 416
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,B726891B,0044A3DA,?,00000000,00000005), ref: 0040D209
GetCurrentThreadId.KERNEL32 ref: 0040D21C
GetInputState.USER32 ref: 0040D34B
GetCurrentProcessId.KERNEL32(?,00000000,00000005), ref: 0040D355
ExitProcess.KERNEL32 ref: 0040D41C

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: CurrentProcess$ExecuteExitInputShellStateThread
String ID:
API String ID: 288744916-0
Opcode ID: 06c3bc9e55a8e77195fefe671e4c61179e53e110d77dd770e7b890816a0fce40
Instruction ID: 0fd37e766399452ea79ea1ecf89dbf4f21738cee6a7900bf6f7899c6cc0f7193
Opcode Fuzzy Hash: 06c3bc9e55a8e77195fefe671e4c61179e53e110d77dd770e7b890816a0fce40
Instruction Fuzzy Hash: 23C17836E483504BD3049F69C88536BFBD3EBD6325F19893DD4C4D7385DAB8884A8786

Function 0040E9B5 Relevance: 7.6, Strings: 6, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

yE, xrefs: 0040E9FB
}{[a, xrefs: 0040EA87
GA, xrefs: 0040E9ED
KC, xrefs: 0040E9F4
{[a, xrefs: 0040EAC1
GA, xrefs: 0040EA90, 0040EAB3, 0040EABD, 0040EACA

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: GA$GA$KC$yE$}{[a${[a
API String ID: 0-2277813210
Opcode ID: 33dcb3a76e6969f6d6fe45914719672561f7cb1c3dc492d1340dc5c8cf3bb303
Instruction ID: ee125bc528aba6d56bb129c4200fab81ce282c5241c1ad6e2daef603022604aa
Opcode Fuzzy Hash: 33dcb3a76e6969f6d6fe45914719672561f7cb1c3dc492d1340dc5c8cf3bb303
Instruction Fuzzy Hash: 533132B4921244CFC758CF26C69496ABFB1BB66310B2A81D8D101AF376D738C941CF99

Function 0043C420 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00449B30,00000000,00000001,00449B20,00000000), ref: 0043C500

Strings

r{, xrefs: 0043C45D
dw, xrefs: 0043C44F
e}, xrefs: 0043C448

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: CreateInstance
String ID: dw$e}$r{
API String ID: 542301482-3703138658
Opcode ID: 71f09e7f722b90aa92155097f3e821371f5e693580c49e44e9ca9d25b534b0d0
Instruction ID: 134d8b67cf6fba851e764faf473082ad9ea46f13c3d2b40a5f02dec076a238a6
Opcode Fuzzy Hash: 71f09e7f722b90aa92155097f3e821371f5e693580c49e44e9ca9d25b534b0d0
Instruction Fuzzy Hash: C121B0B4150B009FE3308F25D949B63BBF4FB46B44F000A1CE1C24BA90D7B9B509CBA6

Function 004431C3 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[e\c, xrefs: 004431EB
@, xrefs: 0044356D

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: @$[e\c
API String ID: 0-444498393
Opcode ID: cf95c1a8dc0acaaa058ec7118f14d8a5731c25098cba9fa33136dfa9335819df
Instruction ID: c4707bdc3be2f1bf48f5f01bd11900847b3aa0246f70c81749ac7adceba80bd5
Opcode Fuzzy Hash: cf95c1a8dc0acaaa058ec7118f14d8a5731c25098cba9fa33136dfa9335819df
Instruction Fuzzy Hash: 3E51E1716193428BE710DF65C881327B7E2FFC1746F18492EE1859B351EBB8C6098B5A

Function 00442CC0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00445ECD,005C003F,00000006,?,?,00000018,?,?,?), ref: 00442CEE

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00442F0D Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 902349fb7c94823cbaed35226d9ac129c474a041ee86e3bb1864b24f72cfc174
Instruction ID: 684b29da006afcc7362401d10caeb36d1ac9a5791a635b2df50957aedbbf84e8
Opcode Fuzzy Hash: 902349fb7c94823cbaed35226d9ac129c474a041ee86e3bb1864b24f72cfc174
Instruction Fuzzy Hash: B8110A30B093015BF3148E58CD5472776E2EFD1326F98952EF4C1973D6DAF888449649

Function 0043FC00 Relevance: 1.6, APIs: 1, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043FC86

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5192fc5040beb1fd904ed67ad98f239ee3a91b63eb10178b7da733c57bcd17cc
Instruction ID: 211aead1c6f4c1a4add12b08c5dc655b0fa0cf25a90231986e6a0d288bf32465
Opcode Fuzzy Hash: 5192fc5040beb1fd904ed67ad98f239ee3a91b63eb10178b7da733c57bcd17cc
Instruction Fuzzy Hash: AC01F2327852109BD7015E1CD896BDBBBE8DBDA326F051838E4C487392C228D81AD796

Function 0043FBA0 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0043FBEA

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0d8d22724137fb9171bc0a9ac214c8e2644c51d3818145ec9add48bd8f9ac906
Instruction ID: a26e58627158a810960647125980d2bc04f80f1c0e575f0ecd98f7289f5fddd5
Opcode Fuzzy Hash: 0d8d22724137fb9171bc0a9ac214c8e2644c51d3818145ec9add48bd8f9ac906
Instruction Fuzzy Hash: E4F055717483008BC7189F64ED65A2BBB92DFC6714F188A3DE8C18B390C6340C26C39B

Function 0044317A Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0044317A

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 678f4db94619e1c1dd7ea38649d2fe8f8dc404061e84bbb59792b04ab113a243
Instruction ID: b8defc69bd823d4044ced74595fe230618df8aff12cc3d2489d32f3e0cf58ab8
Opcode Fuzzy Hash: 678f4db94619e1c1dd7ea38649d2fe8f8dc404061e84bbb59792b04ab113a243
Instruction Fuzzy Hash: 88D0A73B504150ABD7009B19FDA65A57390D702216B040439F083D2263D6299968CB5B

Function 00411161 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411173

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 059d275a806f9d62fff9768a1beefd4dac1c7a2b1f228c0798f03bca34e6de7b
Instruction ID: 865ce25ffa8f754c27bf895717889af42b622a4e25707abf040f66898e2eda9c
Opcode Fuzzy Hash: 059d275a806f9d62fff9768a1beefd4dac1c7a2b1f228c0798f03bca34e6de7b
Instruction Fuzzy Hash: 57D092383C8305F6F2700B58AC17F0431106303F22F300325F360BC1E08AE031508A1E

Function 00411140 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00411151

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5a3d1a269e2983305301fe5ced36788ecee0a0609dde5c991efc6f78fa4d167c
Instruction ID: a503d282d0a39757e827032928b53d3e56d75d1186f539017d1813aa49ff0952
Opcode Fuzzy Hash: 5a3d1a269e2983305301fe5ced36788ecee0a0609dde5c991efc6f78fa4d167c
Instruction Fuzzy Hash: 1EC08C34454208BBE210272DAE0AF033A2C9303761F400331B9A0440D1AA602420C5BF

Non-executed Functions

Function 00428D20 Relevance: 23.1, Strings: 18, Instructions: 603COMMON

Download Yara Rule

Strings

.o8m, xrefs: 004293B1
;s"q, xrefs: 00429390
b/`), xrefs: 00429059
*W,U, xrefs: 00429343
*g/e, xrefs: 004293C7
X+[), xrefs: 004292F6
cSam, xrefs: 004299FD
_#o-, xrefs: 0042904E
ec, xrefs: 00429246
+c(a, xrefs: 004293BC
us, xrefs: 00429267
(), xrefs: 00429843
$k>i, xrefs: 004293A6
X+V5, xrefs: 00429064
G7K1, xrefs: 0042906F
QS, xrefs: 00428FA9
w!u, xrefs: 0042939B
Y'_!, xrefs: 00429043

