Edit tour

Windows Analysis Report
loader.exe

Overview

General Information

Sample name:	loader.exe
Analysis ID:	1585383
MD5:	0fd9836e2142bc85ced43d8316650b6c
SHA1:	17ad9773af8f56332d728f94890d9f5a37ec5d03
SHA256:	b870c9ee4b011fdb66b100275c583a3dc2e5884af31a4819f4b484ef839253fb
Tags:	exeuser-aachum
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

AI detected suspicious sample

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loader.exe (PID: 5036 cmdline: "C:\Users\user\Desktop\loader.exe" MD5: 0FD9836E2142BC85CED43D8316650B6C)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: loader.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: loader.exe

Joe Sandbox ML: detected

Source: loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 147.185.221.24:48428

Source: Joe Sandbox View

IP Address: 147.185.221.24 147.185.221.24

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: co-updated.gl.at.ply.gg

Source: loader.exe, 00000000.00000002.3916317395.0000000002571000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: loader.exe, 00000000.00000002.3916317395.00000000027D3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_975ac80e-6

Source: C:\Users\user\Desktop\loader.exe

Code function: 0_2_00007FF848F1E9AD NtProtectVirtualMemory,

0_2_00007FF848F1E9AD

Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F17236	0_2_00007FF848F17236
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F1C681	0_2_00007FF848F1C681
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F196A1	0_2_00007FF848F196A1
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F1BAE8	0_2_00007FF848F1BAE8
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F13440	0_2_00007FF848F13440
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F11448	0_2_00007FF848F11448
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F210D8	0_2_00007FF848F210D8
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F17FE2	0_2_00007FF848F17FE2
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F1BD4B	0_2_00007FF848F1BD4B
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F210A5	0_2_00007FF848F210A5
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F19CB1	0_2_00007FF848F19CB1
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F102FD	0_2_00007FF848F102FD
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F1EB0B	0_2_00007FF848F1EB0B

Source: loader.exe, 00000000.00000000.2048496512.0000000000162000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs loader.exe
Source: loader.exe	Binary or memory string: OriginalFilenameClient.exe. vs loader.exe

Source: loader.exe, FDdCFtRGHOCQM.cs	Security API names: File.GetAccessControl
Source: loader.exe, FDdCFtRGHOCQM.cs	Security API names: File.SetAccessControl
Source: loader.exe, FDdCFtRGHOCQM.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: loader.exe, qlllUayZ.cs	Security API names: Directory.GetAccessControl
Source: loader.exe, qlllUayZ.cs	Security API names: Directory.SetAccessControl
Source: loader.exe, rUGHQDGuDhlrp.cs	Security API names: Directory.GetAccessControl
Source: loader.exe, rUGHQDGuDhlrp.cs	Security API names: Directory.SetAccessControl
Source: loader.exe, rUGHQDGuDhlrp.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: loader.exe, dzYeBNghHSwLaeT.cs	Security API names: File.GetAccessControl
Source: loader.exe, dzYeBNghHSwLaeT.cs	Security API names: File.SetAccessControl
Source: loader.exe, wUnKJwFwMLX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal68.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\loader.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\loader.exe	Mutant created: \Sessions\1\BaseNamedObjects\Windows company

Source: loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: loader.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\loader.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\loader.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: loader.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\loader.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: netfxperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: esentprf.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: perfts.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: utildll.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msdtcuiu.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msdtcprx.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: msscntrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: perfdisk.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: perfnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: perfproc.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: sysmain.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: rasctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: tapiperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: perfctrs.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: usbperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Section loaded: cryptdll.dll	Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: loader.exe, RHxDmhGvQNRS.cs

.Net Code: NXUCOPGm

Source: loader.exe

Static PE information: 0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]

Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F1BAE8 push ecx; ret	0_2_00007FF848F1C25E
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F100BD pushad ; iretd	0_2_00007FF848F100C1
Source: C:\Users\user\Desktop\loader.exe	Code function: 0_2_00007FF848F1A8DA push eax; iretd	0_2_00007FF848F1A91D

