Edit tour

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name:	Loader.exe
Analysis ID:	1465166
MD5:	edda8f53633b4ea2270424b850d700bf
SHA1:	d1cb6ed8d18f40ed4fafd70a70c8168396912f45
SHA256:	bb8fd576341c8f75f014515016614c9b84505d2704fe3e960c32afebab2c19b0
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Loader.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: EDDA8F53633B4EA2270424B850D700BF)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 7452 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["deadtrainingactioniw.xyz", "qualificationjdwko.xyz", "grandcommonyktsju.xyz", "wordingnatturedowo.xyz", "crisisrottenyjs.xyz", "sweetcalcutangkdow.xyz", "cooperatvassquaidmew.xyz", "exuberanttjdkwo.xyz", "crisisrottenyjs.xyz"], "Build id": "LPnhqo--@fondnesssw"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Loader.exe PID: 7336	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Snort Signatures

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exuberanttjdkwo .xyz) - Source IP: 192.168.2.9 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-12:00:10.337833
SID:	2054131
Source Port:	50034
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (grandcommonyktsju .xyz) - Source IP: 192.168.2.9 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-12:00:10.444343
SID:	2054121
Source Port:	55685
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (cooperatvassquaidmew .xyz) - Source IP: 192.168.2.9 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-12:00:10.368659
SID:	2054129
Source Port:	61762
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (qualificationjdwko .xyz) - Source IP: 192.168.2.9 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-12:00:10.563116
SID:	2054119
Source Port:	57788
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (deadtrainingactioniw .xyz) - Source IP: 192.168.2.9 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-12:00:10.575107
SID:	2054117
Source Port:	58515
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wordingnatturedowo .xyz) - Source IP: 192.168.2.9 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-12:00:10.405895
SID:	2054123
Source Port:	51384
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (crisisrottenyjs .xyz) - Source IP: 192.168.2.9 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-12:00:10.230604
SID:	2054125
Source Port:	50884
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (sweetcalcutangkdow .xyz) - Source IP: 192.168.2.9 - Destination IP: 1.1.1.1

Timestamp:	07/01/24-12:00:10.385037
SID:	2054127
Source Port:	55520
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Loader.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://qualificationjdwko.xyz/api	Avira URL Cloud: Label: malware
Source: https://sweetcalcutangkdow.xyz/api	Avira URL Cloud: Label: malware
Source: https://exuberanttjdkwo.xyz/api	Avira URL Cloud: Label: malware
Source: https://cooperatvassquaidmew.xyz/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.aspnet_regiis.exe.550000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["deadtrainingactioniw.xyz", "qualificationjdwko.xyz", "grandcommonyktsju.xyz", "wordingnatturedowo.xyz", "crisisrottenyjs.xyz", "sweetcalcutangkdow.xyz", "cooperatvassquaidmew.xyz", "exuberanttjdkwo.xyz", "crisisrottenyjs.xyz"], "Build id": "LPnhqo--@fondnesssw"}

Multi AV Scanner detection for domain / URL

Source: https://qualificationjdwko.xyz/api	Virustotal: Detection: 6%	Perma Link
Source: https://sweetcalcutangkdow.xyz/api	Virustotal: Detection: 7%	Perma Link
Source: https://exuberanttjdkwo.xyz/api	Virustotal: Detection: 6%	Perma Link
Source: https://cooperatvassquaidmew.xyz/api	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9.dll

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: Loader.exe	Virustotal: Detection: 72%			Perma Link
Source: Loader.exe	ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Loader.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: deadtrainingactioniw.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: qualificationjdwko.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: grandcommonyktsju.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: wordingnatturedowo.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: crisisrottenyjs.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: sweetcalcutangkdow.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: cooperatvassquaidmew.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: exuberanttjdkwo.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: crisisrottenyjs.xyz
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--@fondnesssw

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_6D331178 FindFirstFileExW,

0_2_6D331178

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 00D23749h	3_2_00587090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00587090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00587090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edi], ax	3_2_00563F6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, word ptr [edi+esi*4]	3_2_00558170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then lea eax, dword ptr [edi+04h]	3_2_00571135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ecx+edx*8], 3BEBD150h	3_2_00584934
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, dword ptr [esi]	3_2_005889DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_0055D1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	3_2_005891FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp esi	3_2_0058A192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [edi+ebx+01h], 00000000h	3_2_0056CA4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [ebx+edi+01h], 00000000h	3_2_00563A7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [ebx+edi+01h], 00000000h	3_2_00563A7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp esi	3_2_0058A260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp edx	3_2_00571A15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	3_2_00570239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esi+40h]	3_2_00577239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00586A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	3_2_00566340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 0850A6E6h	3_2_0058BB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_00573329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_0056E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp edx	3_2_00571BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then inc ebx	3_2_00565390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00575BB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_005763BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0057644B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then inc eax	3_2_00562470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then xor eax, eax	3_2_0056D413
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], B33E16A3h	3_2_00586CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000890h]	3_2_0056E4F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0057638D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_0056E490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, dword ptr [esp+5Ch]	3_2_00566CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00574D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_00572D7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	3_2_00562D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, dword ptr [esi+04h]	3_2_00573517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0056551E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	3_2_00563500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [ebx+edi+01h], 00000000h	3_2_00563D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	3_2_005635C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_0056FDFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, eax	3_2_005535A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esi+40h]	3_2_00577602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, word ptr [edx]	3_2_00587E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp esi	3_2_0058A630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp+24h], 0000005Ch	3_2_00584695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00582680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp+18h]	3_2_0055FE8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	3_2_00551755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edi], ax	3_2_00564F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00553760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then lea eax, dword ptr [eax+eax*4]	3_2_00558F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then or ebp, 04h	3_2_0055171B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], dl	3_2_00576704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	3_2_00559F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00575FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add ecx, 03h	3_2_00573FBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esi], ebp	3_2_00551FA0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2054125 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (crisisrottenyjs .xyz) 192.168.2.9:50884 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054131 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exuberanttjdkwo .xyz) 192.168.2.9:50034 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054129 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (cooperatvassquaidmew .xyz) 192.168.2.9:61762 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054127 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (sweetcalcutangkdow .xyz) 192.168.2.9:55520 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054123 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wordingnatturedowo .xyz) 192.168.2.9:51384 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054121 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (grandcommonyktsju .xyz) 192.168.2.9:55685 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054119 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (qualificationjdwko .xyz) 192.168.2.9:57788 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2054117 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (deadtrainingactioniw .xyz) 192.168.2.9:58515 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: deadtrainingactioniw.xyz
Source: Malware configuration extractor	URLs: qualificationjdwko.xyz
Source: Malware configuration extractor	URLs: grandcommonyktsju.xyz
Source: Malware configuration extractor	URLs: wordingnatturedowo.xyz
Source: Malware configuration extractor	URLs: crisisrottenyjs.xyz
Source: Malware configuration extractor	URLs: sweetcalcutangkdow.xyz
Source: Malware configuration extractor	URLs: cooperatvassquaidmew.xyz
Source: Malware configuration extractor	URLs: exuberanttjdkwo.xyz
Source: Malware configuration extractor	URLs: crisisrottenyjs.xyz

Performs DNS queries to domains with low reputation

Source:	DNS query: crisisrottenyjs.xyz
Source:	DNS query: exuberanttjdkwo.xyz
Source:	DNS query: cooperatvassquaidmew.xyz
Source:	DNS query: sweetcalcutangkdow.xyz
Source:	DNS query: wordingnatturedowo.xyz
Source:	DNS query: grandcommonyktsju.xyz
Source:	DNS query: qualificationjdwko.xyz
Source:	DNS query: deadtrainingactioniw.xyz

Source: unknown	DNS traffic detected: query: grandcommonyktsju.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: deadtrainingactioniw.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sweetcalcutangkdow.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crisisrottenyjs.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wordingnatturedowo.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cooperatvassquaidmew.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: exuberanttjdkwo.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qualificationjdwko.xyz replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: crisisrottenyjs.xyz
Source: global traffic	DNS traffic detected: DNS query: exuberanttjdkwo.xyz
Source: global traffic	DNS traffic detected: DNS query: cooperatvassquaidmew.xyz
Source: global traffic	DNS traffic detected: DNS query: sweetcalcutangkdow.xyz
Source: global traffic	DNS traffic detected: DNS query: wordingnatturedowo.xyz
Source: global traffic	DNS traffic detected: DNS query: grandcommonyktsju.xyz
Source: global traffic	DNS traffic detected: DNS query: qualificationjdwko.xyz
Source: global traffic	DNS traffic detected: DNS query: deadtrainingactioniw.xyz

Source: aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cooperatvassquaidmew.xyz/
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cooperatvassquaidmew.xyz/api
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisisrottenyjs.xyz/api
Source: aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deadtrainingactioniw.xyz/
Source: aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deadtrainingactioniw.xyz/0
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deadtrainingactioniw.xyz/api
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://exuberanttjdkwo.xyz/api
Source: aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grandcommonyktsju.xyz/
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grandcommonyktsju.xyz/api
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grandcommonyktsju.xyz/apiz?
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qualificationjdwko.xyz/
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qualificationjdwko.xyz/7
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qualificationjdwko.xyz/A
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qualificationjdwko.xyz/api
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qualificationjdwko.xyz/apidO
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qualificationjdwko.xyz/apizC
Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sweetcalcutangkdow.xyz/
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sweetcalcutangkdow.xyz/api
Source: aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sweetcalcutangkdow.xyz/apiz9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_0057ED60 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_0057ED60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_0057ED60 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_0057ED60

System Summary

PE file contains section with special chars

Source: Loader.exe

Static PE information: section name: "GT]\

PE file has nameless sections

Source: Loader.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_6D322ED0 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,

0_2_6D322ED0

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_6D321090	0_2_6D321090
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_6D323750	0_2_6D323750
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_6D322ED0	0_2_6D322ED0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_6D32BC40	0_2_6D32BC40
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_6D337715	0_2_6D337715
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_6D3233E0	0_2_6D3233E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0055F070	3_2_0055F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00551000	3_2_00551000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00587090	3_2_00587090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00558170	3_2_00558170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00567171	3_2_00567171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00571135	3_2_00571135
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0058A192	3_2_0058A192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_005749A0	3_2_005749A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0058C250	3_2_0058C250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00555A40	3_2_00555A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0056CA4C	3_2_0056CA4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0058A260	3_2_0058A260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00571A15	3_2_00571A15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00570239	3_2_00570239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00553AA0	3_2_00553AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00576BF9	3_2_00576BF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00575BEA	3_2_00575BEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0056D413	3_2_0056D413
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00570C00	3_2_00570C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00556CB0	3_2_00556CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00566CB0	3_2_00566CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00554540	3_2_00554540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00572D7E	3_2_00572D7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0056F511	3_2_0056F511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00577DF3	3_2_00577DF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0058A630	3_2_0058A630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00554F50	3_2_00554F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0058A740	3_2_0058A740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_0058BF40	3_2_0058BF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00558F60	3_2_00558F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_2_00556780	3_2_00556780

Source: C:\Users\user\Desktop\Loader.exe	Code function: String function: 6D32CCA0 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 00559550 appears 149 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 00558C40 appears 45 times

Source: Loader.exe, 00000000.00000000.1370386916.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCosmicEdge40765084938.exeT vs Loader.exe
Source: Loader.exe, 00000000.00000002.1387171648.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Loader.exe
Source: Loader.exe	Binary or memory string: OriginalFilenameCosmicEdge40765084938.exeT vs Loader.exe

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Loader.exe

Static PE information: Section: "GT]\ ZLIB complexity 1.0003398362810707

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/2@8/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_0057C16B CoCreateInstance,

3_2_0057C16B

Source: C:\Users\user\Desktop\Loader.exe

File created: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03

Source: Loader.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Loader.exe	Virustotal: Detection: 72%
Source: Loader.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Loader.exe

Unpacked PE file: 0.2.Loader.exe.c70000.0.unpack "GT]\:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: Loader.exe	Static PE information: section name: "GT]\
Source: Loader.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_6D337E44 push ecx; ret

0_2_6D337E57

Source: Loader.exe

Static PE information: section name: "GT]\ entropy: 7.999307018864717

Source: C:\Users\user\Desktop\Loader.exe

File created: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Loader.exe PID: 7336, type: MEMORYSTR

Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 1340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 16B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 56C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 66C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 67F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 77F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 7B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 8B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 9B40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Loader.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7476	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_6D331178 FindFirstFileExW,

0_2_6D331178

Source: C:\Users\user\Desktop\Loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 3_2_00588AA0 LdrInitializeThunk,

3_2_00588AA0

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_6D32CB2A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6D32CB2A

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_6D33289B GetProcessHeap,

0_2_6D33289B

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_6D32CB2A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D32CB2A
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_6D32C651 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6D32C651
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_6D330AC7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D330AC7

Source: C:\Users\user\Desktop\Loader.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_6D323750 HonorInc,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

0_2_6D323750

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: deadtrainingactioniw.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: qualificationjdwko.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: grandcommonyktsju.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: wordingnatturedowo.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: crisisrottenyjs.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: sweetcalcutangkdow.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: cooperatvassquaidmew.xyz
Source: Loader.exe, 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: exuberanttjdkwo.xyz

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 551000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 58D000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 590000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 5A2000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A6008	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_6D32CCE8 cpuid