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: w!u$$k>i$()$*W,U$*g/e$+c(a$.o8m$;s"q$G7K1$QS$X+V5$X+[)$Y'_!$_#o-$b/`)$cSam$ec$us
API String ID: 0-4145598191
Opcode ID: fd2a503eeb27c23a339b6796bd6ab6dac7eb8ab26d8934e888d479e704feb7f0
Instruction ID: ec649590767d7447abcd29ac8d28183f61c2d1e7eacdcc35cfa09e4b08f04cb8
Opcode Fuzzy Hash: fd2a503eeb27c23a339b6796bd6ab6dac7eb8ab26d8934e888d479e704feb7f0
Instruction Fuzzy Hash: 1C622FB450D3858BE334CF15D881B9FBBE1BB92704F108A2DE5E99B251DBB480468F93

Function 00428EB0 Relevance: 23.1, Strings: 18, Instructions: 551COMMON

Download Yara Rule

Strings

.o8m, xrefs: 004293B1
;s"q, xrefs: 00429390
b/`), xrefs: 00429059
*W,U, xrefs: 00429343
*g/e, xrefs: 004293C7
X+[), xrefs: 004292F6
cSam, xrefs: 004299FD
_#o-, xrefs: 0042904E
ec, xrefs: 00429246
+c(a, xrefs: 004293BC
us, xrefs: 00429267
(), xrefs: 00429843
$k>i, xrefs: 004293A6
X+V5, xrefs: 00429064
G7K1, xrefs: 0042906F
QS, xrefs: 00428FA9
w!u, xrefs: 0042939B
Y'_!, xrefs: 00429043

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: w!u$$k>i$()$*W,U$*g/e$+c(a$.o8m$;s"q$G7K1$QS$X+V5$X+[)$Y'_!$_#o-$b/`)$cSam$ec$us
API String ID: 0-4145598191
Opcode ID: 0619b4cfa0240b4da6efff57853c527d94ea10218dbbd835c86a345b8b0975fc
Instruction ID: a36b9050c165af0e516547c0958bcec90388701dcdb2e7e6912bbd98595ee8c6
Opcode Fuzzy Hash: 0619b4cfa0240b4da6efff57853c527d94ea10218dbbd835c86a345b8b0975fc
Instruction Fuzzy Hash: 68521DB454D3858BE374CF219881B9FBBE1FB92704F108A2DD5E99B251DBB080468F97

Function 0041F980 Relevance: 21.4, Strings: 16, Instructions: 1408COMMON

Download Yara Rule

Strings

tk, xrefs: 00420ADC
SRQP, xrefs: 0041FC64
[NC, xrefs: 0041FC7A
4, xrefs: 0041FE71
"5, xrefs: 004209AD
>)kf, xrefs: 0041FC0C
7654, xrefs: 0041FC17
HKJM, xrefs: 0041FDA0
zvF4, xrefs: 0041FE90
(, xrefs: 004204BA
+*)$, xrefs: 0041FC4E
x{zU, xrefs: 0041FDCC
;=3F, xrefs: 0041FBBF
'&%$, xrefs: 0041FC43
d, xrefs: 00420BF0
.sq, xrefs: 00420ACC

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "5$'&%$$($+*)$$.sq$4$7654$;=3F$>)kf$HKJM$SRQP$[NC$d$tk$x{zU$zvF4
API String ID: 0-4049772501
Opcode ID: 803b7932d6ac417fe385105927a6b66042594f7b0cae3775f1d7941c9cbdaacd
Instruction ID: 264d658b36381c54fff28a44ab99085b8236c7e4026cc2de60eed8da418b3ee1
Opcode Fuzzy Hash: 803b7932d6ac417fe385105927a6b66042594f7b0cae3775f1d7941c9cbdaacd
Instruction Fuzzy Hash: B1A2F3716083818FE334CF25D8917ABBBE1AFD6304F58892EE1D98B392D7798405CB56

Function 00436290 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 134clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004362A4
GetWindowLongW.USER32 ref: 004362C9
GetClipboardData.USER32 ref: 004362D9
GlobalLock.KERNEL32 ref: 004362F2
GlobalUnlock.KERNEL32 ref: 00436433
CloseClipboard.USER32 ref: 0043643C

Strings

[, xrefs: 00436359
9, xrefs: 00436345

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: 9$[
API String ID: 2832541153-3651825367
Opcode ID: 72ae155242bbea7cf0065f4d130a9ffe3b1a06b032e4cc37a3cb74d2e624b145
Instruction ID: 23988804b27922a47d596ddb492acdd4ef3492fb0f623715efa0a33efecc4b80
Opcode Fuzzy Hash: 72ae155242bbea7cf0065f4d130a9ffe3b1a06b032e4cc37a3cb74d2e624b145
Instruction Fuzzy Hash: 1741F57290C3914ED310EF7C858821FBED05B96220F198B3DE8E5972C6D6758909C39B

Function 0042B780 Relevance: 11.5, Strings: 9, Instructions: 259COMMON

Download Yara Rule

Strings

A+i-, xrefs: 0042BFE2
C;D=, xrefs: 0042BFBA
^/i!, xrefs: 0042BFEC
r7B), xrefs: 0042BFD8
0_+Q, xrefs: 0042C00E
E3C5, xrefs: 0042BFCE
L#T%, xrefs: 0042BFF6
{?R1, xrefs: 0042BFC4
HK, xrefs: 0042C023

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 0_+Q$A+i-$C;D=$E3C5$HK$L#T%$^/i!$r7B)${?R1
API String ID: 0-2751585519
Opcode ID: 7e5d07f26d5111386fab261639725779ce38784954a16fac21b72aa9b501944d
Instruction ID: 3a8eb43d421a5e541724b6472a13629b8974dc3b4cafebab6d171b7ebe809d5c
Opcode Fuzzy Hash: 7e5d07f26d5111386fab261639725779ce38784954a16fac21b72aa9b501944d
Instruction Fuzzy Hash: 3991BBB4D003288BDB24DF65DC827AEBB70FF06314F54829AD4496B351E7348A86CF96

Function 0042BE90 Relevance: 11.5, Strings: 9, Instructions: 253COMMON

Download Yara Rule

Strings

A+i-, xrefs: 0042BFE2
C;D=, xrefs: 0042BFBA
^/i!, xrefs: 0042BFEC
r7B), xrefs: 0042BFD8
0_+Q, xrefs: 0042C00E
E3C5, xrefs: 0042BFCE
L#T%, xrefs: 0042BFF6
{?R1, xrefs: 0042BFC4
HK, xrefs: 0042C023

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 0_+Q$A+i-$C;D=$E3C5$HK$L#T%$^/i!$r7B)${?R1
API String ID: 0-2751585519
Opcode ID: b4ce3d0ff0b136ea552590c10a5e08cdd96db756ec1cdfb4e28af829b04cf1f0
Instruction ID: b44420930cfc595a94b4d603bcc6d05f6dac3ddd5ac77c39de16d49cae7ec233
Opcode Fuzzy Hash: b4ce3d0ff0b136ea552590c10a5e08cdd96db756ec1cdfb4e28af829b04cf1f0
Instruction Fuzzy Hash: 4C91ABB5D003288BDB24DFA5D8867AEBB70FF06314F148299D449AB351E7344A86CF96

Function 0042A920 Relevance: 10.7, Strings: 8, Instructions: 719COMMON

Download Yara Rule

Strings

AG, xrefs: 0042A9B9
KJML, xrefs: 0042AF2A
O=N?, xrefs: 0042ADF3
KJML, xrefs: 0042AC1A
!A7C, xrefs: 0042AE0B
vItf, xrefs: 0042B252
L9[;, xrefs: 0042ADFB
!MNO, xrefs: 0042AE13