Source: loader.exe, bJLBJJiOps.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'bivKevTybFCvNV', 'gJXZTMvkOVpH', 'lwrzJpOQYfAJRd', 'MYOxgfdYrQZcfy', 'ooneMeODmYGNI', 'WPCiHYqHsbJI'
Source: loader.exe, RHxDmhGvQNRS.cs	High entropy of concatenated method names: 'iMuWkPBrMs', 'LouCbBjQcSXtT', 'GmKMcbBYXf', 'npYmjlEOOsyn', 'TOdAqyKS', 'EddqfkQhmROZ', 'MKdsgTeFZIzGsN', 'AhZUKMkvJsGUxgF', 'YefCSWyRroVfU', 'kmWSgEruObcP'
Source: loader.exe, vRaSIojti.cs	High entropy of concatenated method names: 'MMyPiBeqb', 'YvlySdePnRnR', 'WYXkjTzkhwSerUS', 'TcAzdmzfc', 'eJUGQWvS', 'qLQuXbvrzSTa', 'MFTpmRQkZ', 'HjopQbfwjZsbyC', 'dXiuANIZVxPmb', 'dBrRUJLjmeQTV'
Source: loader.exe, qlllUayZ.cs	High entropy of concatenated method names: 'nDqpbiTIXcjysbS', 'xLZCmzqGJekfR', 'xWpkbbUiT', 'SeRHNExKSyXOZW', 'nMkgxyoqO', 'MJHArROskjHh', 'sEgaMSlixSanO', 'CWqenDcBvpKah', 'WpmDFdrbQ', 'bYcwOqhMcgM'
Source: loader.exe, jqEtvsjElPJ.cs	High entropy of concatenated method names: 'MBsrdtNdDnnnssD', 'yjJHPGFvwaFtUbd', 'BUnXwZdGUkSv', 'RBConFCG', 'jGvwvCnT', 'cKMmXEfAZ', 'CmfoJteY', 'FgVbUzlh', 'zebSBbqlqedx', 'mgwDQESlD'
Source: loader.exe, stTBaitjo.cs	High entropy of concatenated method names: 'ruArbZIzucGR', 'rrFsytWtuoXzRVh', 'phuVaErvy', 'LVbRSCawcKVpvpS', 'wFcsKDaqEuMvW', 'AJuDiASdVVYUtW', 'AmEDoHlTFkHukN', 'qeapKLvsGRT', 'kHTpJECEHHs', 'fPpoSaFhPxeuu'
Source: loader.exe, iWpfJXRBcsiSe.cs	High entropy of concatenated method names: 'iDxSBFvrvsGMhGy', 'TZSUYCtgTBWivcC', 'cNIOprwB', 'rawYwqLDiYJzJX', 'JQyAjNvTqEkT', 'kEbcRggbxIWKKeM', 'sCSpcFYt', 'RawHFUMWOSdwghd', 'ELIbpZiiPxBReU', 'gihAFkUrnKow'
Source: loader.exe, OSwSXnJrgr.cs	High entropy of concatenated method names: 'MVwseiwerfsLHEK', 'diLKteoarZc', 'MKPnMAGddAJmVu', 'kWGoNNSfJVgCi', 'WAEGERgPEzGy', 'rdZYozsDDlkPe', 'fGSfyXxHAEgRcEV', 'GiOgaCjwrC', 'cSPTrZXBJmUHbj', 'dVsXWoimeCAyT'
Source: loader.exe, rUGHQDGuDhlrp.cs	High entropy of concatenated method names: 'DGbfasnCP', 'wTzQCjOM', 'nBNiJlAchsgSBWb', 'oaUVYuoEFKwDp', 'TSYtBJpYSuZPFK', 'huxXiOJtratNJ', 'yowmpYOuIVRs', 'IavIodUYPz', 'GeKYgSIwgvTF', 'dQmVnmcGqyBT'
Source: loader.exe, leMxQLftuJ.cs	High entropy of concatenated method names: 'HlxmVSABVQitbYc', 'lprSGMWJnLkxf', 'rWSUITiA', 'pVMbzCllZ', 'ctDCqruOnzKiDV', 'YMaHPJAkeC', 'tkWHCaKKCLnTcdN', 'uBAHSqLb', 'KdKebJZAtxKsgw', 'XsTEltyeBEGjd'
Source: loader.exe, FDdCFtRGHOCQM.cs	High entropy of concatenated method names: 'xvgOgzkICCM', 'alQnzCmA', 'IjLxzlUbA', 'gwfECITpA', 'xAbqDSgp', 'OAeLNoMURhO', 'gCufFvhNff', 'lzKIIVtgFe', 'mHCkRPqnC', 'mlRygKyXy'
Source: loader.exe, dzYeBNghHSwLaeT.cs	High entropy of concatenated method names: 'eyApHeFUmp', 'LMJeNuOcJaMS', 'DXizEMHkncCoIv', 'zuDrMmVUxnjQLB', 'nRgNljwGQ', 'hqXkHpFzYdO', 'UFBiDkMVvvi', 'okIuKHComSev', 'kqxeRnYvQwaLDgL', 'vdlHuvWhKpRaakC'
Source: loader.exe, MAaNXHPtUGPA.cs	High entropy of concatenated method names: 'nowExJDNPXzUVOc', 'hnlgCLUP', 'XkwKAhfrk', 'xgBjowRxdat', 'tmnnTeTv', 'UgvaZHDOqTcl', 'fZgDxjlOroPVqJ', 'NNBYovdzFJO', 'OimGQRCHNHQgjK', 'crfEjyfAcS'
Source: loader.exe, WuwjxQjqxxhUmd.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'SrujlyRTX', 'xAYrtwqqMzfFBlj', 'nptNDudrkHXbxsF', 'YnzPLzDAqead', 'MpIAmLcaKsDX', 'HlZPtUuFhOmTo', 'ltWZTAOXSOaLhc', 'NuvserSa', 'lGiXfbWhyXqg'
Source: loader.exe, JOBvRAQMqQTcJE.cs	High entropy of concatenated method names: 'zZdmUzNmubXYo', 'oitNwaBDwihoKSu', 'NhOLExpVB', 'wbHTtbbSCiaONd', 'wdvFgousnNpKd', 'qsYMHeavcoFMsQ', 'hzUkaHUuQ', 'ABiTGDRybLp', 'CGzKBAGz', 'wdgGOVZCjWy'
Source: loader.exe, NFoBFrADgPEd.cs	High entropy of concatenated method names: 'ipbFuUOMvyKyLDD', 'TFwlCnlNEsxpD', 'kFIWOmEBKMORRHe', 'tnxRNKIs', 'vDNBCXZIwNFpppR', 'SukWlWejByJsm', 'axQbSiqzIopIU', 'YMExfiuPYVJZZez', 'NhWKnHZN', 'jrSlvhcBkKo'
Source: loader.exe, xFNjOTRQu.cs	High entropy of concatenated method names: 'GWhsVCIFTV', 'DHvhHiry', 'cHCpapiwzNERa', 'VUoCOBeSWGHtyR', 'HkZSJkzU', 'SfUMFGRndQaMSg', 'wGKlvhgrQusc', 'zQFWAvkigRMP', 'UPhrpoEwVCaOZL', 'oESNenoMKDMXw'
Source: loader.exe, sQBzIOKx.cs	High entropy of concatenated method names: 'SqaFaHxmOfGyT', 'GccuePvdV', 'QyZoyyBcIzy', 'tPpPpwPHvCZFuW', 'TfimpUGpbhIo', 'ddpUMPiMFO', 'zNOYNZTtbSh', 'aNJVnaOigHzdRME', 'eoTOQInbGibBOPM', 'vgPGCtvmrgtrOlG'
Source: loader.exe, gnWfyphMe.cs	High entropy of concatenated method names: 'xezAuLbmi', 'BooPEUKzBQ', 'ugAUtRWU', 'FueFmCvKGPAnHqG', 'zHbdfiLNCDxygA', 'ERnJGKicBZzsmQR', 'puctJvrOWjQCj', 'xeFUvVUh', 'hRfZDfpYwkQHDDH', 'JaYnWtfswcVnR'
Source: loader.exe, hpWbfDQQRNsZfQ.cs	High entropy of concatenated method names: 'NcYduEtdsEvPIS', 'tGlOgieSM', 'VTIVMproyoIFKv', 'nLdXjnHxFTmoQ', 'IiJMmZklIgOEa', 'eDnvpesWB', 'cDNWDBZBbEpGztX', 'ACDxJfMyTCf', 'zlrmgOjjLNiGGN', 'WTXEuYSeqTDl'