0_2_6D32CCE8

Source: C:\Users\user\Desktop\Loader.exe

Queries volume information: C:\Users\user\Desktop\Loader.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_6D32C773 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6D32C773

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Loader.exe	73%	Virustotal		Browse
Loader.exe	79%	ReversingLabs	Win32.Spyware.Lummastealer
Loader.exe	100%	Avira	HEUR/AGEN.1311437
Loader.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\d3d9.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\d3d9.dll	58%	ReversingLabs	Win32.Trojan.LummaStealer

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
deadtrainingactioniw.xyz	1%	Virustotal	Browse
qualificationjdwko.xyz	1%	Virustotal	Browse
sweetcalcutangkdow.xyz	1%	Virustotal	Browse
cooperatvassquaidmew.xyz	1%	Virustotal	Browse
exuberanttjdkwo.xyz	1%	Virustotal	Browse
crisisrottenyjs.xyz	1%	Virustotal	Browse
wordingnatturedowo.xyz	1%	Virustotal	Browse
grandcommonyktsju.xyz	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://sweetcalcutangkdow.xyz/	0%	Avira URL Cloud	safe
https://cooperatvassquaidmew.xyz/	0%	Avira URL Cloud	safe
https://sweetcalcutangkdow.xyz/	0%	Virustotal		Browse
https://qualificationjdwko.xyz/api	100%	Avira URL Cloud	malware
https://sweetcalcutangkdow.xyz/api	100%	Avira URL Cloud	malware
grandcommonyktsju.xyz	0%	Avira URL Cloud	safe
https://sweetcalcutangkdow.xyz/apiz9	0%	Avira URL Cloud	safe
https://exuberanttjdkwo.xyz/api	100%	Avira URL Cloud	malware
https://qualificationjdwko.xyz/api	6%	Virustotal		Browse
cooperatvassquaidmew.xyz	0%	Avira URL Cloud	safe
https://grandcommonyktsju.xyz/	0%	Avira URL Cloud	safe
https://sweetcalcutangkdow.xyz/api	7%	Virustotal		Browse
exuberanttjdkwo.xyz	0%	Avira URL Cloud	safe
cooperatvassquaidmew.xyz	1%	Virustotal		Browse
qualificationjdwko.xyz	0%	Avira URL Cloud	safe
grandcommonyktsju.xyz	0%	Virustotal		Browse
https://exuberanttjdkwo.xyz/api	6%	Virustotal		Browse
https://cooperatvassquaidmew.xyz/	0%	Virustotal		Browse
https://grandcommonyktsju.xyz/	0%	Virustotal		Browse
https://deadtrainingactioniw.xyz/api	0%	Avira URL Cloud	safe
qualificationjdwko.xyz	1%	Virustotal		Browse
https://grandcommonyktsju.xyz/api	0%	Avira URL Cloud	safe
https://qualificationjdwko.xyz/apidO	0%	Avira URL Cloud	safe
https://qualificationjdwko.xyz/A	0%	Avira URL Cloud	safe
https://grandcommonyktsju.xyz/apiz?	0%	Avira URL Cloud	safe
exuberanttjdkwo.xyz	1%	Virustotal		Browse
https://qualificationjdwko.xyz/	0%	Avira URL Cloud	safe
https://deadtrainingactioniw.xyz/api	4%	Virustotal		Browse
https://deadtrainingactioniw.xyz/0	0%	Avira URL Cloud	safe
https://crisisrottenyjs.xyz/api	0%	Avira URL Cloud	safe
https://grandcommonyktsju.xyz/api	4%	Virustotal		Browse
wordingnatturedowo.xyz	0%	Avira URL Cloud	safe
https://qualificationjdwko.xyz/7	0%	Avira URL Cloud	safe
https://cooperatvassquaidmew.xyz/api	100%	Avira URL Cloud	malware
https://deadtrainingactioniw.xyz/	0%	Avira URL Cloud	safe
https://qualificationjdwko.xyz/	0%	Virustotal		Browse
deadtrainingactioniw.xyz	0%	Avira URL Cloud	safe
https://crisisrottenyjs.xyz/api	4%	Virustotal		Browse
crisisrottenyjs.xyz	0%	Avira URL Cloud	safe
https://cooperatvassquaidmew.xyz/api	6%	Virustotal		Browse
https://qualificationjdwko.xyz/apizC	0%	Avira URL Cloud	safe
wordingnatturedowo.xyz	1%	Virustotal		Browse
sweetcalcutangkdow.xyz	0%	Avira URL Cloud	safe
crisisrottenyjs.xyz	1%	Virustotal		Browse
https://deadtrainingactioniw.xyz/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
qualificationjdwko.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
crisisrottenyjs.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
deadtrainingactioniw.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
grandcommonyktsju.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
cooperatvassquaidmew.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
sweetcalcutangkdow.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
exuberanttjdkwo.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown
wordingnatturedowo.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
grandcommonyktsju.xyz	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
cooperatvassquaidmew.xyz	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
exuberanttjdkwo.xyz	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
qualificationjdwko.xyz	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
wordingnatturedowo.xyz	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
deadtrainingactioniw.xyz	true	Avira URL Cloud: safe	unknown
crisisrottenyjs.xyz	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
sweetcalcutangkdow.xyz	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sweetcalcutangkdow.xyz/	aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cooperatvassquaidmew.xyz/	aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://qualificationjdwko.xyz/api	aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://sweetcalcutangkdow.xyz/api	aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://sweetcalcutangkdow.xyz/apiz9	aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://exuberanttjdkwo.xyz/api	aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://grandcommonyktsju.xyz/	aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://deadtrainingactioniw.xyz/api	aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://grandcommonyktsju.xyz/api	aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://qualificationjdwko.xyz/apidO	aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://qualificationjdwko.xyz/A	aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grandcommonyktsju.xyz/apiz?	aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://qualificationjdwko.xyz/	aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://crisisrottenyjs.xyz/api	aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://deadtrainingactioniw.xyz/0	aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://qualificationjdwko.xyz/7	aspnet_regiis.exe, 00000003.00000002.1383006597.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.00000000005FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cooperatvassquaidmew.xyz/api	aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://deadtrainingactioniw.xyz/	aspnet_regiis.exe, 00000003.00000003.1382509177.0000000000624000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.1383027287.0000000000624000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://qualificationjdwko.xyz/apizC	aspnet_regiis.exe, 00000003.00000002.1383027287.000000000060D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1382384827.000000000060D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465166
Start date and time:	2024-07-01 11:59:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/2@8/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 17 Number of non-executed functions: 85
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
06:00:09	API Interceptor	2x Sleep call for process: aspnet_regiis.exe modified

Process:	C:\Users\user\Desktop\Loader.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\d3d9.dll

Download File

Process:	C:\Users\user\Desktop\Loader.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440320
Entropy (8bit):	6.951373265521596
Encrypted:	false
SSDEEP:	12288:4pYXcezO1zLj1KXu4HYkmhrvHfOa3rHk2i4je:VXWiemnmhr/Oa3zk2i4je
MD5:	7A74C48C7D0FF3C094E5FF5CBFEE32BA
SHA1:	D92E038971C0C7AD44878A795428E157FD987B08
SHA-256:	E5F29466C1187FA88876FD5FAE1CE988CA069612A0D3616C267ED1D9C684F9B9
SHA-512:	709E16799C2003CC3716199C3909EC3E1CB509877D0EC571A6AFE11BC090D993E035BDC7E2B39BEC69BCFDF33EED626CE03149763824BCB33FCDCAA3557F5087
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.)...GQ..GQ..GQL.DP..GQL.BP..GQL.CP..GQL.FP..GQ z<Q..GQ..FQe.GQ.=BP..GQ.=CP..GQ.=DP..GQ..GQ..GQj=GP..GQj=EP..GQRich..GQ........................PE..L.....}f...........!...&.r...L............................................................@.............................x...x...<................................... ...............................`...@...............P............................text....p.......r.................. ..`.rdata...d.......f...v..............@..@.data...T...........................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.3280468055909305
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Loader.exe
File size:	419'840 bytes
MD5:	edda8f53633b4ea2270424b850d700bf
SHA1:	d1cb6ed8d18f40ed4fafd70a70c8168396912f45
SHA256:	bb8fd576341c8f75f014515016614c9b84505d2704fe3e960c32afebab2c19b0
SHA512:	62637cebf5931eb6c9df407cf82ee37ad2ac6c335dd00cb2c152e9bf6df496875b9740e9862084ac5e7cb1c7c2b3630d6ae764c1efa8ba1e8cc3b2c4366eecc8
SSDEEP:	12288:jfS5v+TGic+7Lq0W4iHIkSZ96dY4NPj49KQ6appN3vgM4d4L2rW48mX8:bS5aTc+fHiokSZQ
TLSH:	9094B4DCB56076DFC867D462DEB82CA8EA6075BB932F4203912715ADDA0C897CF140F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}f.................D... ...........@... ....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46e00a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x667D0C86 [Thu Jun 27 06:53:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [0046E000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x447e4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6a000	0x708	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6e000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x44000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
"GT]\	0x2000	0x415a0	0x41600	19c8e2e581877a08584ccfb85da11e85	False	1.0003398362810707	data	7.999307018864717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x44000	0x24148	0x24200	595a7af8b52fe53451d2e840cc15346b	False	0.3641800929930796	data	4.658647890992144	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6a000	0x708	0x800	627dcae02794fcc58a3e2ad6057b0ec0	False	0.373046875	data	3.8045470753302264	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6c000	0xc	0x200	03b4a7742d43ef56ec303d17318ca02e	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x6e000	0x10	0x200	e88e96fdc3c61391a0140a395536d408	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6a0a0	0x478	data			0.40384615384615385
RT_MANIFEST	0x6a518	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/01/24-12:00:10.337833	UDP	2054131	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exuberanttjdkwo .xyz)	50034	53	192.168.2.9	1.1.1.1
07/01/24-12:00:10.444343	UDP	2054121	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (grandcommonyktsju .xyz)	55685	53	192.168.2.9	1.1.1.1
07/01/24-12:00:10.368659	UDP	2054129	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (cooperatvassquaidmew .xyz)	61762	53	192.168.2.9	1.1.1.1
07/01/24-12:00:10.563116	UDP	2054119	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (qualificationjdwko .xyz)	57788	53	192.168.2.9	1.1.1.1
07/01/24-12:00:10.575107	UDP	2054117	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (deadtrainingactioniw .xyz)	58515	53	192.168.2.9	1.1.1.1
07/01/24-12:00:10.405895	UDP	2054123	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (wordingnatturedowo .xyz)	51384	53	192.168.2.9	1.1.1.1
07/01/24-12:00:10.230604	UDP	2054125	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (crisisrottenyjs .xyz)	50884	53	192.168.2.9	1.1.1.1
07/01/24-12:00:10.385037	UDP	2054127	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (sweetcalcutangkdow .xyz)	55520	53	192.168.2.9	1.1.1.1

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 12:00:10.230603933 CEST	50884	53	192.168.2.9	1.1.1.1
Jul 1, 2024 12:00:10.333440065 CEST	53	50884	1.1.1.1	192.168.2.9
Jul 1, 2024 12:00:10.337832928 CEST	50034	53	192.168.2.9	1.1.1.1
Jul 1, 2024 12:00:10.365691900 CEST	53	50034	1.1.1.1	192.168.2.9
Jul 1, 2024 12:00:10.368659019 CEST	61762	53	192.168.2.9	1.1.1.1
Jul 1, 2024 12:00:10.383558035 CEST	53	61762	1.1.1.1	192.168.2.9
Jul 1, 2024 12:00:10.385036945 CEST	55520	53	192.168.2.9	1.1.1.1
Jul 1, 2024 12:00:10.402679920 CEST	53	55520	1.1.1.1	192.168.2.9
Jul 1, 2024 12:00:10.405894995 CEST	51384	53	192.168.2.9	1.1.1.1
Jul 1, 2024 12:00:10.436476946 CEST	53	51384	1.1.1.1	192.168.2.9
Jul 1, 2024 12:00:10.444343090 CEST	55685	53	192.168.2.9	1.1.1.1
Jul 1, 2024 12:00:10.471892118 CEST	53	55685	1.1.1.1	192.168.2.9
Jul 1, 2024 12:00:10.563116074 CEST	57788	53	192.168.2.9	1.1.1.1
Jul 1, 2024 12:00:10.573378086 CEST	53	57788	1.1.1.1	192.168.2.9
Jul 1, 2024 12:00:10.575107098 CEST	58515	53	192.168.2.9	1.1.1.1
Jul 1, 2024 12:00:10.585148096 CEST	53	58515	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 12:00:10.230603933 CEST	192.168.2.9	1.1.1.1	0x6ef2	Standard query (0)	crisisrottenyjs.xyz	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.337832928 CEST	192.168.2.9	1.1.1.1	0x36c1	Standard query (0)	exuberanttjdkwo.xyz	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.368659019 CEST	192.168.2.9	1.1.1.1	0x53d9	Standard query (0)	cooperatvassquaidmew.xyz	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.385036945 CEST	192.168.2.9	1.1.1.1	0xe488	Standard query (0)	sweetcalcutangkdow.xyz	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.405894995 CEST	192.168.2.9	1.1.1.1	0xd977	Standard query (0)	wordingnatturedowo.xyz	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.444343090 CEST	192.168.2.9	1.1.1.1	0x6304	Standard query (0)	grandcommonyktsju.xyz	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.563116074 CEST	192.168.2.9	1.1.1.1	0xdd95	Standard query (0)	qualificationjdwko.xyz	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.575107098 CEST	192.168.2.9	1.1.1.1	0x1586	Standard query (0)	deadtrainingactioniw.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 12:00:10.333440065 CEST	1.1.1.1	192.168.2.9	0x6ef2	Name error (3)	crisisrottenyjs.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.365691900 CEST	1.1.1.1	192.168.2.9	0x36c1	Name error (3)	exuberanttjdkwo.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.383558035 CEST	1.1.1.1	192.168.2.9	0x53d9	Name error (3)	cooperatvassquaidmew.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.402679920 CEST	1.1.1.1	192.168.2.9	0xe488	Name error (3)	sweetcalcutangkdow.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.436476946 CEST	1.1.1.1	192.168.2.9	0xd977	Name error (3)	wordingnatturedowo.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.471892118 CEST	1.1.1.1	192.168.2.9	0x6304	Name error (3)	grandcommonyktsju.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.573378086 CEST	1.1.1.1	192.168.2.9	0xdd95	Name error (3)	qualificationjdwko.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 12:00:10.585148096 CEST	1.1.1.1	192.168.2.9	0x1586	Name error (3)	deadtrainingactioniw.xyz	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:00:08
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0xc70000
File size:	419'840 bytes
MD5 hash:	EDDA8F53633B4EA2270424B850D700BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:00:08
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:00:08
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x7c0000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.2%
Total number of Nodes:	1844
Total number of Limit Nodes:	32