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: !A7C$!MNO$KJML$KJML$L9[;$O=N?$vItf$AG
API String ID: 0-82243277
Opcode ID: 98b50d6869d296e1cf30ba6311fe32dab49c793a9cddcad59e7ebcbb764e85d3
Instruction ID: f4e79cf57779696b527ad8831ab85e9393b5edf86aebb1d75cf0b777bd663d3d
Opcode Fuzzy Hash: 98b50d6869d296e1cf30ba6311fe32dab49c793a9cddcad59e7ebcbb764e85d3
Instruction Fuzzy Hash: B632ED75608351CBE720CF25E88166BBBE1FB96304F54892EE5C587391E738D805CB9B

Function 0041DA30 Relevance: 9.9, Strings: 7, Instructions: 1143COMMON

Download Yara Rule

Strings

f, xrefs: 0041E560
KJML, xrefs: 0041DE77
KP, xrefs: 0041DCC0
rA, xrefs: 0041E765
n, xrefs: 0041E1CB
6A, xrefs: 0041DCCB
]_, xrefs: 0041DCB5

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 6A$KJML$KP$]_$f$n$rA
API String ID: 0-3558286288
Opcode ID: 07497227aad9b0d30c4f976ebd567037a040053a94f42ff1ea623b30d42d7f07
Instruction ID: ceb5684404fc071c0ff1e9991d9d414612f2b6aa5616f415198be639230c1dff
Opcode Fuzzy Hash: 07497227aad9b0d30c4f976ebd567037a040053a94f42ff1ea623b30d42d7f07
Instruction Fuzzy Hash: 3D8236B5908340CBD720DF15D881BABB7E2FF85314F04892DE99997392E7388945CB9B

Function 0042B963 Relevance: 8.0, Strings: 6, Instructions: 545COMMON

Download Yara Rule

Strings

Ybl`, xrefs: 0042BDF2
wrOq, xrefs: 0042BE0A
]ZSo, xrefs: 0042BDEA
Yl5[, xrefs: 0042BE02
/BfV, xrefs: 0042BDFA
p, xrefs: 0042BE1A

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: /BfV$Ybl`$Yl5[$]ZSo$p$wrOq
API String ID: 0-1944318820
Opcode ID: 353af23579b3ce35b2e9ad5c5847b8eee65d91284f734e5bd3e88e0d16b0ee63
Instruction ID: 2d7bd3801d536c5826b5fbb93414904ccf25f40a15c7a5ee9af749fb12e5bec3
Opcode Fuzzy Hash: 353af23579b3ce35b2e9ad5c5847b8eee65d91284f734e5bd3e88e0d16b0ee63
Instruction Fuzzy Hash: EC0246B1A083618FC714CF25E49166BBBE1FF96308F58896EE4C55B342D338E905CB96

Function 0042FDD7 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 617COMMON

Download Yara Rule

Strings

{)x+, xrefs: 004312A6
zE*, xrefs: 00431164

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: zE*${)x+
API String ID: 0-470808375
Opcode ID: 2a4b898a0bded25a0d7bd731136e161f7c857efe40521d592f1e5a0fcfeae8ad
Instruction ID: 4dfdc88212276a6e7d2886bfcb55bc526d23f4ee88b632c399f4801d7418444e
Opcode Fuzzy Hash: 2a4b898a0bded25a0d7bd731136e161f7c857efe40521d592f1e5a0fcfeae8ad
Instruction Fuzzy Hash: 401226716047418FD3258F29C890763BBE2EF9A314F18C65ED4E64B7A2C778E806CB95

Function 004304A1 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 585COMMON

Download Yara Rule

Strings

{)x+, xrefs: 004312A6
zE*, xrefs: 00431164

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: zE*${)x+
API String ID: 0-470808375
Opcode ID: 6422f25c51f290c329255681964c32038084f14ff16787bf663d30e85cec32de
Instruction ID: 683beb8edce4d48fce2f171467d1da92105bfdf725bb3a484147bc17d9484a2f
Opcode Fuzzy Hash: 6422f25c51f290c329255681964c32038084f14ff16787bf663d30e85cec32de
Instruction Fuzzy Hash: FF0237702047418FE3258F29C891B63BBE1EF96314F18C56ED0E68B7A2D779D406CB55

Function 00430FE2 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 557COMMON

Download Yara Rule

Strings

{)x+, xrefs: 004312A6
zE*, xrefs: 00431164

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: zE*${)x+
API String ID: 0-470808375
Opcode ID: 2eec441c722a430d3979b06d5c7e5e6492a03ac5ef8abcf01376e6e80e665ca5
Instruction ID: a333fd5c15de003d0da34ded1e8a08ef2b191533e839a348efc40e4df4189c3a
Opcode Fuzzy Hash: 2eec441c722a430d3979b06d5c7e5e6492a03ac5ef8abcf01376e6e80e665ca5
Instruction Fuzzy Hash: 060235706047418FE3258F29C890B63BBE1EF96314F18C55ED4EA8B7A2C779E406CB55

Function 004283C0 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 486COMMON

Download Yara Rule

Strings

*w, xrefs: 004286BE
xy, xrefs: 0042883E

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: *w$xy
API String ID: 0-1364878931
Opcode ID: 460ce5924cddd8657541fe55a7b34834bcc2a45b7a79476a92b5a347a507da92
Instruction ID: a5bb7b2153112ba927e9dd1cf55a408020d899a35eea8af5c3c596f031079af1
Opcode Fuzzy Hash: 460ce5924cddd8657541fe55a7b34834bcc2a45b7a79476a92b5a347a507da92
Instruction Fuzzy Hash: 6EF1EDB56093508FD300DF55E88165BBBE0EF82754F50892DE8D59B351E7B88909CB8B

Function 00420D85 Relevance: 5.6, Strings: 4, Instructions: 619COMMON

Download Yara Rule

Strings

efg, xrefs: 0042115B
|w, xrefs: 00421428
(lPL, xrefs: 0042106E
(lPL, xrefs: 00421467

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: (lPL$(lPL$|w$efg
API String ID: 0-2680157272
Opcode ID: b3d5e6425ce3f3882059992aa87f09437cc3b40181d0ffa711c08c1842fd7046
Instruction ID: fe9033420d0979f2a9fdc82578518aad40a36a13dfc955e7f4e1b44c148f2a08
Opcode Fuzzy Hash: b3d5e6425ce3f3882059992aa87f09437cc3b40181d0ffa711c08c1842fd7046
Instruction Fuzzy Hash: 842247B2D002258FCB14CFA4C8816AEBBB1FF55310F19826ED855AF356D7789906CB84

Function 00444DC0 Relevance: 4.7, Strings: 3, Instructions: 943COMMON

Download Yara Rule

Strings

"WD, xrefs: 0044570D
XD, xrefs: 0044574B
"OD, xrefs: 00444F14

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "OD$"WD$XD
API String ID: 0-1088106142
Opcode ID: a98998d136bcc4a194447ce1db46a6efbffa8c66ec98d6a4db09ca6fc6d13972
Instruction ID: 5af832274502cfa1fd96d347f514d15b18fbd451352208c449ede07d16317c80
Opcode Fuzzy Hash: a98998d136bcc4a194447ce1db46a6efbffa8c66ec98d6a4db09ca6fc6d13972
Instruction Fuzzy Hash: 4E52EE75A05211CFDB18CF28E8A07AAB7F2FB8A315F1A897ED44597362D734D805CB84