Source: C:\Users\user\Desktop\loader.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\loader.exe	Memory allocated: 820000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Memory allocated: 1A570000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	Window / User API: threadDelayed 1896			Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Window / User API: threadDelayed 7890			Jump to behavior

Source: C:\Users\user\Desktop\loader.exe TID: 2172

Thread sleep time: -35971150943733603s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\loader.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\loader.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: loader.exe, 00000000.00000002.3916317395.0000000002571000.00000004.00000800.00020000.00000000.sdmp, loader.exe, 00000000.00000002.3916317395.000000000292D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Hypervisor Logical Processor
Source: loader.exe, 00000000.00000002.3920652540.000000001B185000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Servicelb
Source: loader.exe, 00000000.00000002.3921080245.000000001C269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: loader.exe, 00000000.00000002.3921488383.000000001CC80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer I
Source: loader.exe, 00000000.00000002.3920652540.000000001B1CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: loader.exe, 00000000.00000002.3916317395.0000000002571000.00000004.00000800.00020000.00000000.sdmp, loader.exe, 00000000.00000002.3916317395.000000000292D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V Virtual Machine Bus Pipes
Source: loader.exe, 00000000.00000002.3921080245.000000001C269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: loader.exe, 00000000.00000002.3920652540.000000001B1CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service8
Source: loader.exe, 00000000.00000002.3916317395.0000000002571000.00000004.00000800.00020000.00000000.sdmp, loader.exe, 00000000.00000002.3916317395.000000000292D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *Hyper-V Dynamic Memory Integration Service
Source: loader.exe, 00000000.00000002.3921028984.000000001C1F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: loader.exe, 00000000.00000002.3920652540.000000001B185000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: loader.exe, 00000000.00000002.3921080245.000000001C269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor:o
Source: loader.exe, 00000000.00000002.3920543632.000000001B160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V hkwxlfuauvtyfti Bus
Source: loader.exe, 00000000.00000002.3921488383.000000001CC2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot(
Source: loader.exe, 00000000.00000002.3916317395.0000000002571000.00000004.00000800.00020000.00000000.sdmp, loader.exe, 00000000.00000002.3916317395.000000000292D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: loader.exe, 00000000.00000002.3916317395.0000000002571000.00000004.00000800.00020000.00000000.sdmp, loader.exe, 00000000.00000002.3916317395.000000000292D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V Hypervisor Root Partition
Source: loader.exe, 00000000.00000002.3916040580.000000000070A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: prlVideoMode
Source: loader.exe, 00000000.00000002.3916317395.0000000002571000.00000004.00000800.00020000.00000000.sdmp, loader.exe, 00000000.00000002.3916317395.000000000292D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )Hyper-V Hypervisor Root Virtual Processor
Source: loader.exe, 00000000.00000002.3916317395.0000000002571000.00000004.00000800.00020000.00000000.sdmp, loader.exe, 00000000.00000002.3916317395.000000000292D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: loader.exe, 00000000.00000002.3921488383.000000001CC80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition.dll
Source: loader.exe, 00000000.00000002.3916040580.000000000070A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V hkwxlfuauvtyfti Bus PipesE4