Executed Functions

Function 6D323750 Relevance: 92.0, APIs: 25, Strings: 23, Instructions: 7972injectionmemorythreadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(?,?,?,?,?,?,?,?,?), ref: 6D325E5D
ShowWindow.USER32 ref: 6D325E73
CreateProcessW.KERNELBASE ref: 6D3299AD
VirtualAlloc.KERNELBASE ref: 6D329A83
VirtualAllocEx.KERNELBASE ref: 6D329BF0
VirtualAllocEx.KERNELBASE ref: 6D329DB2
WriteProcessMemory.KERNELBASE ref: 6D329E9F
WriteProcessMemory.KERNELBASE ref: 6D32A0C7
ReadProcessMemory.KERNEL32 ref: 6D32AAEE
WriteProcessMemory.KERNEL32 ref: 6D32ABD1
WriteProcessMemory.KERNELBASE ref: 6D32AEB4
Wow64SetThreadContext.KERNEL32 ref: 6D32AF04
ResumeThread.KERNELBASE ref: 6D32AF19
CloseHandle.KERNEL32 ref: 6D32B087
CloseHandle.KERNEL32 ref: 6D32B09B
GetConsoleWindow.KERNEL32 ref: 6D32B248
ShowWindow.USER32 ref: 6D32B25E
VirtualAlloc.KERNEL32 ref: 6D32B8E7
VirtualAllocEx.KERNEL32 ref: 6D32B97A
WriteProcessMemory.KERNEL32 ref: 6D32B9D3
WriteProcessMemory.KERNEL32 ref: 6D32BB34
WriteProcessMemory.KERNEL32 ref: 6D32BB8C
SetThreadContext.KERNEL32 ref: 6D32BBDC
ResumeThread.KERNEL32 ref: 6D32BBF1

Strings

#xL, xrefs: 6D328035
^~R, xrefs: 6D32660B
AXs, xrefs: 6D32B143
Hp+, xrefs: 6D326359
@, xrefs: 6D32B972
=%h, xrefs: 6D32BC2A
MZx, xrefs: 6D3294CB, 6D3294ED, 6D32B835, 6D32B857
L7Ho, xrefs: 6D32A9AE
x?ZQ, xrefs: 6D32A88D
!/_, xrefs: 6D325F2F
$~V, xrefs: 6D326990
$I\D, xrefs: 6D326C44
kernel32.dll, xrefs: 6D325E79, 6D32B264
Z#Il, xrefs: 6D328451
$I\D, xrefs: 6D326C95
]n?S, xrefs: 6D327945
\:, xrefs: 6D326C49
=%h, xrefs: 6D32B1C8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6D3297A1
D, xrefs: 6D329750
fAACDxAijcIREAGiOgnTh/zV4lkQA6KofAACDxAijmJZEAOgtAwAAiw0EbEQAus33yyUzFQxsRAAB0UH/4Q+2wIsEhRBsRAC50FG88DMNGGxEAAHBQTHA/+GhKGxEALkJl, xrefs: 6D3249D5, 6D328644, 6D328695
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6D329823, 6D32B89D
ntdll.dll, xrefs: 6D325E8D, 6D32B278

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: Process$Memory$Write$AllocVirtual$ThreadWindow$CloseConsoleContextHandleResumeShow$CreateReadWow64
String ID: $~V$!/_$Hp+$#xL$$I\D$$I\D$@$AXs$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$L7Ho$MZx$Z#Il$]n?S$^~R$fAACDxAijcIREAGiOgnTh/zV4lkQA6KofAACDxAijmJZEAOgtAwAAiw0EbEQAus33yyUzFQxsRAAB0UH/4Q+2wIsEhRBsRAC50FG88DMNGGxEAAHBQTHA/+GhKGxEALkJl$kernel32.dll$ntdll.dll$x?ZQ$=%h$=%h$\:
API String ID: 3290418030-1524399179
Opcode ID: 66aca74f3173a19b42171fed97394730ed0759471804b6376f25aca60ba8fdfe
Instruction ID: dab3cd7fa44b5db62ef01e6ec6206c03c119fb6beb9efe44d953feb37d9660a7
Opcode Fuzzy Hash: 66aca74f3173a19b42171fed97394730ed0759471804b6376f25aca60ba8fdfe
Instruction Fuzzy Hash: EAE3F131E642658FCB15CE2DC9C13D977F9BB4B311F008299D919EB2A4CA369E85CF60

Function 6D321090 Relevance: 47.5, APIs: 19, Strings: 7, Instructions: 1980filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?), ref: 6D321937
GetModuleHandleA.KERNEL32 ref: 6D321972
GetModuleFileNameA.KERNEL32 ref: 6D321BCA
CreateFileA.KERNELBASE ref: 6D321C0E
CreateFileMappingA.KERNEL32 ref: 6D321D9A
CloseHandle.KERNEL32 ref: 6D32201A
VirtualProtect.KERNELBASE ref: 6D32268F
VirtualProtect.KERNELBASE ref: 6D3227C4
FindCloseChangeNotification.KERNELBASE ref: 6D322971
CreateFileMappingA.KERNEL32 ref: 6D322C66
MapViewOfFile.KERNEL32 ref: 6D322CDE
VirtualProtect.KERNEL32 ref: 6D322DE4
CloseHandle.KERNEL32 ref: 6D322E9A
CloseHandle.KERNEL32 ref: 6D322EAC

Strings

.text, xrefs: 6D3225DA
^\+), xrefs: 6D322B6D
@, xrefs: 6D322DD8
Rj+, xrefs: 6D321E69
^\+), xrefs: 6D322EC1
S>|, xrefs: 6D322634
S>|, xrefs: 6D322746

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: File$CloseHandle$CreateProtectVirtual$MappingModule$ChangeCurrentFindNameNotificationProcessView
String ID: .text$@$Rj+$S>|$S>|$^\+)$^\+)
API String ID: 2059257565-797904774
Opcode ID: 1a0bbc444c0e59ba9839d8f78d0d230336238dec8818696c24f97d30abdf33b3
Instruction ID: 7ef87b1b5cbab3b90e61a6448798979b1d54a3123adf92bfa548ee194f64ebed
Opcode Fuzzy Hash: 1a0bbc444c0e59ba9839d8f78d0d230336238dec8818696c24f97d30abdf33b3
Instruction Fuzzy Hash: 00F2FC39E142058FCB28CE3CCA957DE7BF6BB86311F108599D919DB394C73A89898F11

Function 6D322ED0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?), ref: 6D323065

Strings

ntdll.dll, xrefs: 6D323059
NtQueryInformationProcess, xrefs: 6D32307D

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: HandleModule
String ID: NtQueryInformationProcess$ntdll.dll
API String ID: 4139908857-2906145389
Opcode ID: 3f66c3e498d876e0506cb2578399ab53ce6a150bb1bd4bd657d89b9dcad236ef
Instruction ID: 54c10b0e08cb86d41dad21215e20f68456b0afea5abf147a05dc81b3db3cfa78
Opcode Fuzzy Hash: 3f66c3e498d876e0506cb2578399ab53ce6a150bb1bd4bd657d89b9dcad236ef
Instruction Fuzzy Hash: 45C1FF76E25205DFCB04CFACD6C13DDBBF6AB86350F10951AD614EB350CA3A9A0A8B51

Function 6D32C448 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D32C48F
___scrt_uninitialize_crt.LIBCMT ref: 6D32C4A9

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 22710b153ae1e7b484894c02958855684e3b752e9402c83e5e86655aba276ec6
Instruction ID: db6a3d1b9a20bd576afb08c1b36f3b2704f922d9c65eb0981996d7a51170d14c
Opcode Fuzzy Hash: 22710b153ae1e7b484894c02958855684e3b752e9402c83e5e86655aba276ec6
Instruction Fuzzy Hash: 0941D672D48215ABDB218F65C841B7F7BB8EB857A5F128126F955A7140C771CD01CBE0

Function 6D32C4F8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6D32C535
dllmain_crt_dispatch.LIBCMT ref: 6D32C54C
dllmain_raw.LIBCMT ref: 6D32C594
dllmain_crt_dispatch.LIBCMT ref: 6D32C5A7
dllmain_raw.LIBCMT ref: 6D32C5BA

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 05ca623c000e3bac5a18035150448d9d0d09401e8e5cf01640360c1de084d89a
Instruction ID: 36e1ca801fce75d14601d999d3b14b038c7cc1a486414ee80c63285d86ba60ed
Opcode Fuzzy Hash: 05ca623c000e3bac5a18035150448d9d0d09401e8e5cf01640360c1de084d89a
Instruction Fuzzy Hash: AA21A771D4426AABDB224F56CC41E7F3B79EB85B94F168125F91AAB210C731CD01CBE0

Function 6D32C341 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D32C38E

Part of subcall function 6D32C80B: InitializeSListHead.KERNEL32(6D38CA20,6D32C398,6D33E650,00000010,6D32C329,?,?,?,6D32C551,?,00000001,?,?,00000001,?,6D33E698), ref: 6D32C810

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D32C3F8

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 3fc91a514f52cfe703452938634126cdc29f0174c8f6f071406ca629ef999e38
Instruction ID: 28ee6c8546388f2bc621939197ac35ddf4e1ba9c75b677ac39e1b877422fcf35
Opcode Fuzzy Hash: 3fc91a514f52cfe703452938634126cdc29f0174c8f6f071406ca629ef999e38
Instruction Fuzzy Hash: B3212132E4C252AADB119FB498167FD37A09F0626DF12C42ADAC1776C2CB62C140C6A2

Function 6D33296C Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6D3329B8
GetFileType.KERNELBASE(00000000), ref: 6D3329CA

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 9650837ea29fba839c8c132d6934a89ead9c5c8aa8cd7af1e7f2665d10297b43
Instruction ID: 00a038ada09c169fa11a71c12667c5021964f6dbabb02d095a2498f3f64f9e25
Opcode Fuzzy Hash: 9650837ea29fba839c8c132d6934a89ead9c5c8aa8cd7af1e7f2665d10297b43
Instruction Fuzzy Hash: 961129795047E256CB308E3E8F89732BAACB747270B26070AE5B6961F1C735D492D2D0

Function 6D330DB7 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,6D330865,00000001,00000364,00000000,FFFFFFFF,000000FF,?,6D32FDE0,00000000,00000000), ref: 6D330DF8

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9d60286e78f9c902f95646329bea1afa0ef43343962ffe3baf4a7d84cbe54e43
Instruction ID: 86b3642ad2b47ad54f5d230069300e92f1305c89073c12fe1128967dfea98737
Opcode Fuzzy Hash: 9d60286e78f9c902f95646329bea1afa0ef43343962ffe3baf4a7d84cbe54e43
Instruction Fuzzy Hash: 74F0B43220A9B5A6EB155E27CF01B6B379CAF827B0B17C011B924AB580CB71E80083E0

Non-executed Functions

Function 6D32CB2A Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6D32CB36
IsDebuggerPresent.KERNEL32 ref: 6D32CC02
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D32CC1B
UnhandledExceptionFilter.KERNEL32(?), ref: 6D32CC25

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 0436130722665a9712d911a9966a3a2a5e1929445edd1a5df8ee0edfb315e6b4
Instruction ID: 0494281a7e95f3ecffccf5212ad5297eb0d2aa63b84a87d7448fa86a1331b097
Opcode Fuzzy Hash: 0436130722665a9712d911a9966a3a2a5e1929445edd1a5df8ee0edfb315e6b4
Instruction Fuzzy Hash: 4531F879D0522DDBDF20DF64D9897CDBBB8AF08304F1041AAE50CAB240EB719A85CF55

Function 6D330AC7 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D330BBF
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D330BC9
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D330BD6