Function 004309D7 Relevance: 4.3, Strings: 3, Instructions: 547COMMON

Download Yara Rule

Strings

KJML, xrefs: 00430ED2
84N?, xrefs: 00430E2F
?1>0, xrefs: 00430CDF

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 84N?$?1>0$KJML
API String ID: 0-3517922109
Opcode ID: 74f979afedbd4e8a532ba39d7555e23a46da0b6b368afc82043d95401a895028
Instruction ID: 327fb9217243c762480ec2521c53d89e3517db4b64c61d3e8518e508b1394e73
Opcode Fuzzy Hash: 74f979afedbd4e8a532ba39d7555e23a46da0b6b368afc82043d95401a895028
Instruction Fuzzy Hash: 81F1F4716087818FE7298F39C460722FBE1AF57310F1896AEC4DA8B792C779D846CB54

Function 0042C204 Relevance: 4.2, Strings: 3, Instructions: 456COMMON

Download Yara Rule

Strings

KJML, xrefs: 0042C74F
]1wTU_, xrefs: 0042C79D, 0042C38E, 0042C2B6
wTU_, xrefs: 0042C5B8

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: KJML$]1wTU_$wTU_
API String ID: 0-2536373194
Opcode ID: cdaba1089c2a396c092714b99f87c591f818f44904e59b66804296deff946a1a
Instruction ID: 93385df08977b2d4fc25bb92ae5eb0afd377cf68a4ce0e485ff28707600d948c
Opcode Fuzzy Hash: cdaba1089c2a396c092714b99f87c591f818f44904e59b66804296deff946a1a
Instruction Fuzzy Hash: 5BF12275E00255CFDB14CFA9D8907AEBBB2FF4A314F1881A9D4516B3A1C739AD01CB98

Function 0042D1D1 Relevance: 4.2, Strings: 3, Instructions: 420COMMON

Download Yara Rule

Strings

??;4, xrefs: 0042D4E3
KJML, xrefs: 0042D462
FHFA, xrefs: 0042D4DC

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ??;4$FHFA$KJML
API String ID: 0-1015406819
Opcode ID: 974765d5307f38d9a37e8a830b149da383e6b6941c0311d0ac8549cd3414f762
Instruction ID: 19675871241f5ccdce13e8c7c8d171f8bea98ddc876ad241f8c25927d112324b
Opcode Fuzzy Hash: 974765d5307f38d9a37e8a830b149da383e6b6941c0311d0ac8549cd3414f762
Instruction Fuzzy Hash: C2E158B4E00226CFDB14CF58D8917AEB7B1FF4A304F1441AAD415AB392E778AD41CB99

Function 0042B2D0 Relevance: 4.2, Strings: 3, Instructions: 400COMMON

Download Yara Rule

Strings

KJML, xrefs: 0042B3CC
i!fy, xrefs: 0042B6A1
cjkf, xrefs: 0042B699

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: KJML$cjkf$i!fy
API String ID: 2994545307-1317482915
Opcode ID: 7bc42e580c91a383bcd02ea3a91d37dfd5b4d4567b50ae69bf2a4c190187bf0e
Instruction ID: d8ee5b785f6405f0ad0fa8ab20a5ebf0fccd15df3b054236a1951f4df92bc7e3
Opcode Fuzzy Hash: 7bc42e580c91a383bcd02ea3a91d37dfd5b4d4567b50ae69bf2a4c190187bf0e
Instruction Fuzzy Hash: AFC15A72B043218BD714DF24E88162BB7A2EFC5704F59852EE8859B395E738DC06C7DA

Function 004452A0 Relevance: 3.2, Strings: 2, Instructions: 723COMMON

Download Yara Rule

Strings

"WD, xrefs: 0044570D
XD, xrefs: 0044574B

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "WD$XD
API String ID: 0-408183626
Opcode ID: 709341e37fffac0385dc8886cba6f6bfba1a8c3e324d28a20b442d3061128633
Instruction ID: c8ff928c3e5cdbb719229a74855c4473aeed94adffebadf5af6340452073c376
Opcode Fuzzy Hash: 709341e37fffac0385dc8886cba6f6bfba1a8c3e324d28a20b442d3061128633
Instruction Fuzzy Hash: 0322EF72A09215CFDB08CF68D8912AEB7F2AF89314F19856ED455E7392DB38D901CB84

Function 004408D0 Relevance: 3.0, Strings: 2, Instructions: 537COMMON

Download Yara Rule

Strings

KJML, xrefs: 00440925
f, xrefs: 00440A90

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: KJML$f
API String ID: 2994545307-2212088427
Opcode ID: a6953bf554a5a5f327900a360bbd01eff89d38fab8d3eed6c1a60ac3c8c8a3df
Instruction ID: 0b33802546e2aab595f3a42b6787acbe00ea38ebf504a6ea990ca99cd9bf722d
Opcode Fuzzy Hash: a6953bf554a5a5f327900a360bbd01eff89d38fab8d3eed6c1a60ac3c8c8a3df
Instruction Fuzzy Hash: 3512C0716083419FE714CF28C890A2BBBE1EFC5314F148A2EF69587392D778E855CB5A

Function 00422E90 Relevance: 3.0, Strings: 2, Instructions: 513COMMON

Download Yara Rule

Strings

h, xrefs: 004230A1
YZ/-, xrefs: 00423345

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: YZ/-$h
API String ID: 0-2460306913
Opcode ID: ccd8e6205953157d93298296412cdee330d7bb5d06ea662ebf6f4e37c4eceb2b
Instruction ID: 3b8e0abaceefc36510a823e3c29801d1cd02138934cda543847c8a9294aeef2c
Opcode Fuzzy Hash: ccd8e6205953157d93298296412cdee330d7bb5d06ea662ebf6f4e37c4eceb2b
Instruction Fuzzy Hash: 13F11572608311ABE310DF25D981B6BBBE5EFC5704F08893EF88497391E678D9058B97

Function 0042FDE1 Relevance: 3.0, Strings: 2, Instructions: 506COMMON

Download Yara Rule

Strings

jfm`, xrefs: 0042FE3A
W8m, xrefs: 0043008B

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: jfm`$W8m
API String ID: 0-2495801694
Opcode ID: d2fd6c6dccca46f58157018f07e5f3e0f66b0ef15cb9074ccb691f6337a7565a
Instruction ID: 63bd62d5833709707c21caddd0b49579b2796a7a6c8ff8e57996385b85c75fdf
Opcode Fuzzy Hash: d2fd6c6dccca46f58157018f07e5f3e0f66b0ef15cb9074ccb691f6337a7565a
Instruction Fuzzy Hash: 9FD1F4742047918BD72A8F2AD4A0723BFE1FF5B304F18969ED0D64B792C7399806CB55

Function 00424CF1 Relevance: 3.0, Strings: 2, Instructions: 456COMMON

Download Yara Rule

Strings

WT, xrefs: 00424E80
-+, xrefs: 00424DA8

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: WT$-+
API String ID: 0-882804157
Opcode ID: 38fef336118ec33b7226c1cc4cbb7671074636a906bb393d9958f963bfe93745
Instruction ID: 8c4bcc8df420f127d5bf968a03d4dbc2a4c0baf9374a6cc51af388f7880e37cf
Opcode Fuzzy Hash: 38fef336118ec33b7226c1cc4cbb7671074636a906bb393d9958f963bfe93745
Instruction Fuzzy Hash: 66C126B1A00322CBCB24CF14D892673B7B0FF96324B498699D8925F396E378D841CBD4

Function 004251A6 Relevance: 2.9, Strings: 2, Instructions: 436COMMON

Download Yara Rule

Strings

-+, xrefs: 0042525F
WT, xrefs: 00425330

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: WT$-+
API String ID: 0-882804157
Opcode ID: 32a0392d1787dbbc7b89b2bb0897d90e3a71d04d2a11b510bed33e9188074b88
Instruction ID: 356114a6077ac564a7fe6e609bc831d836c8bcad743f9935920156e502615973
Opcode Fuzzy Hash: 32a0392d1787dbbc7b89b2bb0897d90e3a71d04d2a11b510bed33e9188074b88
Instruction Fuzzy Hash: 30C123B1A017218BCB24CF24C891677BBB1FF56324B99828DC8965F395E339D881CBD4