Source: C:\Users\user\Desktop\loader.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: loader.exe, 00000000.00000002.3921488383.000000001CC6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwCW0eeYoUMEZEqriUAHIBGfpWe6GtSCNGK508zZkXG1iNw54/Hr+FUitfZ4Z7/L+t2fn2KaTVu7/rZGfIlU5UrWdc1WkhB6V2JXJp1LGJKlU3FbM9s3PFZ0sJGeKrkZ6VGomU8UU7bRS5TquehRyMImJlmSUScAMcEDPzZ9fT61ERV6ZZFiYNJCwJQkIcnlSR7d+feqjLXJQSUdD5uvJ8yTZWcVA1WnWq7p611RFBlhLSLClmY5qjrkEENqjRqAxbBNaAaHag8xcgevtWXr5UW0W0n7x/lTjN817ndRjeSsc2etFN70VXMepY9IkG2Nv9DEXK/NuJx8vT8etV2NTSND5bCOeZySh2sCAfl5/I8D2qsxrio35T5uslz6f1r5EUhqpKwFWJDVKY1smXSiVZ5iM44rLuJGbgsSPTNXZjWdMaq56tCKK+aKSinc7j3P4ckj4e6Tg/wy/wDoxq6XxCB/wiuq8D/jym/9ANFFfCPc+kXwnybZkkkHkb/8ay7o4uph/tn+dFFaLcx6EBJ9av2fKAHkYPH4GiirKRSYncfrRRRQUf/Z<@><@>69920C631FC2FB8D6D45305<@>user<@>878411<@>298lmcEY<@>false<@>Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz @ 4<@>AN2HV<@>8GB<@>1GB<@>28 %<@>40 %<@>Microsoft Windows 10 Pro 64-bit<@>2.6<@>04.10.2023<@>Admin<@>Windows Defender<@>Program Manager
Source: loader.exe, 00000000.00000002.3916317395.00000000027D3000.00000004.00000800.00020000.00000000.sdmp, loader.exe, 00000000.00000002.3921080245.000000001C22B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: loader.exe, 00000000.00000002.3916317395.00000000027D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: loader.exe, 00000000.00000002.3916317395.00000000027D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Connecting<@>/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAyADIDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwCW0eeYoUMEZEqriUAHIBGfpWe6GtSCNGK508zZkXG1iNw54/Hr+FUitfZ4Z7/L+t2fn2KaTVu7/rZGfIlU5UrWdc1WkhB6V2JXJp1LGJKlU3FbM9s3PFZ0sJGeKrkZ6VGomU8UU7bRS5TquehRyMImJlmSUScAMcEDPzZ9fT61ERV6ZZFiYNJCwJQkIcnlSR7d+feqjLXJQSUdD5uvJ8yTZWcVA1WnWq7p611RFBlhLSLClmY5qjrkEENqjRqAxbBNaAaHag8xcgevtWXr5UW0W0n7x/lTjN817ndRjeSsc2etFN70VXMepY9IkG2Nv9DEXK/NuJx8vT8etV2NTSND5bCOeZySh2sCAfl5/I8D2qsxrio35T5uslz6f1r5EUhqpKwFWJDVKY1smXSiVZ5iM44rLuJGbgsSPTNXZjWdMaq56tCKK+aKSinc7j3P4ckj4e6Tg/wy/wDoxq6XxCB/wiuq8D/jym/9ANFFfCPc+kXwnybZkkkHkb/8ay7o4uph/tn+dFFaLcx6EBJ9av2fKAHkYPH4GiirKRSYncfrRRRQUf/Z<@><@>69920C631FC2FB8D6D45305<@>user<@>878411<@>298lmcEY<@>false<@>Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz @ 4<@>AN2HV<@>8GB<@>1GB<@>28 %<@>40 %<@>Microsoft Windows 10 Pro 64-bit<@>2.6<@>04.10.2023<@>Admin<@>Windows Defender<@>Program Manager
Source: loader.exe, 00000000.00000002.3916317395.00000000027D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Connecting<@>/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAyADIDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwCW0eeYoUMEZEqriUAHIBGfpWe6GtSCNGK508zZkXG1iNw54/Hr+FUitfZ4Z7/L+t2fn2KaTVu7/rZGfIlU5UrWdc1WkhB6V2JXJp1LGJKlU3FbM9s3PFZ0sJGeKrkZ6VGomU8UU7bRS5TquehRyMImJlmSUScAMcEDPzZ9fT61ERV6ZZFiYNJCwJQkIcnlSR7d+feqjLXJQSUdD5uvJ8yTZWcVA1WnWq7p611RFBlhLSLClmY5qjrkEENqjRqAxbBNaAaHag8xcgevtWXr5UW0W0n7x/lTjN817ndRjeSsc2etFN70VXMepY9IkG2Nv9DEXK/NuJx8vT8etV2NTSND5bCOeZySh2sCAfl5/I8D2qsxrio35T5uslz6f1r5EUhqpKwFWJDVKY1smXSiVZ5iM44rLuJGbgsSPTNXZjWdMaq56tCKK+aKSinc7j3P4ckj4e6Tg/wy/wDoxq6XxCB/wiuq8D/jym/9ANFFfCPc+kXwnybZkkkHkb/8ay7o4uph/tn+dFFaLcx6EBJ9av2fKAHkYPH4GiirKRSYncfrRRRQUf/Z<@><@>69920C631FC2FB8D6D45305<@>user<@>878411<@>298lmcEY<@>false<@>Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz @ 4<@>AN2HV<@>8GB<@>1GB<@>28 %<@>40 %<@>Microsoft Windows 10 Pro 64-bit<@>2.6<@>04.10.2023<@>Admin<@>Windows Defender<@>Program Manager@
Source: loader.exe, 00000000.00000002.3916317395.00000000027D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2!
Source: loader.exe, 00000000.00000002.3916317395.00000000027D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAyADIDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwCW0eeYoUMEZEqriUAHIBGfpWe6GtSCNGK508zZkXG1iNw54/Hr+FUitfZ4Z7/L+t2fn2KaTVu7/rZGfIlU5UrWdc1WkhB6V2JXJp1LGJKlU3FbM9s3PFZ0sJGeKrkZ6VGomU8UU7bRS5TquehRyMImJlmSUScAMcEDPzZ9fT61ERV6ZZFiYNJCwJQkIcnlSR7d+feqjLXJQSUdD5uvJ8yTZWcVA1WnWq7p611RFBlhLSLClmY5qjrkEENqjRqAxbBNaAaHag8xcgevtWXr5UW0W0n7x/lTjN817ndRjeSsc2etFN70VXMepY9IkG2Nv9DEXK/NuJx8vT8etV2NTSND5bCOeZySh2sCAfl5/I8D2qsxrio35T5uslz6f1r5EUhqpKwFWJDVKY1smXSiVZ5iM44rLuJGbgsSPTNXZjWdMaq56tCKK+aKSinc7j3P4ckj4e6Tg/wy/wDoxq6XxCB/wiuq8D/jym/9ANFFfCPc+kXwnybZkkkHkb/8ay7o4uph/tn+dFFaLcx6EBJ9av2fKAHkYPH4GiirKRSYncfrRRRQUf/Z<@><@>69920C631FC2FB8D6D45305<@>user<@>878411<@>298lmcEY<@>false<@>Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz @ 4<@>AN2HV<@>8GB<@>1GB<@>28 %<@>40 %<@>Microsoft Windows 10 Pro 64-bit<@>2.6<@>04.10.2023<@>Admin<@>Windows Defender<@>Program Manager
Source: loader.exe, 00000000.00000002.3921080245.000000001C22B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: loader.exe, 00000000.00000002.3921080245.000000001C22B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows'>