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f01250d6513b0b28077723389ed2903b83c5446a70ea80210c7707f0f938195a
Instruction ID: c04b1798362862883bed3a7c06e06b7c6215c23ffd94a9534977b083c3b95409
Opcode Fuzzy Hash: f01250d6513b0b28077723389ed2903b83c5446a70ea80210c7707f0f938195a
Instruction Fuzzy Hash: 2E31E574D0122DABCB21DF64D98878DBBB8BF08314F5141DAE81CA7250EB709B858F54

Function 6D337715 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D337710,?,?,00000008,?,?,6D337313,00000000), ref: 6D337942

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e221bc7e7b5f051600590b609b99af4ae42283a1fd7d638a9c4e1497c90f716f
Instruction ID: 14587a40beb377072ecde435ef813e0eb69fc7caa565575799b0df0d94d7144d
Opcode Fuzzy Hash: e221bc7e7b5f051600590b609b99af4ae42283a1fd7d638a9c4e1497c90f716f
Instruction Fuzzy Hash: 79B18B71A20659DFD705CF28C587B647BE0FF45365F268658E8A9CF2A1C336D982CB40

Function 6D32BC40 Relevance: 1.7, Strings: 1, Instructions: 446COMMONLIBRARYCODE

Download Yara Rule

Strings

>H=, xrefs: 6D32C053

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID:
String ID: >H=
API String ID: 0-1700937968
Opcode ID: c914dfe83427a4a88450319b0df8eadfb430afe9f82e341c4d06de7c286faf42
Instruction ID: 312456577c2375d9159d02018cacbe62389aa429ea294fc61a3d4f3c3568f1d3
Opcode Fuzzy Hash: c914dfe83427a4a88450319b0df8eadfb430afe9f82e341c4d06de7c286faf42
Instruction Fuzzy Hash: 49F1CB72E9520A8FCF09CEACE6917DD7BF6BB46340F248116D501EB358D62ACE05CB25

Function 6D32CCE8 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D32CCFE

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 1e74ffe90d4fe0db93ad57ce51f0831a243a97f5884c5b61ca9269e998d40e2f
Instruction ID: de87dd14e9085ef24d048aa36a7d29a3a1540b3249a995cb79e60997ea2028f2
Opcode Fuzzy Hash: 1e74ffe90d4fe0db93ad57ce51f0831a243a97f5884c5b61ca9269e998d40e2f
Instruction Fuzzy Hash: FE519AB1E0220ADFEB15CF55D4827AABBF8FB4A712F14812AD411EB750D376E940CB50

Function 6D331178 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67620320d1544c9af1b63e73f406bbad3f98a1f83788f850c0baee025275bcc
Instruction ID: 9b8418ccaae859a79a2c2aa6e5d36296e5a4d391dbdcaf4824bc5c830cfebaa6
Opcode Fuzzy Hash: d67620320d1544c9af1b63e73f406bbad3f98a1f83788f850c0baee025275bcc
Instruction Fuzzy Hash: 4E41B2B5C04269AFDB10DF69CD89AEABBB8AF45304F1582D9E45DD3200DB359E84CF60

Function 6D33289B Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6D33289B

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 12b12f13fc483e4d11ae151b76694ea2ad1897338093e9b89e53af1806dcc651
Instruction ID: da206b2c81832ab18eb7ce98700500450c3833411249c4719dff233cbbf3605d
Opcode Fuzzy Hash: 12b12f13fc483e4d11ae151b76694ea2ad1897338093e9b89e53af1806dcc651
Instruction Fuzzy Hash: A6A00274605241EB9B508E35470931976BD554759270545595405D5150DB7454509F11

Function 6D3233E0 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc34d37f2f4d96fad5ac77d4f694893e7ea119da9ce74546484ab007d5b05ab
Instruction ID: 4a28a362f199cb64b0115b56d887b651ffc81dc843393105eada9b3b08b713a5
Opcode Fuzzy Hash: efc34d37f2f4d96fad5ac77d4f694893e7ea119da9ce74546484ab007d5b05ab
Instruction Fuzzy Hash: AD91D376F206058FCF09CE7CD9957EE77F6AF4A320F109219EA61E7390C63A99058B50

Function 6D32E55A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 6D32E679
___TypeMatch.LIBVCRUNTIME ref: 6D32E787
_UnwindNestedFrames.LIBCMT ref: 6D32E8D9
CallUnexpected.LIBVCRUNTIME ref: 6D32E8F4

Strings

csm, xrefs: 6D32E604
csm, xrefs: 6D32E597
csm, xrefs: 6D32E6B0
L3m, xrefs: 6D32E670

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: L3m$csm$csm$csm
API String ID: 2751267872-2258815385
Opcode ID: 8074d8e1fad495326e0952e7d2a3b596327c497c0bbb5725ebf0eabc74620c16
Instruction ID: 79c75e4692a4348f4d672ac20650e3b9a81ee7e9ae008ae24b571497dd98ced9
Opcode Fuzzy Hash: 8074d8e1fad495326e0952e7d2a3b596327c497c0bbb5725ebf0eabc74620c16
Instruction Fuzzy Hash: 90B18931C0430AAFCF15CFA4D9829AEBBB5FF04714B15816AE965BB201D332DA51CF91

Function 6D32D600 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 6D32D637
___except_validate_context_record.LIBVCRUNTIME ref: 6D32D63F
_ValidateLocalCookies.LIBCMT ref: 6D32D6C8
__IsNonwritableInCurrentImage.LIBCMT ref: 6D32D6F3
_ValidateLocalCookies.LIBCMT ref: 6D32D748

Strings

csm, xrefs: 6D32D6DD

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5abbb0bd4b1024713e64520514e30a329bce55f2cb2fd541533ec65fd86a4fce
Instruction ID: 33b683daef31c0c3b4344c766d41d86e10875e2cb4269a2793d95e19bf58e171
Opcode Fuzzy Hash: 5abbb0bd4b1024713e64520514e30a329bce55f2cb2fd541533ec65fd86a4fce
Instruction Fuzzy Hash: 9541A434E04209ABCF00CF68E884AAEBBB5BF85318F21C155E9196B351D772EA05CFD1

Function 6D3324CA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6D3325D9,00000000,6D32FDE0,00000000,00000000,00000001,?,6D332752,00000022,FlsSetValue,6D33A898,6D33A8A0,00000000), ref: 6D33258B

Strings

api-ms-, xrefs: 6D332521
ext-ms-, xrefs: 6D332535

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 72e8809c24a215cb67a417989e19cbabd29b07188f28a43d4100c9fb1e511771
Instruction ID: 00ea18189fe0a0196ec644065a6286d780c8da97a98a9b1ba505b25a34c9703c
Opcode Fuzzy Hash: 72e8809c24a215cb67a417989e19cbabd29b07188f28a43d4100c9fb1e511771
Instruction Fuzzy Hash: D721F9399452B1FBDB319F298F51A5A777CAB43768F134220EE15A7180DB31EA00C6E0

Function 6D32DBAC Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6D32D7E1,6D32C900,6D32C319,?,6D32C551,?,00000001,?,?,00000001,?,6D33E698,0000000C,6D32C64A), ref: 6D32DBBA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D32DBC8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D32DBE1
SetLastError.KERNEL32(00000000,6D32C551,?,00000001,?,?,00000001,?,6D33E698,0000000C,6D32C64A,?,00000001,?), ref: 6D32DC33

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f53d0e03b82c783c02aa05b9ec39f1ec352e79d191580a71b23425f720ee955a
Instruction ID: 0afd04c832652293efc460a20bc14bd486a4f0c99c97be609f29945ea009b53a
Opcode Fuzzy Hash: f53d0e03b82c783c02aa05b9ec39f1ec352e79d191580a71b23425f720ee955a
Instruction Fuzzy Hash: C901D83290C33B6EEB1526B4BDC6726267DEF437797214229E710990F1EFD3480092E0

Function 6D3316FE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Loader.exe, xrefs: 6D33171A

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Loader.exe
API String ID: 0-1966603485
Opcode ID: 4846a63c45afebf320debf1e52f3bbb7ea2470104f71de1360f937e42e39a9d7
Instruction ID: a58336b5577a1d2c9143c53d3112d24fce6e59fe73aaee0dfeff16b8a0ed7aa3
Opcode Fuzzy Hash: 4846a63c45afebf320debf1e52f3bbb7ea2470104f71de1360f937e42e39a9d7
Instruction Fuzzy Hash: 8A218E352082A6AFD7109F658E8196B77BDBF5136870BC618FA58D7150EB31E84087A0

Function 6D32F70E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DCEAC541,00000000,?,00000000,6D338012,000000FF,?,6D32F6A8,?,?,6D32F67C,?), ref: 6D32F743
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D32F755
FreeLibrary.KERNEL32(00000000,?,00000000,6D338012,000000FF,?,6D32F6A8,?,?,6D32F67C,?), ref: 6D32F777

Strings

CorExitProcess, xrefs: 6D32F74D
mscoree.dll, xrefs: 6D32F73C

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9b23dc3338ceb6610240eb112517d6f8cd7aae276f89602896bf6133d2733b17
Instruction ID: 6c03ecc2781868e62e0bf7fcd4d23bd9f2f1b4c1eb3de227f598231af9f6b237
Opcode Fuzzy Hash: 9b23dc3338ceb6610240eb112517d6f8cd7aae276f89602896bf6133d2733b17
Instruction Fuzzy Hash: 2401A23991066AFFDF219F54CE49FBE7BBDFB05755F010525E821A2290DB75D800CAA0

Function 6D334185 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6D33420A
__alloca_probe_16.LIBCMT ref: 6D3342D3
__freea.LIBCMT ref: 6D33433A

Part of subcall function 6D33332A: HeapAlloc.KERNEL32(00000000,6D331C77,6D333044,?,6D331C77,00000220,?,?,6D333044), ref: 6D33335C

__freea.LIBCMT ref: 6D33434D
__freea.LIBCMT ref: 6D33435A

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 23998eb0d6ce875702e15740beff39b352959eeadc34deeee011014f9eb22417
Instruction ID: eea74cc805d52df485ba985dda7c7872e19bfdeaf3b1e702e419fda51948840b
Opcode Fuzzy Hash: 23998eb0d6ce875702e15740beff39b352959eeadc34deeee011014f9eb22417
Instruction Fuzzy Hash: 5051B6726042ABABEB154FA4DE41EBB36A9EF48764F178128FE14D7110E737DC50C6A0

Function 6D32E182 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6D32E133,00000000,?,00000001,?,?,?,6D32E222,00000001,FlsFree,6D339F70,FlsFree), ref: 6D32E18F
GetLastError.KERNEL32(?,6D32E133,00000000,?,00000001,?,?,?,6D32E222,00000001,FlsFree,6D339F70,FlsFree,00000000,?,6D32DC81), ref: 6D32E199
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6D32E1C1

Strings

api-ms-, xrefs: 6D32E1A6

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 805409d28e0e29a2f96b337b640a8b5423c820a77f2e2aad3b9ac0bd915b3150
Instruction ID: 19421cde07af7eafd7df69e3312247842f720f8b682b142f5565051f00925225
Opcode Fuzzy Hash: 805409d28e0e29a2f96b337b640a8b5423c820a77f2e2aad3b9ac0bd915b3150
Instruction Fuzzy Hash: 61E01A38648355F7EF201F71DD07B693A69AB01B54F114030F90CE8095DB62E450C6A6

Function 6D334892 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(DCEAC541,00000000,00000000,?), ref: 6D3348F5

Part of subcall function 6D3322CC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D334330,?,00000000,-00000008), ref: 6D33232D

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6D334B47
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D334B8D
GetLastError.KERNEL32 ref: 6D334C30

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: f5352e14cca457c6015893452dd10b435c376d0ceebc2ae99c201cd19fd5deb0
Instruction ID: 2118b232a414e899c14f601056d2dfa6df7f3b76237289c6f19a9f426c411bca
Opcode Fuzzy Hash: f5352e14cca457c6015893452dd10b435c376d0ceebc2ae99c201cd19fd5deb0
Instruction Fuzzy Hash: CDD19E75D04298AFCF01CFA8D980AADBBB9FF0D314F15812AE555EB351D731A941CB60

Function 6D32E303 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6D32E3CA
___AdjustPointer.LIBCMT ref: 6D32E3ED
___AdjustPointer.LIBCMT ref: 6D32E489

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c2666f073dc1005329904d3695d5194ea6295620a47e8cca5a72d0ec4e03f489
Instruction ID: fe1b8248a651b28f509ba440f3fa45f53c32a8a50738eaf2f2d506220bee5af6
Opcode Fuzzy Hash: c2666f073dc1005329904d3695d5194ea6295620a47e8cca5a72d0ec4e03f489
Instruction Fuzzy Hash: 2351CD72E08302EFEB158F65D842BBA77A4BF44714F10852DEA95E7290E732E940C790

Function 6D330F18 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6D3322CC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D334330,?,00000000,-00000008), ref: 6D33232D

GetLastError.KERNEL32 ref: 6D330F7C
__dosmaperr.LIBCMT ref: 6D330F83
GetLastError.KERNEL32(?,?,?,?), ref: 6D330FBD
__dosmaperr.LIBCMT ref: 6D330FC4