Function 00429D54 Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

KJML, xrefs: 0042A220
tk, xrefs: 00429F6C

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: KJML$tk
API String ID: 0-2859812500
Opcode ID: dbc60441945cf9e1967f44465f1ef71324a53f198c09847ad34bb7f8df11b8bb
Instruction ID: 29eed480706aaebf2141eb91c1a78785de5ef132ebb3aea559bbc987866c7be6
Opcode Fuzzy Hash: dbc60441945cf9e1967f44465f1ef71324a53f198c09847ad34bb7f8df11b8bb
Instruction Fuzzy Hash: 83E14075A083228BC724CF24D88056BB3F2FF85750F59892EE8C597350E779AD15CB8A

Function 00403630 Relevance: 2.9, Strings: 2, Instructions: 420COMMON

Download Yara Rule

Strings

NaN, xrefs: 00403695
Inf, xrefs: 0040368E

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 862ec2ab933a25227db7fa9215c768e5b681cdcc29266887603bf55694ea6af6
Instruction ID: e449c9e2ccc97afd5d9be602a0fb0bcaf08fc3074b12e7987d036dbe93e41533
Opcode Fuzzy Hash: 862ec2ab933a25227db7fa9215c768e5b681cdcc29266887603bf55694ea6af6
Instruction Fuzzy Hash: F7D1E672A183019BC704CF28C88061FBBE5EBC8710F158A3EF999A73D0E675DD058B86

Function 0043250E Relevance: 2.7, Strings: 2, Instructions: 233COMMON

Download Yara Rule

Strings

;01", xrefs: 00432624
>2K4, xrefs: 0043262B

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ;01"$>2K4
API String ID: 0-3132311252
Opcode ID: 2b5ef47124ab562b5b31fcbfa6b9766aab39ea6d907b0028eafbee62dd8e1557
Instruction ID: cf68b5f938d7d94a2a8a6e2edbdd0c070244593f5d46e8efd776733f4831bf0f
Opcode Fuzzy Hash: 2b5ef47124ab562b5b31fcbfa6b9766aab39ea6d907b0028eafbee62dd8e1557
Instruction Fuzzy Hash: 2F71DEB41047818FD325CF2AC5A0A22BFA1BF56310B1966DED4D64F766C378E406CB95

Function 00410AD1 Relevance: 2.6, Strings: 2, Instructions: 142COMMON

Download Yara Rule

Strings

01[5^3, xrefs: 00410C6E
[5^3, xrefs: 00410C03

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 01[5^3$[5^3
API String ID: 0-2583118205
Opcode ID: c4e8537019678f3e9ef549c247b9b3275905c767fa5e391bdc1a0742152738ee
Instruction ID: f863a96f43ea80462a18e6a4439acd757cf66898281234ce7aaaf70316137065
Opcode Fuzzy Hash: c4e8537019678f3e9ef549c247b9b3275905c767fa5e391bdc1a0742152738ee
Instruction Fuzzy Hash: 67412436A40711DFCB25CF64C890BABBBE1EF99300F19805DD496AB352C775A842CB98

Function 00440780 Relevance: 2.6, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

KJML, xrefs: 00440865
uxVd, xrefs: 00440890

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: KJML$uxVd
API String ID: 0-3416864494
Opcode ID: 845918bc59ae1f3f73b88506ff4cf99c7bce6720a099312221a1cbd613bb4ba3
Instruction ID: 933fd9a6b269e0b213bb936cc4f722f1f1537e486b7652f8351aeefb2b915f7c
Opcode Fuzzy Hash: 845918bc59ae1f3f73b88506ff4cf99c7bce6720a099312221a1cbd613bb4ba3
Instruction Fuzzy Hash: A1413631904304ABEB20DF14CE41A6BB7B6EF85300F10882EFA5987352D338DC64DB9A

Function 004319E7 Relevance: 1.8, Strings: 1, Instructions: 570COMMON

Download Yara Rule

Strings

?026, xrefs: 00431DF8

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ?026
API String ID: 0-2410484627
Opcode ID: 528e1150e7b9ac56716fa2b8a7103c69ca38bc5898752be30f05d7e73f21c4e6
Instruction ID: 3ec38c75b13debbe1b51677c28544c8b60241dac7717bc27087e604fe700511c
Opcode Fuzzy Hash: 528e1150e7b9ac56716fa2b8a7103c69ca38bc5898752be30f05d7e73f21c4e6
Instruction Fuzzy Hash: 75029D742047408FD7258F25C491B62BBE2EF9A314F18D59DC8D68B7A3C739E80ACB65

Function 00427180 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00449A60,00000000,00000001,00449A50), ref: 004271A9

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 20868e8003decff1a9ecf477be7ace546b56c8bff2e81e52a765b56acc0f52a7
Instruction ID: 03f1ceda27a7c5f158b96155b21c97f43afc36611610cfc71dde0e6564a1cf1f
Opcode Fuzzy Hash: 20868e8003decff1a9ecf477be7ace546b56c8bff2e81e52a765b56acc0f52a7
Instruction Fuzzy Hash: 3C51BFB17083209BDB20DB64DC82BB733B4EF81368F544559F9858B391E379E801D76A

Function 0041D610 Relevance: 1.7, Strings: 1, Instructions: 409COMMON

Download Yara Rule

Strings

KJML, xrefs: 0041D743, 0041D747, 0041D752, 0041D7D9

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: KJML
API String ID: 0-719402181
Opcode ID: e5e581602bc2a55ccfb37693403efe0759c5118dbecf5eed7a7c302b9fb27ebb
Instruction ID: 61f755d52da95e828a53ea8c4cecfda00ba2d2134aed331069b02e650f1cae05
Opcode Fuzzy Hash: e5e581602bc2a55ccfb37693403efe0759c5118dbecf5eed7a7c302b9fb27ebb
Instruction Fuzzy Hash: 33A122B5E00214DBD720AF14CC526B373B1FF96359F08452EE8868B3A1F738A955C75A

Function 00444900 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

P, xrefs: 00444A9C

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: ba6f5292d06f699f4070dd606d537ba549fbfacdbe936725bfe82cd68789bd9a
Instruction ID: 05e2c835aca4e79af45d04209860e11c8451a35dcc984c576ca4a17cae12bb72
Opcode Fuzzy Hash: ba6f5292d06f699f4070dd606d537ba549fbfacdbe936725bfe82cd68789bd9a
Instruction Fuzzy Hash: BCD166726083654BE319CE18985032FB6E2EBC5324F16863EE9A69F3C1CB74DC4697C5

Function 0042F5A0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

", xrefs: 0042F8D8

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: ec0a4d7e7a130e8e173fe284c57213440baecf839cc35a5dc9babf00f42a6a22
Instruction ID: 2b57ba1541f42e8e21a8568950ef5b359da240a3a1337b25709392993a5a653b
Opcode Fuzzy Hash: ec0a4d7e7a130e8e173fe284c57213440baecf839cc35a5dc9babf00f42a6a22
Instruction Fuzzy Hash: 24C1F6B1B083216BD724CE24E480B6BB7F5AB84714FD9853FE89587381D738DC498796

Function 0041E400 Relevance: 1.6, Strings: 1, Instructions: 358COMMON

Download Yara Rule

Strings

f, xrefs: 0041E560

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 1f8be147d6c71cb6d94941781305ef792ed34139fa22f9e5be8e0f5e09719887
Instruction ID: 3fc95c1a35c615a5e5f849bfd1eac13258ab9e3d0ad1e4915d6f7a2649194308
Opcode Fuzzy Hash: 1f8be147d6c71cb6d94941781305ef792ed34139fa22f9e5be8e0f5e09719887
Instruction Fuzzy Hash: C8B103BA908340CBD7209F25D8417ABB7E2FFC6314F18893DE99487391E7398945CB56