Source: C:\Users\user\Desktop\loader.exe

Queries volume information: C:\Users\user\Desktop\loader.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	2 Windows Service	2 Windows Service	1 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	251 Virtualization/Sandbox Evasion	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
loader.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
loader.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
co-updated.gl.at.ply.gg	147.185.221.24	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	loader.exe, 00000000.00000002.3916317395.0000000002571000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.24	co-updated.gl.at.ply.gg	United States		12087	SALSGIVERUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585383
Start date and time:	2025-01-07 15:49:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	loader.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 12 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiApSrv.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 4.245.163.56, 23.1.237.91
Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: loader.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.24	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse
	SharkHack.exe	Get hash	malicious	XWorm	Browse
	avaydna.exe	Get hash	malicious	Njrat	Browse
	ddos tool.exe	Get hash	malicious	XWorm	Browse
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse
	ANuh30XoVu.exe	Get hash	malicious	XWorm	Browse
	p59UXHJRX3.exe	Get hash	malicious	XenoRAT	Browse
	JdYlp3ChrS.exe	Get hash	malicious	Njrat	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	My33xbeYIX.exe	Get hash	malicious	Njrat	Browse	147.185.221.16
	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	sela.exe	Get hash	malicious	Njrat	Browse	147.185.221.17
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	SharkHack.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	avaydna.exe	Get hash	malicious	Njrat	Browse	147.185.221.24
	ddos tool.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	L988Ph5sKX.exe	Get hash	malicious	XWorm	Browse	147.185.221.24