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 12009cc6699ead9c84c81b29cf291d47157e823d308e2e20e20850cd8c550d60
Instruction ID: 2c2da929cb479b651f3e07fe6dc917f0301ec3430782d63e60a152810589fe0b
Opcode Fuzzy Hash: 12009cc6699ead9c84c81b29cf291d47157e823d308e2e20e20850cd8c550d60
Instruction Fuzzy Hash: 5A2198326082A6AFD7119F6BCA4196BB7BDFF45364703C518FA59E7140DB31EC508760

Function 6D33236F Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6D332377

Part of subcall function 6D3322CC: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D334330,?,00000000,-00000008), ref: 6D33232D

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D3323AF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D3323CF

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 598ed4d34789b1aad9347253b3bad95149bbfa72545d8a138fbd6965fc7c8872
Instruction ID: f4b3a720f354552b0bf8f5eda34bf363780095d3859936c9a70495e2bdb2e9fe
Opcode Fuzzy Hash: 598ed4d34789b1aad9347253b3bad95149bbfa72545d8a138fbd6965fc7c8872
Instruction Fuzzy Hash: E511E5BA9085B6BFEA251A769F89C6FAA6CDE461E8707C024F601D1200EF358D0186F0

Function 6D336206 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6D3359C6,00000000,00000001,00000000,?,?,6D334C84,?,00000000,00000000), ref: 6D33621D
GetLastError.KERNEL32(?,6D3359C6,00000000,00000001,00000000,?,?,6D334C84,?,00000000,00000000,?,?,?,6D335227,00000000), ref: 6D336229

Part of subcall function 6D3361EF: CloseHandle.KERNEL32(FFFFFFFE,6D336239,?,6D3359C6,00000000,00000001,00000000,?,?,6D334C84,?,00000000,00000000,?,?), ref: 6D3361FF

___initconout.LIBCMT ref: 6D336239

Part of subcall function 6D3361B1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D3361E0,6D3359B3,?,?,6D334C84,?,00000000,00000000,?), ref: 6D3361C4

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6D3359C6,00000000,00000001,00000000,?,?,6D334C84,?,00000000,00000000,?), ref: 6D33624E

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 4b2e57c9d78acf0a993f82c2028ee6f40c6f6bc221c7408a0790596a576bc503
Instruction ID: e3552d88ccd89f716abaa69b0fc3811cdef7880ab80a287d89a3118c26d2fba1
Opcode Fuzzy Hash: 4b2e57c9d78acf0a993f82c2028ee6f40c6f6bc221c7408a0790596a576bc503
Instruction Fuzzy Hash: 90F0AC3A5041A5BFCF221F95DE05A997F7AFB4A3A1F074110FB1995120DB328920EBD4

Function 6D32E8FF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6D32E924

Strings

RCC, xrefs: 6D32E93E
MOC, xrefs: 6D32E936

Memory Dump Source

Source File: 00000000.00000002.1393040422.000000006D321000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D320000, based on PE: true

Associated: 00000000.00000002.1393020864.000000006D320000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393080024.000000006D339000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393103242.000000006D340000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1393184797.000000006D38E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d320000_Loader.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: ab21f745b024b5a609196131649d570193212c426d3ee99d8387abb92bd63647
Instruction ID: 089623858c34cf5d6bfb4e20857c5f2f0012c733f0c0e8edb645e38f27a88bc0
Opcode Fuzzy Hash: ab21f745b024b5a609196131649d570193212c426d3ee99d8387abb92bd63647
Instruction Fuzzy Hash: 78413875D0020AAFCF05CFA4CD82AEE7BB5FF48304F15805AEA15BA250D336A951DB91

Analysis Process: aspnet_regiis.exePID: 7452, Parent PID: 7336COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.9%
Total number of Nodes:	34
Total number of Limit Nodes:	3

Executed Functions

Function 00588AA0 Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0058B4DC,005C003F,00000006,00120089,?,00000018,08090E0F,00000000,00565CBA), ref: 00588AC6

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 0055A5B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 259
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE ref: 0055A6CA

Strings

?, xrefs: 0055A5CC
B, xrefs: 0055A5F4
@, xrefs: 0055A5FE

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: LibraryLoad
String ID: ?$@$B
API String ID: 1029625771-3550719225
Opcode ID: 8bbacb1584caab43c8d7acee79d0624958682bcd2534cf2cd7cf4d61668e55e0
Instruction ID: 9f7410e6b69f40f2bcd10db2cafac7c2a98b7c43f923523b23eb6c6173b61d86
Opcode Fuzzy Hash: 8bbacb1584caab43c8d7acee79d0624958682bcd2534cf2cd7cf4d61668e55e0
Instruction Fuzzy Hash: 8AC1457450D7828FCB50DF28D59422ABFE0BBAA314F054A5EF8D897391D7348849EB93

Function 005594C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00559529

Strings

system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 005594F2

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: ExitProcess
String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
API String ID: 621844428-780655312
Opcode ID: 3d0739873cb203152440816a9a6b8428d67bf1a94eb287e7fb7ec15613a46ba1
Instruction ID: 88e5b298c348ea91d3179be45945f98389205c593e834edd53661b20d43474ae
Opcode Fuzzy Hash: 3d0739873cb203152440816a9a6b8428d67bf1a94eb287e7fb7ec15613a46ba1
Instruction Fuzzy Hash: 6CF0A7B0808215C6CE117BB4A96F23D3E58BF91313F400837EDC562102FB2C882DA7A3

Function 005888AB Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b1a70aeba42e8ad7fd5d9d7854048cab32089095631ddfd7cb57c207f99a9d
Instruction ID: 46c8c57e2e8c9e242f1244795cfdbfddf14987fa4308e0f671349e9c31cadb7f
Opcode Fuzzy Hash: 71b1a70aeba42e8ad7fd5d9d7854048cab32089095631ddfd7cb57c207f99a9d
Instruction Fuzzy Hash: 414125706483429BD308DF14D9A072FBBE1FBD6708F148A1DE8992B691CB74DD09DB86

Function 005887EA Relevance: 1.5, APIs: 1, Instructions: 47
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000800), ref: 0058888A

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a515b8e077ccc12c9f33b678c11d8b92f205c0969b55c61774705e3e4ddb0956
Instruction ID: af8319c700be70a9bc02fa7ebf7ccc59f82bf301bb89139f005326e3023b9c98
Opcode Fuzzy Hash: a515b8e077ccc12c9f33b678c11d8b92f205c0969b55c61774705e3e4ddb0956
Instruction Fuzzy Hash: 3A1116706483419BD308DF14D9A072FBBE2FBD6708F148A1DE8952B691CB74DD09DB86

Function 00588418 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00588426

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 0381c13378bef33cc86f3c197c8be7b3c6b13927dd99a46e0a39b96965de5c7d
Instruction ID: 0d2a2fe4cb640db2c5228d85fa5de5a90a1fb270a686d79975f8b7dcc0583212
Opcode Fuzzy Hash: 0381c13378bef33cc86f3c197c8be7b3c6b13927dd99a46e0a39b96965de5c7d
Instruction Fuzzy Hash: 5ED0222EA200404BDB0CB775ECA2A3E3257EBE030736A403EC402C3341F63DC20E9A20

Function 00586802 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00586806

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cc64c9807242cd09c9b96dbdd0e7a29bbe2467af3302191d983f3715906f0d60
Instruction ID: 16a40d57eba595d07e25bbb04b4e71a8b8b95c49ad386cb0a1e0a24629cb0d6c
Opcode Fuzzy Hash: cc64c9807242cd09c9b96dbdd0e7a29bbe2467af3302191d983f3715906f0d60
Instruction Fuzzy Hash: 27B0127B74010464DA2022987C01BED731CC7C0132F000063E70891040412151240160

Function 00586712 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00586716

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cc64c9807242cd09c9b96dbdd0e7a29bbe2467af3302191d983f3715906f0d60
Instruction ID: 16a40d57eba595d07e25bbb04b4e71a8b8b95c49ad386cb0a1e0a24629cb0d6c
Opcode Fuzzy Hash: cc64c9807242cd09c9b96dbdd0e7a29bbe2467af3302191d983f3715906f0d60
Instruction Fuzzy Hash: 27B0127B74010464DA2022987C01BED731CC7C0132F000063E70891040412151240160

Function 00588960 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNELBASE(0055951B), ref: 0058896B

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 90ec0a6d1d0303c8c8c10b3e20e92610f447f11f7369583c828fc5acdff5816a
Instruction ID: 9562058f02f20f38e14b0626455396d1269a76c4ec916df3805350b722170d21
Opcode Fuzzy Hash: 90ec0a6d1d0303c8c8c10b3e20e92610f447f11f7369583c828fc5acdff5816a
Instruction Fuzzy Hash: B4A00235411443DBDE117F34ED0D6283E32BBA1309B260157B44EA58318E251419FB05

Non-executed Functions

Function 00566CB0 Relevance: 20.8, Strings: 16, Instructions: 797COMMON

Download Yara Rule

Strings

?Y?[, xrefs: 0056783C
b, xrefs: 0056771F
_A@X, xrefs: 005676B7
,I(K, xrefs: 0056785C
\1N3, xrefs: 00567B98, 00567A18, 00567A5D
WE[S, xrefs: 005676BF
+6*m, xrefs: 00567717
)a1-, xrefs: 005676DF
f1, , xrefs: 005676E7
!b60, xrefs: 005676FF
j, 9, xrefs: 005676EF
WVSJ, xrefs: 005676CF
</)&, xrefs: 0056770F
#>0{, xrefs: 00567707
{JVA, xrefs: 005677D8, 0056775E, 00567900, 0056789E
LM, xrefs: 00567868

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: !b60$#>0{$)a1-$+6*m$,I(K$</)&$?Y?[$LM$WE[S$WVSJ$\1N3$_A@X$b$f1, $j, 9${JVA
API String ID: 0-2289204625
Opcode ID: 94083ed82ed11c01ac0e2ed12a78c65bc6c3000bc7cc49ea9be97e659a87c554
Instruction ID: b4765f65d9ad0e97300c1af825950ecef8a9d3e452f222a4826b21113e3cf767
Opcode Fuzzy Hash: 94083ed82ed11c01ac0e2ed12a78c65bc6c3000bc7cc49ea9be97e659a87c554
Instruction Fuzzy Hash: FA5267715083458FD718CF18C4906ABBBE2FFD9318F058A2DE8E55B281E774D909CB92

Function 00571A15 Relevance: 12.4, Strings: 9, Instructions: 1101COMMON

Download Yara Rule

Strings

afdx, xrefs: 005716A1
MO, xrefs: 00572617
IVTP, xrefs: 0057276B
mfgs, xrefs: 0057169A
MFG[, xrefs: 00572764
EG, xrefs: 00572609
{~sy, xrefs: 005716B6
C^[A, xrefs: 00572780
]_, xrefs: 005725FB

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: C^[A$IVTP$MFG[$afdx$mfgs${~sy$EG$MO$]_
API String ID: 0-2294649119
Opcode ID: c1638575676f08c5e63e902445dfa4401c1c448ae338bba5b91fb75f8a9d7946
Instruction ID: 2c5f75aa75f9711bbf52fcba8e1e18d7187bdecc09bcdba6c7bb420afd023a6d
Opcode Fuzzy Hash: c1638575676f08c5e63e902445dfa4401c1c448ae338bba5b91fb75f8a9d7946
Instruction Fuzzy Hash: C682AAB5600601CFD724CF29E890A22BBF2FF99304F15896DD58A8B762D735E856DF80

Function 0056E4F4 Relevance: 11.7, Strings: 9, Instructions: 456COMMON

Download Yara Rule

Strings

Hi, xrefs: 0056E5E9
61, xrefs: 0056ECD3
$IK, xrefs: 0056E838
qs, xrefs: 0056E87A
*U"W, xrefs: 0056E82D
Cg, xrefs: 0056E5DE
uw, xrefs: 0056F0F6
9;, xrefs: 0056EEB2
!#, xrefs: 0056EEC8

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: $IK$*U"W$61$Cg$Hi$!#$9;$qs$uw
API String ID: 0-3993577159
Opcode ID: 4778804fd8313d1d4e79665a6744a96b279d9dec0d8c70d028a477e37c51bf7c
Instruction ID: fd12a05d93143c6d2c5c391e3f333acc037222c24b76aaad031e1ab8edb6c029
Opcode Fuzzy Hash: 4778804fd8313d1d4e79665a6744a96b279d9dec0d8c70d028a477e37c51bf7c
Instruction Fuzzy Hash: ED52A4B41193818AE3749F05D591BEFBBE2BB86344F108E2DC9EE2B645CB704146CF96

Function 00551FA0 Relevance: 11.7, Strings: 9, Instructions: 430COMMON

Download Yara Rule

Strings

null, xrefs: 00552319
true, xrefs: 0055211A
0, xrefs: 00552044
., xrefs: 0055204A
., xrefs: 0055206F
false, xrefs: 00552132
W"k, xrefs: 005523F8
[, xrefs: 00552209
{, xrefs: 005523D0

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: .$.$0$W"k$[$false$null$true${
API String ID: 0-1320804404
Opcode ID: 849d19c4a2f5d438f56266856bb441da0fe30f9279d9c56bdd82d2b72c24dd7f
Instruction ID: b7a7b129e6f34be79a4d093419493d040261b9d0414c95eb121c055cbc3fc9e8
Opcode Fuzzy Hash: 849d19c4a2f5d438f56266856bb441da0fe30f9279d9c56bdd82d2b72c24dd7f
Instruction Fuzzy Hash: 1CD138B45013069FEB105F20DC6972A7FE5BF82346F15443AEC869B2A2EB75D90CCB52