Function 0042FA20 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

", xrefs: 0042FC2E

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: b691a8731d522bf202b6265a6d52436cd82f5d5e5cdb790585c46ddd39a620c4
Instruction ID: 658ba1ac174fa5bbb5701e12885ae34a542f5a56f2b0a0088f48170d9bdec3c6
Opcode Fuzzy Hash: b691a8731d522bf202b6265a6d52436cd82f5d5e5cdb790585c46ddd39a620c4
Instruction Fuzzy Hash: 3681D732B083294BD714CE29E48031FB7F2ABC5710FE9857EE8989B355D3799C49874A

Function 00440080 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

KJML, xrefs: 004400B5

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: KJML
API String ID: 2994545307-719402181
Opcode ID: 7259ffcdef9f725214efaa646c572f75663b81ec1d8d44d4987743b801546b68
Instruction ID: aae6d1a70b394d6a645cc428fa98f49002b7e15d2adbf59507c2af826497a2f4
Opcode Fuzzy Hash: 7259ffcdef9f725214efaa646c572f75663b81ec1d8d44d4987743b801546b68
Instruction Fuzzy Hash: D7615C32A043119BE7108F6889C066BF7A2FFC6324F19C56FD99867392D3B9DC118789

Function 00441270 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

KJML, xrefs: 004412B5

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: KJML
API String ID: 2994545307-719402181
Opcode ID: e244f2a8e87d3e460b21e4f7baed6e80314417ee9993632ba6b3a780dab5fc2f
Instruction ID: e760da798e9f8c3b36aecf8f17f001834919442731765f360604eca841833794
Opcode Fuzzy Hash: e244f2a8e87d3e460b21e4f7baed6e80314417ee9993632ba6b3a780dab5fc2f
Instruction Fuzzy Hash: 0C51E4317083419BF714DF25C980B2BB7E2EB85314F24892EE989877B2D779DC85874A

Function 0043CCF0 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

KJML, xrefs: 0043CDB5

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: KJML
API String ID: 0-719402181
Opcode ID: 0dc06117b3de228b02055d5659d7e3ce32f1095a4e79d7dd522e666816b8b20f
Instruction ID: 496f68cfe23377eab9260d2c270221cd907e1f2a865f71cb2b0a81b68968f923
Opcode Fuzzy Hash: 0dc06117b3de228b02055d5659d7e3ce32f1095a4e79d7dd522e666816b8b20f
Instruction Fuzzy Hash: 53312771A04310ABE610AA25DCD2B3B77A9EF85708F05553EFD45A7253E239D814839A

Function 00425750 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

MXB, xrefs: 00425847

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: MXB
API String ID: 0-1840459873
Opcode ID: ee35275d9a34e9cfba15f121bff51c2194f5f762cddf232e5f5a9e99bb76435e
Instruction ID: 54d4ca953f57b671d4c7105f66cb0b494950255a10e9672882a2719077d7c472
Opcode Fuzzy Hash: ee35275d9a34e9cfba15f121bff51c2194f5f762cddf232e5f5a9e99bb76435e
Instruction Fuzzy Hash: 2921F364608711D7D710AF28DC5253BB7F4EF82374F945A49E4D58B391E3788900C7AA

Function 0042D166 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

KJML, xrefs: 0042CFDE

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: KJML
API String ID: 0-719402181
Opcode ID: 4d912743dafe993ba31acc6a73f2028d134ae53fbfd3f0bd51a5844100c7e080
Instruction ID: 67847a3a5349aee9a63f75a9970a527da163a1046884678bca3e04b8df67cf2a
Opcode Fuzzy Hash: 4d912743dafe993ba31acc6a73f2028d134ae53fbfd3f0bd51a5844100c7e080
Instruction Fuzzy Hash: 63212136E00224CFDB148FA9E84076EB372FB4A304F6640BAE54963661C7B56D02CB8D

Function 0042CB88 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

KJML, xrefs: 0042CFDE

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: KJML
API String ID: 0-719402181
Opcode ID: be72677f0557254ae2c006caf60763097e6d5860126356f8ce8e951ee76f7ba5
Instruction ID: 8c4e0110f88c6525b1dfb98fdfeb133b18489b609f9c7b6e88947239623be4d6
Opcode Fuzzy Hash: be72677f0557254ae2c006caf60763097e6d5860126356f8ce8e951ee76f7ba5
Instruction Fuzzy Hash: D611E332E00220CBCB08CF94E98067EB372FB4A304F6540AED106737A1D3B59D428B8E

Function 0042C6EF Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

KJML, xrefs: 0042C74F

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: KJML
API String ID: 0-719402181
Opcode ID: b444516c049a429139bc7508a90ee86becaec067f7104d34d86f2965549a885f
Instruction ID: cd3cacbc8958cf5f107e2a87a6df2beb37950addee7bc6a3de5f91f9843bcd83
Opcode Fuzzy Hash: b444516c049a429139bc7508a90ee86becaec067f7104d34d86f2965549a885f
Instruction Fuzzy Hash: 5C01B175A042258BCB18CF94E5D02BEB3B2BF9A300F6550AAC08973711C3789D45CF9E

Function 0040BCA0 Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303c36a8b8a7f96d8aef88ae4b684e67dca33dca7435bdac65628a68eb04069d
Instruction ID: cf0df73865c39af8a27db2e383ba25dc87e310e2f9115df183e5622b473bc3ad
Opcode Fuzzy Hash: 303c36a8b8a7f96d8aef88ae4b684e67dca33dca7435bdac65628a68eb04069d
Instruction Fuzzy Hash: F852C231518315CBC724DF18D8802ABB3E1FFC4314F298A3ED995A7395E739A855CB8A

Function 00408CCF Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b73b5924bfe455a85a47490d23da045897ae78b0f3bc012aedb3378faf647f7
Instruction ID: 54a6cfb336f66bf84700c13c4f3c183f23b49e267715de6f9c77ef82aa741379
Opcode Fuzzy Hash: 8b73b5924bfe455a85a47490d23da045897ae78b0f3bc012aedb3378faf647f7
Instruction Fuzzy Hash: CBE1887A214601CFD718CF29D99076AB7F2FB89319F09853DD88687792D738E941CB84

Function 004468B0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cd9ac2066ced0b272329e2da8c41d87b610a7086123142ec58dc8f7c729f1298
Instruction ID: 82e67363ac5e6221829c8599006bf9d2501e13bfb50ade001dc1315763ecee39
Opcode Fuzzy Hash: cd9ac2066ced0b272329e2da8c41d87b610a7086123142ec58dc8f7c729f1298
Instruction Fuzzy Hash: 119114356043128BD715DF18C480A2BB3F2FF8A750F06856EE9859B361EB34EC11CB8A

Function 004465D0 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 248cf560536bd0f856c3d7c225bda352b1c4efebd9f87163617ee6e934d05be3
Instruction ID: aae54c732809a90d8ae6e322cd7e61525f89c665e97792c335f496d5b0e9b2b5
Opcode Fuzzy Hash: 248cf560536bd0f856c3d7c225bda352b1c4efebd9f87163617ee6e934d05be3
Instruction Fuzzy Hash: 8B716935A053019BE725EF18C85063BB3F2FF96750F0A842EE9859B361EB34D854D78A

Function 004440D0 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69c76fb03af777cea5a82e1470c24e8f0bb7eac79918c91538455b79e513942b
Instruction ID: 2ba11ffb798b776aed3031428183eb572784c105051d1a1de1c36ca958a73da8
Opcode Fuzzy Hash: 69c76fb03af777cea5a82e1470c24e8f0bb7eac79918c91538455b79e513942b
Instruction Fuzzy Hash: 48812431608341ABF720CF29DC41BABB7E5EBC5324F14892EF99583392E7349840CB5A