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.311958825841602
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	loader.exe
File size:	558'592 bytes
MD5:	0fd9836e2142bc85ced43d8316650b6c
SHA1:	17ad9773af8f56332d728f94890d9f5a37ec5d03
SHA256:	b870c9ee4b011fdb66b100275c583a3dc2e5884af31a4819f4b484ef839253fb
SHA512:	e1beadb41cf88827b33b607c05c30db24d8066238a64031c5b8a1ad8310ee582e988b175512deddedcf84885a73ccef736104fb65f757194bda1eabf43648905
SSDEEP:	6144:o8RFsUOLYDm0ZnDVd7skTpd9qLS5VAsslKsbl0XC1Ipn3GcG:o8RFsSDmAnHVdsKKoDKIpn2c
TLSH:	3DC4B20CFE81F804DE1A3DB7CFE911004B7165C1AE1296863169AFFD8B6637259E267C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...oA............"...0..\|............... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x489ade
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x89a8c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x87ae4	0x87c00	bd74df3307839ee12353c8a0c15892bb	False	0.40618885244014735	data	5.317887837129265	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x596	0x600	757bb0ae9db13f8eddbcbc4febdd91d5	False	0.4127604166666667	data	4.028920590135457	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	167380b7d8fffc44240583be92b1d0f6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8a0a0	0x30c	data			0.4269230769230769
RT_MANIFEST	0x8a3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 15:50:52.687015057 CET	49707	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:50:52.691859961 CET	48428	49707	147.185.221.24	192.168.2.5
Jan 7, 2025 15:50:52.691922903 CET	49707	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:50:59.618957043 CET	49707	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:50:59.623769999 CET	48428	49707	147.185.221.24	192.168.2.5
Jan 7, 2025 15:50:59.623837948 CET	49707	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:50:59.628635883 CET	48428	49707	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:13.771951914 CET	49707	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:13.776700020 CET	48428	49707	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:13.776782036 CET	49707	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:13.781527042 CET	48428	49707	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:14.079828978 CET	48428	49707	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:14.079904079 CET	49707	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:14.131310940 CET	49707	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:14.136142969 CET	48428	49707	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:15.037652969 CET	49847	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:15.042515039 CET	48428	49847	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:15.042589903 CET	49847	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:15.191675901 CET	49847	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:15.198689938 CET	48428	49847	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:15.198754072 CET	49847	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:15.203588963 CET	48428	49847	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:27.927720070 CET	49847	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:27.932663918 CET	48428	49847	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:27.932751894 CET	49847	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:27.937575102 CET	48428	49847	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:36.422301054 CET	48428	49847	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:36.422403097 CET	49847	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:36.422780037 CET	49847	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:36.427901983 CET	49977	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:36.429574966 CET	48428	49847	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:36.433535099 CET	48428	49977	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:36.433619976 CET	49977	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:36.467936039 CET	49977	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:36.472755909 CET	48428	49977	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:36.472851992 CET	49977	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:36.477648973 CET	48428	49977	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:48.661876917 CET	49977	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:48.666806936 CET	48428	49977	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:48.666908026 CET	49977	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:48.671719074 CET	48428	49977	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:57.832747936 CET	48428	49977	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:57.832839966 CET	49977	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:57.833295107 CET	49977	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:57.838052034 CET	48428	49977	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:57.865338087 CET	49985	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:57.870147943 CET	48428	49985	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:57.870264053 CET	49985	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:57.906491041 CET	49985	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:57.911380053 CET	48428	49985	147.185.221.24	192.168.2.5
Jan 7, 2025 15:51:57.911454916 CET	49985	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:51:57.916244984 CET	48428	49985	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:11.661804914 CET	49985	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:11.666662931 CET	48428	49985	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:11.666793108 CET	49985	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:11.671586037 CET	48428	49985	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:19.250688076 CET	48428	49985	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:19.250824928 CET	49985	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:19.251331091 CET	49985	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:19.256186962 CET	48428	49985	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:19.662471056 CET	49986	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:19.667428017 CET	48428	49986	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:19.667560101 CET	49986	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:19.719147921 CET	49986	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:19.724087000 CET	48428	49986	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:19.724209070 CET	49986	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:19.729082108 CET	48428	49986	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:34.771151066 CET	49986	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:34.776010036 CET	48428	49986	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:34.776091099 CET	49986	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:34.780869961 CET	48428	49986	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:41.051862955 CET	48428	49986	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:41.051970959 CET	49986	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:41.052546978 CET	49986	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:41.057374954 CET	48428	49986	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:41.380825043 CET	49987	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:41.385703087 CET	48428	49987	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:41.385843992 CET	49987	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:41.425744057 CET	49987	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:41.430520058 CET	48428	49987	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:41.430604935 CET	49987	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:41.435394049 CET	48428	49987	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:57.020849943 CET	49987	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:57.025635004 CET	48428	49987	147.185.221.24	192.168.2.5
Jan 7, 2025 15:52:57.025722027 CET	49987	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:52:57.030461073 CET	48428	49987	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:02.767570019 CET	48428	49987	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:02.767740011 CET	49987	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:02.768268108 CET	49987	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:02.773003101 CET	48428	49987	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:03.318068027 CET	49988	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:03.323076963 CET	48428	49988	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:03.323199034 CET	49988	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:03.360165119 CET	49988	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:03.365034103 CET	48428	49988	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:03.365104914 CET	49988	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:03.369858027 CET	48428	49988	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:16.559366941 CET	49988	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:16.564316988 CET	48428	49988	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:16.564428091 CET	49988	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:16.569307089 CET	48428	49988	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:24.709299088 CET	48428	49988	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:24.709436893 CET	49988	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:24.710103035 CET	49988	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:24.715647936 CET	48428	49988	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:24.943489075 CET	49989	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:24.948329926 CET	48428	49989	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:24.948441029 CET	49989	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:25.000798941 CET	49989	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:25.005575895 CET	48428	49989	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:25.005676031 CET	49989	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:25.010487080 CET	48428	49989	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:38.598819971 CET	49989	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:38.603640079 CET	48428	49989	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:38.603832960 CET	49989	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:38.608638048 CET	48428	49989	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:42.629842043 CET	49989	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:42.634630919 CET	48428	49989	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:42.635673046 CET	49989	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:42.640471935 CET	48428	49989	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:42.715466022 CET	49989	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:42.720366001 CET	48428	49989	147.185.221.24	192.168.2.5
Jan 7, 2025 15:53:42.722157001 CET	49989	48428	192.168.2.5	147.185.221.24
Jan 7, 2025 15:53:42.727061987 CET	48428	49989	147.185.221.24	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 15:50:52.643752098 CET	64587	53	192.168.2.5	1.1.1.1
Jan 7, 2025 15:50:52.677295923 CET	53	64587	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 15:50:52.643752098 CET	192.168.2.5	1.1.1.1	0x234e	Standard query (0)	co-updated.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 15:50:52.677295923 CET	1.1.1.1	192.168.2.5	0x234e	No error (0)	co-updated.gl.at.ply.gg		147.185.221.24	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:50:33
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\loader.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\loader.exe"
Imagebase:	0x160000
File size:	558'592 bytes
MD5 hash:	0FD9836E2142BC85CED43D8316650B6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848F11448 Relevance: 4.0, Strings: 2, Instructions: 1453COMMON