Function 0057ED60 Relevance: 9.2, APIs: 6, Instructions: 151clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0057EDAF
GetWindowLongW.USER32 ref: 0057EDD2
GetClipboardData.USER32 ref: 0057EDE9
GlobalLock.KERNEL32 ref: 0057EE07
GlobalUnlock.KERNEL32 ref: 0057EF20
CloseClipboard.USER32 ref: 0057EF28

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: 2d22969b0e444d0234e42464e0aac54efe66d1236873936e6d69f4e00f95c305
Instruction ID: 6305ce2a3738f98795e703cd4fd0049605a2ebc8663803f74d98515b1b05853f
Opcode Fuzzy Hash: 2d22969b0e444d0234e42464e0aac54efe66d1236873936e6d69f4e00f95c305
Instruction Fuzzy Hash: DD5139B0508B81DFD321DF38D559716BFE0BB1A304F148A6DD89A8BB91D335B818DB92

Function 00559F20 Relevance: 8.0, Strings: 6, Instructions: 462COMMON

Download Yara Rule

Strings

{nvo, xrefs: 0055A216
YX, xrefs: 0055A138
tQpS, xrefs: 0055A384
Y!N#, xrefs: 0055A364
crkr, xrefs: 0055A1DB
0, xrefs: 00559F99

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 0$Y!N#$YX$crkr$tQpS${nvo
API String ID: 0-2801861193
Opcode ID: bc27c668f6989bf8fc83902213486f14ec2b5ef6b9e9555969c668e25bb79fad
Instruction ID: 49034f4c3d33cb1c07de5b2d1954df8f90078ff2de0c66e665fd2b4a396d7db4
Opcode Fuzzy Hash: bc27c668f6989bf8fc83902213486f14ec2b5ef6b9e9555969c668e25bb79fad
Instruction Fuzzy Hash: 830244B02083818BD714DF19C4A1B6BBBE2FFC5309F148A1EE4D98B252D7799909CB57

Function 00573FBB Relevance: 7.9, Strings: 6, Instructions: 379COMMON

Download Yara Rule

Strings

.(.#, xrefs: 00573FD8
f8 <, xrefs: 00573FD1
119,, xrefs: 00573FDF
f, xrefs: 00573FEC
60&+, xrefs: 00573FCA
5 , xrefs: 00573FE6

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: .(.#$119,$5 $60&+$f$f8 <
API String ID: 0-2009440134
Opcode ID: c84701d44f41ccacabc30ba5a0bd7b5cacdb4d9b5d5c5c9ec1d38bb3ead31ac9
Instruction ID: f65cc61713a85136d84d3309418203c43f2d3c3c369ac06be2d8e3ef0c5932be
Opcode Fuzzy Hash: c84701d44f41ccacabc30ba5a0bd7b5cacdb4d9b5d5c5c9ec1d38bb3ead31ac9
Instruction Fuzzy Hash: C3C1BDB41047018FD728CF24D8A0A27BBF2FF9A304F05896DD99A4B796DB35E806CB50

Function 0055FE8B Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

YX, xrefs: 0055FFE1
qxML, xrefs: 0055FFFD
y{, xrefs: 0056022F
uw, xrefs: 00560250
f, xrefs: 0055FEBF
stJd, xrefs: 0055FFF2

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID: YX$f$qxML$stJd$uw$y{
API String ID: 4116985748-4140902196
Opcode ID: 1877f74233a50cbe631422f801d62f17060425094df450acd2a0a69b86ef44c1
Instruction ID: c05f2764eeba705f2d3b038f83e3ec87e063ef041dac45d78eb24f51064d2798
Opcode Fuzzy Hash: 1877f74233a50cbe631422f801d62f17060425094df450acd2a0a69b86ef44c1
Instruction Fuzzy Hash: 9CD149B010D3818BD375CF14C4A4BABBFE2AFD6344F285A1DD4C91B296C7349989CB96

Function 0056CA4C Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 828COMMON

Download Yara Rule

Strings

?>=<, xrefs: 0056D349
EMLR, xrefs: 0056CB7C

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ?>=<$EMLR
API String ID: 0-78272047
Opcode ID: 2b19a530164e02c1c41a89112507baa65ea8a49113c687230cc735c3db710f9e
Instruction ID: 24c55e1247c59009d1b6425c5b43951964845510efe844fcb7fec84773766072
Opcode Fuzzy Hash: 2b19a530164e02c1c41a89112507baa65ea8a49113c687230cc735c3db710f9e
Instruction Fuzzy Hash: B75289B6600B41CFD328CF29C890B22BBF2FB99314B19896DD5968B7A1D735F945CB40

Function 00573517 Relevance: 5.7, Strings: 4, Instructions: 654COMMON

Download Yara Rule

Strings

F0, xrefs: 00573C66
ihk, xrefs: 00573BC2
_M, xrefs: 00573C58
_Z, xrefs: 005739DF

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: F0$_M$_Z$ihk
API String ID: 0-2356880666
Opcode ID: b438f4e14150a1e9a0a07f65b5b79db36f748f661e8aa78ef5a00c5d29329ba5
Instruction ID: e899b9f20fa457e4f1705485e2eb714e65876d823cbf2f3cbd899d3466e685ff
Opcode Fuzzy Hash: b438f4e14150a1e9a0a07f65b5b79db36f748f661e8aa78ef5a00c5d29329ba5
Instruction Fuzzy Hash: 974269B5600B019FD728CF29D595617BBF2FF85710B148A1DE8AA8BB85D730F812CB91

Function 0058A192 Relevance: 4.8, Strings: 3, Instructions: 1015COMMON

Download Yara Rule

Strings

vn$+, xrefs: 0058A806
Tvca, xrefs: 0058A3EB
%;TK, xrefs: 0058A346

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: %;TK$Tvca$vn$+
API String ID: 0-2903632686
Opcode ID: 44889fe674403507a048ed82cae8ad97231f6482039f9c365db9a55b1e0f05f3
Instruction ID: faf673c24f21788f16da6e9a4c4577c3821c74a1976443e06e038f8d99cd18bb
Opcode Fuzzy Hash: 44889fe674403507a048ed82cae8ad97231f6482039f9c365db9a55b1e0f05f3
Instruction Fuzzy Hash: 8F62D035608201CFD718CF28D89062AB7F2FF9E314F1A896ED58A97761D734E849DB81

Function 0058A260 Relevance: 4.8, Strings: 3, Instructions: 1001COMMON

Download Yara Rule

Strings

vn$+, xrefs: 0058A806
Tvca, xrefs: 0058A3EB
%;TK, xrefs: 0058A346

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: %;TK$Tvca$vn$+
API String ID: 0-2903632686
Opcode ID: 26344490dac32f23c8694919040231f38ff9487977e9a99201087d189c3efed1
Instruction ID: 6a4dec8992ddc7515e9a6b7937544059a4712442ede617d9c15b93a12068bbe2
Opcode Fuzzy Hash: 26344490dac32f23c8694919040231f38ff9487977e9a99201087d189c3efed1
Instruction Fuzzy Hash: 3262D235608301CFD718CF28D89062AB7F2FF9A314F1A896ED58A97761D735E809DB81

Function 00570239 Relevance: 4.3, Strings: 3, Instructions: 530COMMON

Download Yara Rule

Strings

&u&w, xrefs: 00570251
y*{, xrefs: 005703C6
%q%s, xrefs: 00570249

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: y*{$%q%s$&u&w
API String ID: 0-23862052
Opcode ID: b6c80a4056b4efe589860e9bfe9a2757182639e4b215e2025d82ffbc549b4b0d
Instruction ID: 74e46d5aa603630950c74f577cc2c8075828fdf8d285e32b7ea9142a55a302fb
Opcode Fuzzy Hash: b6c80a4056b4efe589860e9bfe9a2757182639e4b215e2025d82ffbc549b4b0d
Instruction Fuzzy Hash: 3C02A9B0608341DFE728DF24E890B6BBBE1FBD4304F15991DE5899B2A1D7349846DF82

Function 00566340 Relevance: 3.9, Strings: 3, Instructions: 119COMMON

Download Yara Rule

Strings

VQ, xrefs: 0056635A
A\, xrefs: 0056636A
_Q, xrefs: 00566362

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: A\$VQ$_Q
API String ID: 0-2014431945
Opcode ID: 0018cf0d46f7b34891c2d6a60d0ec1a9563958d2f8aaaf798db0608a0139cedc
Instruction ID: 1f52ecb8edde335298cccd75f93b2cc79af8dbdd7333a4b2cc4c8b4b206172b6
Opcode Fuzzy Hash: 0018cf0d46f7b34891c2d6a60d0ec1a9563958d2f8aaaf798db0608a0139cedc
Instruction Fuzzy Hash: 9F4197B0508351DBCB248F14C8A066FBBF1FF86315F054A1DE8995B390EB789D06DB96

Function 00577239 Relevance: 3.0, Strings: 2, Instructions: 472COMMON

Download Yara Rule

Strings

+82, xrefs: 0057761E
mgnd, xrefs: 005779B1

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: +82$mgnd
API String ID: 0-2839690620
Opcode ID: 8c55e9529a8be9d028fa236196aeca17c3ca76cc39296d37b8dee3d1ca7b7e08
Instruction ID: 67f53bd14c03554fada55361cf5339cf5baf9846866f0fe87a8f93105167858c
Opcode Fuzzy Hash: 8c55e9529a8be9d028fa236196aeca17c3ca76cc39296d37b8dee3d1ca7b7e08
Instruction Fuzzy Hash: 37F19970108B918FD725CF39D0947A7BBE1BF56304F18896DC4EB8B692D73AA409DB50

Function 00577602 Relevance: 2.9, Strings: 2, Instructions: 396COMMON

Download Yara Rule

Strings

+82, xrefs: 0057761E
mgnd, xrefs: 005779B1

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: +82$mgnd
API String ID: 0-2839690620
Opcode ID: e0b16b7768c4c1983d8e917dae01a4d77ab77ffd7a6247690cdb9ce5ed51a102
Instruction ID: 74fd373d519bbcb293267113e829f27fd3f11548c68892746fd84e478364ca17
Opcode Fuzzy Hash: e0b16b7768c4c1983d8e917dae01a4d77ab77ffd7a6247690cdb9ce5ed51a102
Instruction Fuzzy Hash: 8AD19B70108B828BD725CF39D094BA7BBF1BF56304F14896DD4EB8B692D736A809DB50

Function 0058A630 Relevance: 2.0, Strings: 1, Instructions: 772COMMON

Download Yara Rule

Strings

vn$+, xrefs: 0058A806

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: vn$+
API String ID: 0-1879957136
Opcode ID: 0b2f7e34d941586ad10417949e2849ac3119e3f0a0f2bf17588f6fb9ea3976e8
Instruction ID: 59049b76ef14c5f8526238c707cd90ad9f8e8a17dc38c43c17acd98dc2663174
Opcode Fuzzy Hash: 0b2f7e34d941586ad10417949e2849ac3119e3f0a0f2bf17588f6fb9ea3976e8
Instruction Fuzzy Hash: 8742E375608301CFD718CF28D8A062AB7F2FF9A314F19896ED98A97751D734E809DB81

Function 00558F60 Relevance: 1.6, Strings: 1, Instructions: 397COMMON

Download Yara Rule

Strings

X, xrefs: 0055937F

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-529171957
Opcode ID: 09bdf61dc5ced588b59da596db21fdcf87d1e62c95f2e079ea363cb78f6c38b5
Instruction ID: 37ae7ffbb014ff1360d9176bf929913345fc8cdaf26f170b83cc5ad8f2be24d0
Opcode Fuzzy Hash: 09bdf61dc5ced588b59da596db21fdcf87d1e62c95f2e079ea363cb78f6c38b5
Instruction Fuzzy Hash: 8ED1F471A08752CBC714CE29C4E425ABFE3BFC5315F29CA2EE895473A5D6789C098B81

Function 0056D413 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

?>=<, xrefs: 0056D525

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: ?>=<
API String ID: 2994545307-3799960392
Opcode ID: 10dd8254f58ddf4ec1603fb10149df74a12dd9c5444d6bce4aa03f97d59ed4ca
Instruction ID: 0810cbb8dc6c5dd46b1fcbdf81afa6c987c098d6d79f011ec0ad6db419cbe701
Opcode Fuzzy Hash: 10dd8254f58ddf4ec1603fb10149df74a12dd9c5444d6bce4aa03f97d59ed4ca
Instruction Fuzzy Hash: A271DC35605201CFD728CF18D890B22B3F2FF99305F19886EE98A8BA91D736F955DB50

Function 00562D60 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

95, xrefs: 00562EEA

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 95
API String ID: 0-435051366
Opcode ID: 338b27fdd4725514f32f27615e4d963fe078574ffcd6e673930d0073e911b38b
Instruction ID: 94947e485936d31acc57f630b0406efcb51df9afdd59a19a5fb21fd3a589b5e3
Opcode Fuzzy Hash: 338b27fdd4725514f32f27615e4d963fe078574ffcd6e673930d0073e911b38b
Instruction Fuzzy Hash: 2251ADB19187418BD321DF28C85472ABBE8BF9A304F040A2DE4C5D7292E736DD45CB92