Function 0043CAD0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e90d7c32807658e95f92c7cfd45234d21f8d32d52fafd78568e10985583fd9d
Instruction ID: c84672670c5bb5716a0cc2ab31f7185ad730eb0abbd7f71e805be12aa0488625
Opcode Fuzzy Hash: 6e90d7c32807658e95f92c7cfd45234d21f8d32d52fafd78568e10985583fd9d
Instruction Fuzzy Hash: DC513A706083009BD7009F29E892B3F77E5FB8A304F10692EF68997292D779D815C75A

Function 00405620 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428d7873da69aa17b1f5ce5c61ff9786b56280d46f6bc6ba6fbd3d452c47aa3f
Instruction ID: ed980bc96afa24b5e26d18314451e7c1ca0421191e5fa44015e2c9cef196b9a6
Opcode Fuzzy Hash: 428d7873da69aa17b1f5ce5c61ff9786b56280d46f6bc6ba6fbd3d452c47aa3f
Instruction Fuzzy Hash: 6B51BBB5A046009FC714EF18C880927B7E2FB85324F558A3EE859AB392D735EC51CF96

Function 00423490 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f45860c71b36dbb22a23d4921348e32f409014738fc3881ff55937025abfed4
Instruction ID: 12587c1bed67f0492888f70e6cdeac2b6f3692b37b66fd3888174c71f70729d8
Opcode Fuzzy Hash: 4f45860c71b36dbb22a23d4921348e32f409014738fc3881ff55937025abfed4
Instruction Fuzzy Hash: C231E575609304AFD300EF29AC41B1B77F8EF4A365F40492EF555C3281E779DA048BAA

Function 00439A90 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 0f39eb27cea14f00c24a8bede1c17dc0b1cd7fab47bffadf86192ea97af8f87a
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: F3112533B081E44EC3129D3C8400566BFA31AA7234F1D939AF4B99B2D6D6668D8A9359

Function 0042F000 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2036d31a6b2ee937928f924f2011fbd93933cf689c02acd9856b6e63cc50f44
Instruction ID: dcbec719b0fa3e57d2d6faa4261861f6dc3dd9fe3deff9abcf33c9eef83228c2
Opcode Fuzzy Hash: d2036d31a6b2ee937928f924f2011fbd93933cf689c02acd9856b6e63cc50f44
Instruction Fuzzy Hash: 080175F670071187D720AF55A4C1B27B2B86F44B08F99453ED90467343DB7EEC0986AD

Function 00406AD0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f057210bbfdcbbee2b2fe16ab6ae785ce43166e946ee8c9d9838c76897f05522
Instruction ID: fc276bcd9e57667d7c172bae2774b4717a19b0d0cc6a7e14e4dac11c02770272
Opcode Fuzzy Hash: f057210bbfdcbbee2b2fe16ab6ae785ce43166e946ee8c9d9838c76897f05522
Instruction Fuzzy Hash: 76F0E07E7552270BA610DEB59CC043BB7E6D7C5204B09543DD542E3245D575F801D1A9

Function 0043E6B0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
Instruction ID: 3cc83840e48d649ccb35d338e5301b6ba7822ca4830eba629f59ad42d1270e01
Opcode Fuzzy Hash: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
Instruction Fuzzy Hash: 7AE0CD7AB15611066764CE179801677F3E1EBD6711F8CB52ED441D3244D138C8404265

Function 00410740 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b117bfbea6400a99ddbf75ff449b5b70eac8b1f266ab9053fcde73136b554d
Instruction ID: 0057cf3667f10266d5b6785f04005e9803a65e6ac1b15eee677565dbea5d3bd8
Opcode Fuzzy Hash: e7b117bfbea6400a99ddbf75ff449b5b70eac8b1f266ab9053fcde73136b554d
Instruction Fuzzy Hash: 5BD0C918A081446796286B39DDAAE3BBABCC747244F006028E847A7291E604D8188AED

Function 0042C644 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb887095e8422a92bf6d1b7e51c50219760e700a459d1eafefdbd9c2ef3436af
Instruction ID: 6c623430e68bea02d48ecfd5536ed97dda63d07ce065cf2221a1ad66ca1e7e04
Opcode Fuzzy Hash: fb887095e8422a92bf6d1b7e51c50219760e700a459d1eafefdbd9c2ef3436af
Instruction Fuzzy Hash: F9C09BB6E0457087DB01BF55684157DB3345F07719F552439E80573243DB18F945469E

Function 0043322E Relevance: 56.1, APIs: 1, Strings: 31, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004332E4

Strings

/, xrefs: 004334B9
', xrefs: 004334F9
c, xrefs: 00433421
Y, xrefs: 00433307
a, xrefs: 004333D1
?, xrefs: 00433439
), xrefs: 004334C9
1, xrefs: 00433489
], xrefs: 00433321
R, xrefs: 004333F1
+, xrefs: 004334D9
I, xrefs: 004332FD
5, xrefs: 00433469
=, xrefs: 00433429
{, xrefs: 004333B1
Q, xrefs: 004333E1
T, xrefs: 00433311
b, xrefs: 00433391
!, xrefs: 00433509
a, xrefs: 00433331
7, xrefs: 00433479
-, xrefs: 004334A9
3, xrefs: 00433499
r, xrefs: 00433341
#, xrefs: 00433519
", xrefs: 00433521
h, xrefs: 00433381
%, xrefs: 004334E9
;, xrefs: 00433459
9, xrefs: 00433449
c, xrefs: 004333A1

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: AllocString
String ID: !$"$#$%$'$)$+$-$/$1$3$5$7$9$;$=$?$I$Q$R$T$Y$]$a$a$b$c$c$h$r${
API String ID: 2525500382-2513824458
Opcode ID: db803e73eb57c6d99aba7a560505e665c17ad81a19c08ea0f41ba71f1f78f7e5
Instruction ID: ec1a6813e2cc4ffa1bb43567f46c38aba4ccc173f8c13d6f3834154b4e0b6a17
Opcode Fuzzy Hash: db803e73eb57c6d99aba7a560505e665c17ad81a19c08ea0f41ba71f1f78f7e5
Instruction Fuzzy Hash: CF91A12150CBC28DD336863C98097DBBED15BA7224F484B9E91F98A2E3C7B54246C767

Function 00436450 Relevance: 44.0, APIs: 2, Strings: 23, Instructions: 211COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00436492
GetSystemMetrics.USER32 ref: 004364A2

Strings

.vC, xrefs: 00436847
UvC, xrefs: 00436663
|pC, xrefs: 0043671E
lsC, xrefs: 004367D9
f{C, xrefs: 004367FA
xoC, xrefs: 004366B0
,uC, xrefs: 0043668F
rmC, xrefs: 00436566
PuC, xrefs: 004366DC
`wC, xrefs: 00436852
4}C, xrefs: 004365F5
h|C, xrefs: 00436781
'nC, xrefs: 00436776
jzC, xrefs: 00436642
vC, xrefs: 00436729
}C, xrefs: 004365EA
tuC, xrefs: 00436658
QoC, xrefs: 00436708
UpC, xrefs: 00436713
X}C, xrefs: 004365DF
Z~C, xrefs: 00436873
FzC, xrefs: 004366BB
A C, xrefs: 0043645A, 00436545, 00436894, 004368AA, 004368C0, 004368D6, 004368EC, 00436902, 00436918, 0043692E, 00436944, 0043695A, 00436970, 00436986, 0043699C, 004369B2, 004369C8, 004369DE, 004369F4, 00436A0A, 00436A20, 00436A36, 00436A4C, 00436A62, 00436A78, 00436A8E, 00436AA4, 00436ABA, 00436AD0, 00436AE6, 00436AFC, 00436B12, 00436B28, 00436B3E, 00436B54, 00436B6A, 00436B80, 00436B96, 00436BAC, 00436BC2, 00436BD8