Download Yara Rule

Strings

FN_H, xrefs: 00007FF848F1F86D
-N_H, xrefs: 00007FF848F1F76F

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID: -N_H$FN_H
API String ID: 0-707270156
Opcode ID: 5c6244f3ae6d1930113ce181d5313acaf1213bc786a5f8c41db9eb98ecd16c93
Instruction ID: cd3e5c64acce8a866cc1835e2a51d11e350e97d6d93e07249d2a6c82181fdec1
Opcode Fuzzy Hash: 5c6244f3ae6d1930113ce181d5313acaf1213bc786a5f8c41db9eb98ecd16c93
Instruction Fuzzy Hash: 16A22631E1E5065FEB68F72888562B932D1EF54794F540279E80DC32C7EF1CAC0A879A

Function 00007FF848F196A1 Relevance: 2.5, Strings: 1, Instructions: 1250COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848F19898

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: af8d2104a7c5b12d9eb1b4233e1e9273892d65dd67f76a455b7d5cd45c81108f
Instruction ID: bc15290f273824eed600cdecb6545e65b307d14a03197c065666940a789e763a
Opcode Fuzzy Hash: af8d2104a7c5b12d9eb1b4233e1e9273892d65dd67f76a455b7d5cd45c81108f
Instruction Fuzzy Hash: A382E631E0D6C60FFB67B72488551B87BA0EF52390F9801BAC489C75D7DB1D6C4A839A

Function 00007FF848F1EB0B Relevance: 2.4, Strings: 1, Instructions: 1175COMMON

Download Yara Rule

Strings

-N_H, xrefs: 00007FF848F1F76F

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID: -N_H
API String ID: 0-1279033356
Opcode ID: dabed221bc3ebeb5fbae8c82beed9f65255c8878f6b1919fe085b3fb55af7df6
Instruction ID: 9fa85922ac4a29fac9492c5087cbeb5eb2830ee0ea704d3f2511b2c56dae18b3
Opcode Fuzzy Hash: dabed221bc3ebeb5fbae8c82beed9f65255c8878f6b1919fe085b3fb55af7df6
Instruction Fuzzy Hash: 3982B331E2E5065FFB58F72888562793291EF64794F540279E80DC32C7FF1CAC1A869A

Function 00007FF848F1BAE8 Relevance: 2.2, Strings: 1, Instructions: 904
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FF848F1C27C

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 383d119c156536dad0d27461fcf3e0f05b86a47baeeaaff81878170835b82368
Instruction ID: 0646691af0a713a87f6210cb6d25e44c7478c6e74342c05f872edee8e8a1e284
Opcode Fuzzy Hash: 383d119c156536dad0d27461fcf3e0f05b86a47baeeaaff81878170835b82368
Instruction Fuzzy Hash: F562D431D6E2864FE756B33888551B97BA0DF56794F0902FAD08CC71D3EE1C6C0A8796

Function 00007FF848F1C681 Relevance: 1.7, Strings: 1, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

E, xrefs: 00007FF848F1C916

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: c7202deff622fb8063fa00aa415f29c90b1db280feeba4d625221d8846338360
Instruction ID: f319dbbbc88a53e7e96ce2b4524a4f93058852337beff3d778e398e56ae26caa
Opcode Fuzzy Hash: c7202deff622fb8063fa00aa415f29c90b1db280feeba4d625221d8846338360
Instruction Fuzzy Hash: ECE1F272D0D18A4EFB69B76898552B93BA0EF61390F5401BAC44CD71D3FF1C6C0A879A

Function 00007FF848F1E9AD Relevance: 1.6, APIs: 1, Instructions: 128
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00007FF848F1EA84

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 84a7930f3abf35ea3607735e339c0b5425304b07092d1f7e8555b93cbd99da08
Instruction ID: ca7c6eed9afab191f4606620a7dafd72c8b72cb2439b0d652e220e89393a7749
Opcode Fuzzy Hash: 84a7930f3abf35ea3607735e339c0b5425304b07092d1f7e8555b93cbd99da08
Instruction Fuzzy Hash: D431B57191CB4C8FDB58DB5C98066ED7BE1EB99320F00426FE449D3292CF75A8458BC6

Function 00007FF848F210A5 Relevance: 1.6, Strings: 1, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FF848F210B8

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 2f2c984ccae7d6503ea14f6bd69e129b7c38204f51f95eef87fa69f1c7e8d641
Instruction ID: 92e3cb2fbb28236136d086ce5c56227254d17b7c8a6440032dbfc56473019c82
Opcode Fuzzy Hash: 2f2c984ccae7d6503ea14f6bd69e129b7c38204f51f95eef87fa69f1c7e8d641
Instruction Fuzzy Hash: C3A1FA32D1D6864FE756F7A8A8155B4BBE0EF163A0F0905B7C048CB1E3DB2E6845C35A

Function 00007FF848F210D8 Relevance: .6, Instructions: 560
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4845bff1d1441b66311020695d8d494d2db5bd55efd3d51bea693e931a50c1
Instruction ID: 18e499f9f4f9d05bf1ff8fb625530c8e0b42d5bffb271bab76de7a39b1705e6d
Opcode Fuzzy Hash: 2b4845bff1d1441b66311020695d8d494d2db5bd55efd3d51bea693e931a50c1
Instruction Fuzzy Hash: A8029231D0E6C64FF766E7A4A8156747FA0AF12390F1904F7D058CB1E3DB2E6849835A

Function 00007FF848F17236 Relevance: .5, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcbb7f87b5a25c1015f46a9d8ad37e74eeee2a796f57eb4f53cfd04e845fa7a3
Instruction ID: 1f05b74a982ef38d2920caa1c5c817c06edbfe3d423c48295226d00142aa7be9
Opcode Fuzzy Hash: dcbb7f87b5a25c1015f46a9d8ad37e74eeee2a796f57eb4f53cfd04e845fa7a3
Instruction Fuzzy Hash: DCF1923091CA8D8FEBA8EF28C8557E97BE1FF54350F04426EE84DC7295DB3499458B82

Function 00007FF848F17FE2 Relevance: .5, Instructions: 459
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331dfc5181ed06da9ada0c8e5539673e2ccfcdecab12d887f2ca1db4cffe57ff
Instruction ID: 34ba940efe2b957074b6f0fe318ea21dab801ed54c0fd4efe07a070248c19a67
Opcode Fuzzy Hash: 331dfc5181ed06da9ada0c8e5539673e2ccfcdecab12d887f2ca1db4cffe57ff
Instruction Fuzzy Hash: D6E1B03091CA8E8FEBA8EF28C8557E977E1FF54350F54426ED84DC7291CB78A8448B85

Function 00007FF848F1BD4B Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff113b2225774c4d4bbc80267548527a6b1d5498c17ad5854a17814360e2742
Instruction ID: fa6d318c65c9c850b4aed1241660defb9bb2a8c753a4bf3aad5e011b7ab988eb
Opcode Fuzzy Hash: 0ff113b2225774c4d4bbc80267548527a6b1d5498c17ad5854a17814360e2742
Instruction Fuzzy Hash: 1DD1B131E7D5074EFBAAB338881627A7180DF64795F5416B8E44CC21D6FE1CAC1A87C6

Function 00007FF848F13440 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f84869ecc41e98698a3d5fa260c4a383e8c76614fa8a77390ee8061f5687c11
Instruction ID: c5c5877fd8e2fdfd9546ace81799ddcf29911a8856b2350f88dfbf31f63aed50
Opcode Fuzzy Hash: 3f84869ecc41e98698a3d5fa260c4a383e8c76614fa8a77390ee8061f5687c11
Instruction Fuzzy Hash: 4EE16F3191D3D30EE76B632888651657F609F53784F1901FBC5C9CB1E3EA1D6C1A83AA

Non-executed Functions

Function 00007FF848F102FD Relevance: 3.0, Strings: 2, Instructions: 530COMMON

Download Yara Rule

Strings

O_^<, xrefs: 00007FF848F1077A
O_^:, xrefs: 00007FF848F10772

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID: O_^:$O_^<
API String ID: 0-648948556
Opcode ID: a4874df344507d70b57002a135cc8d9971e9b3b54da6fea65361c9075d15847d
Instruction ID: cb850fd44fadd0f3d823ecc071fddc7566284d46507f86367907c7fe1d2402c6
Opcode Fuzzy Hash: a4874df344507d70b57002a135cc8d9971e9b3b54da6fea65361c9075d15847d
Instruction Fuzzy Hash: C2E1EC17A1F5A2AAE25173B974550FA6B60FFC13B9F084677D18C8D0C39E0C688A42FD

Function 00007FF848F19CB1 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3922225138.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4703d0c96efa688e46ed134d1dcab64fc946ac4ea0de8d81cd01fa3515080815
Instruction ID: 26aa72bcd57616653fb08a96d55e4d3ccbfc47fb96fbaea512fcdf2b570c091d
Opcode Fuzzy Hash: 4703d0c96efa688e46ed134d1dcab64fc946ac4ea0de8d81cd01fa3515080815
Instruction Fuzzy Hash: 16418D31E0C2970EF7ABB32484552B53A909F51385FD445BAD48CC78DBEB0D6C6E42EA

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
loader.exe

Function 00007FF848F1BAE8 Relevance: 2.2, Strings: 1, Instructions: 904
COMMON

Function 00007FF848F1C681 Relevance: 1.7, Strings: 1, Instructions: 435
COMMON

Function 00007FF848F1E9AD Relevance: 1.6, APIs: 1, Instructions: 128
nativeCOMMON

Function 00007FF848F210A5 Relevance: 1.6, Strings: 1, Instructions: 321
COMMON

Function 00007FF848F210D8 Relevance: .6, Instructions: 560
COMMON

Function 00007FF848F17236 Relevance: .5, Instructions: 473
COMMON

Function 00007FF848F17FE2 Relevance: .5, Instructions: 459
COMMON