Function 0058BB40 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

@, xrefs: 0058BB90

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: c44a35eb52ed7da93ac617a5f7117d619d35c449770a55ccc5a921ccdcf44374
Instruction ID: 079839b05837efa7f6eb5bd29de7c1bb0d13bd464de7174e41d7bd78679a4375
Opcode Fuzzy Hash: c44a35eb52ed7da93ac617a5f7117d619d35c449770a55ccc5a921ccdcf44374
Instruction Fuzzy Hash: E83198B15083059FD700EF18C8C0B6ABBF9FF99324F504A1DE894A7260C375A914CBA2

Function 0056E3F0 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

2V, xrefs: 0056E425

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 2V
API String ID: 0-2394869900
Opcode ID: e14e8af4c81799f7dbab537716765addeb57e39c432b9f52c256e55b25037846
Instruction ID: b43cf6df606d5fd479b7e9c9fd5c782b52051ead952e2884ce85bf3800142a1f
Opcode Fuzzy Hash: e14e8af4c81799f7dbab537716765addeb57e39c432b9f52c256e55b25037846
Instruction Fuzzy Hash: 9211D075608301EFE310CF28DC86B6BB7E9EB89704F10492AF644D72A1E771E908DB42

Function 0056E490 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

2V, xrefs: 0056E425

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 2V
API String ID: 0-2394869900
Opcode ID: bd26d397582a4d7f64a2485b4733c102770dd015c89f73c2aeb337160da80b72
Instruction ID: 48e29a4bf40de73c705ab0887d2945b432f4a96a4ac7a958641299c1d67a34ac
Opcode Fuzzy Hash: bd26d397582a4d7f64a2485b4733c102770dd015c89f73c2aeb337160da80b72
Instruction Fuzzy Hash: B011A9B6A18300DFC700CF28D88596AB7E9FB99304F00492AE554C3321E73AEA08DB52

Function 00584695 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

\, xrefs: 005846D0

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: f192f9e9c408b162717effa63685aec90440f078f252826209de8cfc909abf5b
Instruction ID: 8c6c28b7180ed792e41f94571eec891afaf268c7ef7fb2a7c2d4da00493edca0
Opcode Fuzzy Hash: f192f9e9c408b162717effa63685aec90440f078f252826209de8cfc909abf5b
Instruction Fuzzy Hash: 9B019674285300BEF6209F50DD47F1BB6A0A790F05F30581DB2497A1D1D6F47909964E

Function 00558170 Relevance: .8, Instructions: 837COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778d99a5e817c14e1941c326cf3ec900021067227dd567f81c87b1ae683ffb15
Instruction ID: 0af97ceadbe3afeb73319f90029a8991b2b3ad37ac5bf48f9cb57aeea63600ab
Opcode Fuzzy Hash: 778d99a5e817c14e1941c326cf3ec900021067227dd567f81c87b1ae683ffb15
Instruction Fuzzy Hash: 1962E4315087118BC724DF18D8A067AB7E1FFD4315F198A2ED9C6A7381EB34E959CB82

Function 00587090 Relevance: .6, Instructions: 642COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7707bba77f17cc6253d3c156aa4c95db60232043759fed5f96612df1dd8bb9
Instruction ID: c1ef7702486814e38fab27d6c9508c532e2255d19c606e2fa5b1ad7f6f35a322
Opcode Fuzzy Hash: 2c7707bba77f17cc6253d3c156aa4c95db60232043759fed5f96612df1dd8bb9
Instruction Fuzzy Hash: 9A228B7160C3458FD714DF18C890B6ABBE2BBC8314F288A6DF9A59B391D735E805CB52

Function 00571135 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787038f9b152fb731d1770967a64674f2fd4d7083f93dedeeb1678e2ba96aadb
Instruction ID: b4bffbed673cd488b87e212aa697a6e3cbeb4096377ed47f72b90f7ac4240ee1
Opcode Fuzzy Hash: 787038f9b152fb731d1770967a64674f2fd4d7083f93dedeeb1678e2ba96aadb
Instruction Fuzzy Hash: 5CF1D3B4604B418FC724CF29D490622BBF2BF9A304B09896DD4DB8BB52D735F80ADB54

Function 00572D7E Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef702b0a96f55de0d9ece70ac1174a3b584e25385ff52a30b0eef1675fd3598c
Instruction ID: f67924fd9669f80721d1ffe584cc153f8b686ff186043caf28b73cd62f019230
Opcode Fuzzy Hash: ef702b0a96f55de0d9ece70ac1174a3b584e25385ff52a30b0eef1675fd3598c
Instruction Fuzzy Hash: 2DF1D271605B408FD324CF39D891726BBE2BF9A320F19C66DD4AA8B7E1C335E9059B00

Function 00575BB5 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35d45ded01736ea161091aaf0188490265680cd4fd2fa1b1a6d3d3ff48f2da7
Instruction ID: 4f735e04bab4d55c55532c0fa819dd95c422e6e4275718785bb16bba56219a96
Opcode Fuzzy Hash: b35d45ded01736ea161091aaf0188490265680cd4fd2fa1b1a6d3d3ff48f2da7
Instruction Fuzzy Hash: 2BA1F570104F818BD3288B398094766FFE6BF96304F28866DD8EB4B792F3756945D750

Function 00575FE4 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b72aa6f06424cd596ef3e8242400e7ad1d8d7cf3176da6ae1362d2434276d8d
Instruction ID: 9e403139ae6daf94dc5efe62e3f7c5c06e37fa7911e70571fdb52d98dc82ac71
Opcode Fuzzy Hash: 8b72aa6f06424cd596ef3e8242400e7ad1d8d7cf3176da6ae1362d2434276d8d
Instruction Fuzzy Hash: C3A1E724104F818BD3288F3980A4766FFE2BF96304F28CA6DD4EB4B792D735A849D750

Function 00576704 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab387acfc012bfd4fce599158157e7d9a87c6473fad4c80b562183820d54d0cf
Instruction ID: 72a42fe05658bc70423797e191de1c0b6eeca0cd6235029be333fee46f6bc59d
Opcode Fuzzy Hash: ab387acfc012bfd4fce599158157e7d9a87c6473fad4c80b562183820d54d0cf
Instruction Fuzzy Hash: 27B1B170104F428AD728CF35D4987E3BBE1BF56304F18896DC0EB4B692DB7A6509DB94

Function 0056551E Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce16dadf67938f728824a5641d77130c748d6074f4e40c8aa1b073f8de92d98
Instruction ID: 30546fd4a333dc8ffabb0970682a09a33f9f01ac4dfb9607efc8c450cd8b5392
Opcode Fuzzy Hash: bce16dadf67938f728824a5641d77130c748d6074f4e40c8aa1b073f8de92d98
Instruction Fuzzy Hash: 9E61A2B16407019BCB28CF15CC92B637BB6FF99324B19861DE8478B7A0F734A801CB60

Function 00564F78 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0b408f23cb3da7bf22e3993cff87963153073e855bad85fa660743775c85c7
Instruction ID: 17ee85f7e116ca10d1d11981a9d0f377e6e63a548670460072e08e4c3dc4fec2
Opcode Fuzzy Hash: dd0b408f23cb3da7bf22e3993cff87963153073e855bad85fa660743775c85c7
Instruction Fuzzy Hash: 98715879200B019FD7208F29C890B62BBF1FF86714F54894DE8968B7A0E739F815CB90

Function 00573329 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ad5c4d6c2d1724592e13f47108d77c2b5bce9dbe94b28161cd9949414c94bc
Instruction ID: 9f5f2e59c2c4c8f903a9afdeafdbbe87a3db02bde031e4cae619a2dafe3a130a
Opcode Fuzzy Hash: a8ad5c4d6c2d1724592e13f47108d77c2b5bce9dbe94b28161cd9949414c94bc
Instruction Fuzzy Hash: 7681A174605740CFD325CF38D890B22BBE2BF5A314F1986ADD55A8B7A2C736E805EB10

Function 005763BB Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798f8765049bf285a76ce3d4bd51a89d8b55822d53e954927484a7b2ff876b55
Instruction ID: f2d9e942f05228f1e35a8ff7d965fc4e643251c30df9a823e2e5d26f3c57653c
Opcode Fuzzy Hash: 798f8765049bf285a76ce3d4bd51a89d8b55822d53e954927484a7b2ff876b55
Instruction Fuzzy Hash: 0D614B70104F518BE725CF39C4A47A2BBE2BF56304F44895DD0EB8B282DB3AA519DB54

Function 0057644B Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c7108bc464627d20f63e66f2629c8426849fab47f9974a06d7b924ca01acd6
Instruction ID: 305e5d332beb980741d9e1eea283bc9c503685a33af48756260eefe97cd3482e
Opcode Fuzzy Hash: d5c7108bc464627d20f63e66f2629c8426849fab47f9974a06d7b924ca01acd6
Instruction Fuzzy Hash: 8C712C70104F518FE725CF39C4A47A2BBE2BF56204F48895DD0EBCB282DB2AA519DB54

Function 00586CC0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 057e90dcfa51e726b2d862abe2eb7ca7749970423e1cac7951b821ef4ddf1a46
Instruction ID: 516a0029bde7e21a334452956c8232df828c5cb1febdf57f1eea35c5cd7b9886
Opcode Fuzzy Hash: 057e90dcfa51e726b2d862abe2eb7ca7749970423e1cac7951b821ef4ddf1a46
Instruction Fuzzy Hash: E3519E766083018FD314EF18C89066BBBE6FBD8714F1A8A2DE9C967355C7399C05CB81

Function 00584934 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7636ed063c64d2fd911d37252f062a1744a33633154bf4721345c0b1940ac27
Instruction ID: 03f28dc00c3d2f40af3c7f5c87edbbd73d767fd835d3fa21e82cbac798294ea3
Opcode Fuzzy Hash: a7636ed063c64d2fd911d37252f062a1744a33633154bf4721345c0b1940ac27
Instruction Fuzzy Hash: E3716874600B018FD728DF19D990A26BBE2FB99304F01895DE89B9BA51D735F845CF80

Function 00563A7E Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f87995f30d2ba089923c3f99fdd5173bf1e9995a78dbba91803c6cddc9fb7c1
Instruction ID: 4f4993f24e0770c348b2727040df6cb40595ce88f6e21c401bafeafda421d5ad
Opcode Fuzzy Hash: 9f87995f30d2ba089923c3f99fdd5173bf1e9995a78dbba91803c6cddc9fb7c1
Instruction Fuzzy Hash: 5E514774600B018FD325CF28C890B66B7E2FF8A314F098A5DD4A68B7A1E778F945CB40

Function 00563A7A Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a5c7dd600f00d275911e88207053f9b090cec54717118d97407297c5104bfd
Instruction ID: 704d9be0294d0dbd9d189a7301ef54cddc388aac503709b45d4c4b650e01384b
Opcode Fuzzy Hash: 09a5c7dd600f00d275911e88207053f9b090cec54717118d97407297c5104bfd
Instruction Fuzzy Hash: 52512574600B018FD325CF28C891B66B7E1FF4A710F198A5DD4A68B7A1E778F945CB90

Function 005535A0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bfcd7267b5f58250beb7797a8eec3b549af9fe90fa92025e6d923d1b0c640b
Instruction ID: 72a880dbdc2a784d162f2fd2b59b53f4e3b53032543c097cf07021f25159f235
Opcode Fuzzy Hash: 12bfcd7267b5f58250beb7797a8eec3b549af9fe90fa92025e6d923d1b0c640b
Instruction Fuzzy Hash: B041C732B081615BCB148A3DCC6027ABED39FC5285F1DC63AECC9DB346E534D9045794

Function 00565390 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac79e7acb4c5d2ce9581a2c2b8d229d43d4e8a692aae4cfcb9308a1a14e778f
Instruction ID: 3867bdbb12e42cebaf2dc5812a99970fba797d73a3aea6a79c602a99c2b394f3
Opcode Fuzzy Hash: eac79e7acb4c5d2ce9581a2c2b8d229d43d4e8a692aae4cfcb9308a1a14e778f
Instruction Fuzzy Hash: 914129B19487089BCB219F54C88473ABBE8FF91316F1946A9E88947382FFB1DC44C751

Function 0057638D Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b7157c4ddebb451878e33dc1a3bd84f76d3283e4f3ac7b905b71f85500fc7e
Instruction ID: 31f216f44f2aeb5615607ed6e79f4ec8c1f01a73537193f742b32c041505ee24
Opcode Fuzzy Hash: 08b7157c4ddebb451878e33dc1a3bd84f76d3283e4f3ac7b905b71f85500fc7e
Instruction Fuzzy Hash: 8B513D70104F518BE725CF39C4947A3BBE2BF56304F44895DD0EB8B282DB3AA429DB54

Function 005635C0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd555eb5c6a9d8580900354f07d486399135257b8333361a3d8f43f69cb12fd1
Instruction ID: d0da24b8e7562f65d74f385aecaec7f70638a5fd25dfc1c1791739beb9a5122d
Opcode Fuzzy Hash: dd555eb5c6a9d8580900354f07d486399135257b8333361a3d8f43f69cb12fd1
Instruction Fuzzy Hash: 32412271601B008FD325CF28C991B52BBF2BF8A701F08895ED89A87B65D739F805CB40

Function 00563F6C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243537e4999cf07b4934df13b2911a24d01d69319d8529b8622270ad32ce8366
Instruction ID: 10e14b907b895969bcfd967c370acdd3db28744aee2b24ad196a790196733825
Opcode Fuzzy Hash: 243537e4999cf07b4934df13b2911a24d01d69319d8529b8622270ad32ce8366
Instruction Fuzzy Hash: 8D416878240B019FD7208F29C890B62B7F2FF86704F18890DE8968B790E739F815CB90

Function 00587E00 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae64ea677bdf4bca35d4c3fcb74770b69736975759b72cd1fe5c3c05a9640fc
Instruction ID: 5e4b7060c11d8e78296f2d63447f91073570150dd834a4bc52dad5668a9834b6
Opcode Fuzzy Hash: eae64ea677bdf4bca35d4c3fcb74770b69736975759b72cd1fe5c3c05a9640fc
Instruction Fuzzy Hash: D831EB32A082114BC718DF34C89166AF7E2FBCD354F2A9A6DE8A59B3C1D334DC018791

Function 00571BF0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84dfe39a0240755fd6f13e35870048ba7ceb730868c3c2d638680708d5ca1a03
Instruction ID: c7921d5a9febe42302d269e7f771bcc4a7d619738253723b63b4b84a37db001f
Opcode Fuzzy Hash: 84dfe39a0240755fd6f13e35870048ba7ceb730868c3c2d638680708d5ca1a03
Instruction Fuzzy Hash: F741ACB1910B00AFD360DF3D8947757BEE8AB0A260F504B1DF8EAD7790E231A4158BD6

Function 00586A90 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: badbe1553ffab3dad17f5905473659d94891fea34b2952449eb4dded3149edb2
Instruction ID: 52dab26305d545cd4a3670bb9377d16a17fa678dfe0a2d734eea1d5637e70f8f
Opcode Fuzzy Hash: badbe1553ffab3dad17f5905473659d94891fea34b2952449eb4dded3149edb2
Instruction Fuzzy Hash: 43317A725083009FD311EF18C884B5BBBE5FBC5768F158A2DE8D8AB251D339ED458B92

Function 00562470 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88dea710e969eb5744eda019992d353233ee74d05e628acffda370b1205f2bbb
Instruction ID: c20d12aca9342124d615fa9ed9723683483a3147fa9b4ac3d67138b32e054ed9
Opcode Fuzzy Hash: 88dea710e969eb5744eda019992d353233ee74d05e628acffda370b1205f2bbb
Instruction Fuzzy Hash: 1E11BE715087019BC721CF14CC80B6BBBF5FBD9304F08191DE48597262E731D801CB56

Function 00582680 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction ID: 9fdbd073d16227f64612e2267521ae73012165a8939be35af32e192efa93041e
Opcode Fuzzy Hash: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction Fuzzy Hash: C011C6326051E40BC3169D3D8410569BFE32AA3334F594399E8B8AB2D2DA238D8A8365

Function 00574D50 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bd6d0f5f57ab19e159eae15cdc49e35225bcc7563e26bc5766ba6c6ada42ad
Instruction ID: cbfa890637dfe0596c43c2194934b811ea97fe2030aba1d2f9d2942b1e8b78e0
Opcode Fuzzy Hash: c5bd6d0f5f57ab19e159eae15cdc49e35225bcc7563e26bc5766ba6c6ada42ad
Instruction Fuzzy Hash: 9D0192F160130287D731AE14F4D873BAAA8BB80705F08852DD8495B301DB61EC08DAA1

Function 00563D28 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52da11bdfa80d55698eca696b1fc391b65a49468e709b80be94feec5a1af2a1e
Instruction ID: cc12bb44f7f0298a781add0b38f0de74657346975a16c438f8200072dee4bfca
Opcode Fuzzy Hash: 52da11bdfa80d55698eca696b1fc391b65a49468e709b80be94feec5a1af2a1e
Instruction Fuzzy Hash: DA116774604B029FC324CF29C980A26BBF6BF9A310B185A1DC4978BBA1DB70F944CB14

Function 00563500 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf5b2435f6fad9a1c76ac5d9c6729455afd3750a09ba2418628369d150614ac
Instruction ID: 2827801d81bc07069d207ce785f4e057554ef4f1ffb29d59ece77363a6bcf2bd
Opcode Fuzzy Hash: ecf5b2435f6fad9a1c76ac5d9c6729455afd3750a09ba2418628369d150614ac
Instruction Fuzzy Hash: A0117976201A419BD328CF28C990B66B7F2BB86310F08996DD09AC7B11EB38E805CB44

Function 005889DF Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1e8632c2800de9c474029ef36b45d888954fb80d83fd4ce242a25dee42c612
Instruction ID: 1034d462c33f55588c06c4d0b0887515e8891c3215bb0b94f2fd2692bf42047e
Opcode Fuzzy Hash: ee1e8632c2800de9c474029ef36b45d888954fb80d83fd4ce242a25dee42c612
Instruction Fuzzy Hash: 9C019A316052828FC324CF28C890B20FFF6FF6A315F29459AD1849B662C331E855CF98

Function 00553760 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d665afaa01de69fd6255678c59983a907f0d18cd5b9c20b036e790e0463bc5a0
Instruction ID: e33c2763b4e1720bde7e6ead3342bbc7387c84c49137923e16d95671320c41a3
Opcode Fuzzy Hash: d665afaa01de69fd6255678c59983a907f0d18cd5b9c20b036e790e0463bc5a0
Instruction Fuzzy Hash: 69F04CBA7AC30E1B9710DCF99CC0462F7D2E3C8555F0C4039DD45D3200E464EA0982D0

Function 00551755 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc38ea068082d4b92a633d9d58e24b68f8873dd92fc05601116b715a65e56bb
Instruction ID: d85a4819dd0b3669a5bd7b2fd62d4d1922c91e33db7614277b769c153ef281b5
Opcode Fuzzy Hash: 3bc38ea068082d4b92a633d9d58e24b68f8873dd92fc05601116b715a65e56bb
Instruction Fuzzy Hash: 6001A739209340CFD3448F2CD8906397BA6EB96365F5529AAF491873F1C734CC85D751

Function 005891FB Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889a0a25f094b01e0f69bc34d83ba06e836868c7b06ed6d3d49b14b3c62465fb
Instruction ID: 8a724fce1ac2123ab34a24e1715ebf6cabd2e6f3dec3fcdf69c7efca21ffc35f
Opcode Fuzzy Hash: 889a0a25f094b01e0f69bc34d83ba06e836868c7b06ed6d3d49b14b3c62465fb
Instruction Fuzzy Hash: 5AF0E775A1C201ABD708DF29C59166BBBE2AB85744F18892DF88AD3341D634DC06EB46

Function 0055D1C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: c37ea7505b9e03fd98c7ae771f358a80285a539e48f72055a5ba4e67f6ae1e91
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: F9D0A762649BA50E57688D3844B0477FFF8F947613F18149FE8D6E7105D220DC4586AC

Function 0057C16B Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415e07923a9248e3ab0b99fd183aa0e3509434bcf9ab1075cc96053aa39154a8
Instruction ID: 2393fc11c457fb321078cdd1824504a66442edd1e2351e37d5d7c8309b447ccc
Opcode Fuzzy Hash: 415e07923a9248e3ab0b99fd183aa0e3509434bcf9ab1075cc96053aa39154a8
Instruction Fuzzy Hash: 27E0C2B011A241DFD310EF28C999B4ABBF0FB94704F41895CE986D7390D7749508CB82

Function 0055171B Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfe9d4b0f945351f3ebf764d8a8a652b27a0a9a4d96b54098bb7e27959cb61e
Instruction ID: 1f8f40d85c6ced5fd731afa4665f67045b0e9890b830b533da6f2f80757ccab9
Opcode Fuzzy Hash: edfe9d4b0f945351f3ebf764d8a8a652b27a0a9a4d96b54098bb7e27959cb61e
Instruction Fuzzy Hash: DDD0ECA04093C4DE8B09CF559454035FFB1AF56204B6424DED0964B292DA31D58BEB55

Function 0056FDFC Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128f5fe937d45877b8dd531beaf0bf20fec1687645d771a1486700b49ccdb4aa
Instruction ID: 4485dc28013bb5ba83e5db757bf52972c22e1db1d78798371a9a6059a747ea8c
Opcode Fuzzy Hash: 128f5fe937d45877b8dd531beaf0bf20fec1687645d771a1486700b49ccdb4aa
Instruction Fuzzy Hash: E4B012A5D8500096D2445D00A40A2B0F334632B307F067411D808B7223D952EA480109

Function 0057EF40 Relevance: 103.4, APIs: 2, Strings: 57, Instructions: 165COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0057EF8A
GetSystemMetrics.USER32 ref: 0057EF9D

Strings

[Y, xrefs: 0057F14B
PHY, xrefs: 0057F2B6
t[Y, xrefs: 0057F0B1
PHY, xrefs: 0057F3A8
PHY, xrefs: 0057F508
PHY, xrefs: 0057F2A0
PHY, xrefs: 0057F400
PHY, xrefs: 0057F4DC
PHY, xrefs: 0057F392
PHY, xrefs: 0057F33A
PHY, xrefs: 0057F2F8
l\Y, xrefs: 0057F206
l[Y, xrefs: 0057F0A6
<\Y, xrefs: 0057F1C4
t\Y, xrefs: 0057F211
L[Y, xrefs: 0057F07A
|\Y, xrefs: 0057F21C
PHY, xrefs: 0057F484
T\Y, xrefs: 0057F1E5
PHY, xrefs: 0057F2CC
PHY, xrefs: 0057F30E
T[Y, xrefs: 0057F085
PHY, xrefs: 0057F3EA
<[Y, xrefs: 0057F064
,\Y, xrefs: 0057F1AE
PHY, xrefs: 0057F37C
4\Y, xrefs: 0057F1B9
|[Y, xrefs: 0057F0BC
PHY, xrefs: 0057F46E
PHY, xrefs: 0057F3BE
PHY, xrefs: 0057F366
PHY, xrefs: 0057F4C6
PHY, xrefs: 0057F2E2
$\Y, xrefs: 0057F1A3
\[Y, xrefs: 0057F090
PHY, xrefs: 0057F458
,[Y, xrefs: 0057F04E
PHY, xrefs: 0057F442
PHY, xrefs: 0057F350
\\Y, xrefs: 0057F1F0
PHY, xrefs: 0057F42C
D[Y, xrefs: 0057F06F
d\Y, xrefs: 0057F1FB
L\Y, xrefs: 0057F1DA
PHY, xrefs: 0057F4B0
PHY, xrefs: 0057F324
PHY, xrefs: 0057F02D
d[Y, xrefs: 0057F09B
PHY, xrefs: 0057EF52
D\Y, xrefs: 0057F1CF
PHY, xrefs: 0057F4F2
4[Y, xrefs: 0057F059
PHY, xrefs: 0057F49A
$[Y, xrefs: 0057F043
PHY, xrefs: 0057F416
PHY, xrefs: 0057F3D4
[Y, xrefs: 0057F156

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID: $[Y$$\Y$,[Y$,\Y$4[Y$4\Y$<[Y$<\Y$D[Y$D\Y$L[Y$L\Y$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$PHY$T[Y$T\Y$\[Y$\\Y$d[Y$d\Y$l[Y$l\Y$t[Y$t\Y$|[Y$|\Y$[Y$[Y
API String ID: 4116985748-53087812
Opcode ID: 5a162564fafcc0001243892996c8255b3850fcb541c14b472857c154b43fa9dd
Instruction ID: 681b1569bae8189bc2c91400bddec9d2f87c1a55446a4c93600388b8a3eb155b
Opcode Fuzzy Hash: 5a162564fafcc0001243892996c8255b3850fcb541c14b472857c154b43fa9dd
Instruction Fuzzy Hash: E7C138B09197C09BDB72CF10E8987CFBEE4BB86748F104A5CD0AD4A251E7B50959CF86

Function 0057835B Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 326COMMON

Download Yara Rule

Strings

32, xrefs: 005785E5
g})/, xrefs: 0057832C

Memory Dump Source

Source File: 00000003.00000002.1382886794.0000000000551000.00000020.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Associated: 00000003.00000002.1382867358.0000000000550000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382914931.000000000058D000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382935367.0000000000590000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1382954984.00000000005A2000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_550000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 32$g})/
API String ID: 0-4181651060
Opcode ID: 8c76918bd42a6fc15894158a8a994409c655a22625b1f161773e3b62df30791a
Instruction ID: 627833ca8c693ef6b01828316ca03bff7b8e2bf94fe6044ddd6a6aa18ccbd19f
Opcode Fuzzy Hash: 8c76918bd42a6fc15894158a8a994409c655a22625b1f161773e3b62df30791a
Instruction Fuzzy Hash: 1AC11130284B418BD725CF29D888762BFE2BF95314F188A5DD4EA8B792DB34F409DB51

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log

C:\Users\user\AppData\Roaming\d3d9.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

Windows Analysis Report
Loader.exe

Function 6D322ED0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 349
COMMON

Function 6D32C448 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6D32C4F8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6D32C341 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6D33296C Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 6D330DB7 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 6D32E55A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303
COMMONLIBRARYCODE

Function 6D32D600 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Function 00588AA0 Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Function 0055A5B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 259
libraryCOMMON