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID: vC$'nC$,uC$.vC$4}C$A C$FzC$PuC$QoC$UpC$UvC$X}C$Z~C$`wC$f{C$h|C$jzC$lsC$rmC$tuC$xoC$|pC$}C
API String ID: 4116985748-174186748
Opcode ID: 1de41a796f7c7c2945f359baaf60d5e23e1d7e1d519e82fa3b264251056bc7c6
Instruction ID: 0a8f1a278ffd458be4205ed3a482d6bf25b80cb1d2324e41d2521270be2f79d3
Opcode Fuzzy Hash: 1de41a796f7c7c2945f359baaf60d5e23e1d7e1d519e82fa3b264251056bc7c6
Instruction Fuzzy Hash: 51F126B04593C89BE775DF15C5897DBBAE5BBC6308F648E2E91C84B250C7B8014CDB8A

Function 00433B68 Relevance: 26.3, APIs: 2, Strings: 13, Instructions: 96COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00433B72
VariantInit.OLEAUT32 ref: 00433B85

Strings

m, xrefs: 00433C00
}, xrefs: 00433C60
F, xrefs: 00433C30
L, xrefs: 00433BA0
g, xrefs: 00433BD0
g, xrefs: 00433BC0
m, xrefs: 00433BB0
z, xrefs: 00433C10
u, xrefs: 00433C20
N, xrefs: 00433BF0
{, xrefs: 00433C50
}, xrefs: 00433C40
d, xrefs: 00433BE0

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: F$L$N$d$g$g$m$m$u$z${$}$}
API String ID: 2610073882-4216798751
Opcode ID: 9b2272d1c2637700aef6298ac09221ce17400ed7ccb67fd97863bc5ac1f88d49
Instruction ID: 6d437fe010267870698063eaedda02719b7ac4a53ee0bb3831a6a63f692259f6
Opcode Fuzzy Hash: 9b2272d1c2637700aef6298ac09221ce17400ed7ccb67fd97863bc5ac1f88d49
Instruction Fuzzy Hash: 9B51293154C3C28AE335DA28C4587EFBED15B92308F098D6DC4DD5B682D7BA0548D763

Function 0043435E Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00434368
VariantInit.OLEAUT32 ref: 0043437B

Strings

k, xrefs: 0043440E
a, xrefs: 004343DE
., xrefs: 00434406
Q, xrefs: 00434396
e, xrefs: 004343FE
i, xrefs: 0043441E
s, xrefs: 0043444E
c, xrefs: 004343CE
o, xrefs: 0043442E
r, xrefs: 00434446
g, xrefs: 004343EE
m, xrefs: 0043443E

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: .$Q$a$c$e$g$i$k$m$o$r$s
API String ID: 2610073882-439072438
Opcode ID: 7074daab4ed169e7569e339999eefcd785e9f2a5b70f89b33a64958011d00b3f
Instruction ID: a4b1fb7a3ba408c63527201464c1baa79c0f6012301206869f4e40615d8653b3
Opcode Fuzzy Hash: 7074daab4ed169e7569e339999eefcd785e9f2a5b70f89b33a64958011d00b3f
Instruction Fuzzy Hash: 3641486100D7C18EE3719B7898987DBBFD0ABA6314F084EAED0D89B382C67941488727

Function 004341ED Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 82COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004341F7
VariantInit.OLEAUT32 ref: 0043420A

Strings

), xrefs: 0043424F
+, xrefs: 00434259
3, xrefs: 00434231
/, xrefs: 00434245
!, xrefs: 00434277
%, xrefs: 00434263
1, xrefs: 00434227
-, xrefs: 0043423B
#, xrefs: 00434281
', xrefs: 0043426D

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$+$-$/$1$3
API String ID: 2610073882-2331977360
Opcode ID: 4b2ff6a19490661dd97030cd7318d2a4d61e6c7925bc5b0f44817881ddce85e1
Instruction ID: 084519ba09f15f54216546a2bc129c5999e7b13f9af0ad8356666cc8c042fcba
Opcode Fuzzy Hash: 4b2ff6a19490661dd97030cd7318d2a4d61e6c7925bc5b0f44817881ddce85e1
Instruction Fuzzy Hash: 2541056000C7C19AD3629B38948835BBFE15BA7228F485A9DF1E50B3E2C3768109CB57

Function 00434034 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 75COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043403E
VariantInit.OLEAUT32 ref: 00434051

Strings

-, xrefs: 00434082
!, xrefs: 004340BE
), xrefs: 00434096
3, xrefs: 00434078
/, xrefs: 0043408C
#, xrefs: 004340C8
%, xrefs: 004340AA
1, xrefs: 0043406E
+, xrefs: 004340A0
', xrefs: 004340B4

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$%$'$)$+$-$/$1$3
API String ID: 2610073882-2331977360
Opcode ID: 1a20efacf0e195b30e754bf8a711b6bddaf53a2e7060570804146ab8a04217dc
Instruction ID: f8a351fd608090bec9361875ee0b16c1ea26082387d95b7d0fc6e22f3608a586
Opcode Fuzzy Hash: 1a20efacf0e195b30e754bf8a711b6bddaf53a2e7060570804146ab8a04217dc
Instruction Fuzzy Hash: 7541D47000C7C19AD362DB38948835ABFE15BA7228F481A9DF5E54B3E2C3768549CB57

Function 0043359C Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 85COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004335AD

Strings

S, xrefs: 004335F5
W, xrefs: 00433609
Q, xrefs: 004335FF
U, xrefs: 00433613
o, xrefs: 004335E1
k, xrefs: 004335CD
i, xrefs: 004335D7
V, xrefs: 0043360E
m, xrefs: 004335EB

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitVariant
String ID: Q$S$U$V$W$i$k$m$o
API String ID: 1927566239-286780673
Opcode ID: 9cb09c364e5b36dec20ad39ce086e80b3f9db0063f4d46314c7ffdaba325edd6
Instruction ID: 50e60367779120f07c3bb968cef5a4fc575c46cc91a9ebde744b89d391a95e3b
Opcode Fuzzy Hash: 9cb09c364e5b36dec20ad39ce086e80b3f9db0063f4d46314c7ffdaba325edd6
Instruction Fuzzy Hash: 1A418D7290CBD08ED3219B38C48938FBFD1AB96318F194A5EE4E897392C7788544CB53

Function 0043C952 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0043C95B
SysFreeString.OLEAUT32(?), ref: 0043C960
SysFreeString.OLEAUT32(?), ref: 0043C979
SysFreeString.OLEAUT32(?), ref: 0043C97E

Memory Dump Source

Source File: 00000002.00000002.1860797359.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 7513e40abce2683c0f9875052ac9dd6cda1d204f60d4def54d90547febcd212e
Instruction ID: b96013b1363d6de582764c9147e42d707290ad78c484f990cbbe7c665502bef7
Opcode Fuzzy Hash: 7513e40abce2683c0f9875052ac9dd6cda1d204f60d4def54d90547febcd212e
Instruction Fuzzy Hash: 05D0E935050A44EBCB227B61DE058067BB2FFC57553164838E155134318775F835DF45

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Solara.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Solara.exe.log

C:\Users\user\AppData\Roaming\msvcp110.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Solara.exe

Function 6CEF9710 Relevance: 32.6, APIs: 15, Strings: 3, Instructions: 1063
filememoryCOMMON

Function 6CEFAEB0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 337
COMMON

Function 6CF0E2AE Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CF0E35E Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6CF0E1A7 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CF160C1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON