Edit tour

Windows Analysis Report
msvcp110.dll

Overview

General Information

Sample name:	msvcp110.dll
Analysis ID:	1541478
MD5:	740c3417929730c4ae20e0165aa94b7c
SHA1:	d03cebc7b1172149f65b06f15b0fbb11512f5b88
SHA256:	8e200e4aca363cc2be03121815ec03525f1d983f717f67b63241028c59cb0bde
Tags:	dlluser-aachum
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking computer name)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6480 cmdline: loaddll32.exe "C:\Users\user\Desktop\msvcp110.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5832 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5960 cmdline: rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

aspnet_regiis.exe (PID: 5092 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 5960 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1260 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 2404 cmdline: rundll32.exe C:\Users\user\Desktop\msvcp110.dll,GetGameData MD5: 889B99C52A60DD49227C5E485A016679)

aspnet_regiis.exe (PID: 4488 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 5920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1244 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5344 cmdline: rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",GetGameData MD5: 889B99C52A60DD49227C5E485A016679)

aspnet_regiis.exe (PID: 5276 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 1444 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1268 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://95.217.125.57/2f571d994666c8cb.php", "Botnet": "36495972654"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000006.00000002.2409698695.0000000003027000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000A.00000002.2661356120.000000000321A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000007.00000002.2655450967.000000000309A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000006.00000002.2408845959.00000000007DA000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 4488	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 4488	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 5092	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 5092	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 5276	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 5276	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.aspnet_regiis.exe.3000000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
6.2.aspnet_regiis.exe.740000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
10.2.aspnet_regiis.exe.3180000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
6.2.aspnet_regiis.exe.740000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
7.2.aspnet_regiis.exe.3000000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
10.2.aspnet_regiis.exe.3180000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 10.2.aspnet_regiis.exe.3180000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://95.217.125.57/2f571d994666c8cb.php", "Botnet": "36495972654"}

Multi AV Scanner detection for submitted file

Source: msvcp110.dll

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: msvcp110.dll

Joe Sandbox ML: detected

Source: msvcp110.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: msvcp110.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://95.217.125.57/2f571d994666c8cb.php

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 95.217.125.57Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 95.217.125.57Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 95.217.125.57Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 95.217.125.57 95.217.125.57

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.125.57

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 95.217.125.57Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 95.217.125.57Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 95.217.125.57Connection: Keep-AliveCache-Control: no-cache

Source: aspnet_regiis.exe, 00000006.00000002.2409698695.0000000003027000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57
Source: aspnet_regiis.exe, 00000007.00000002.2655920781.000000000359C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000002.2661808078.000000000355D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/
Source: aspnet_regiis.exe, 00000007.00000002.2655920781.000000000359C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/.
Source: aspnet_regiis.exe, 00000007.00000002.2655920781.000000000359C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/1
Source: aspnet_regiis.exe, 0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/2=
Source: aspnet_regiis.exe, 0000000A.00000002.2661808078.000000000355D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/IXK
Source: aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/R
Source: aspnet_regiis.exe, 00000006.00000002.2409698695.000000000306F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/Y
Source: aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/b
Source: aspnet_regiis.exe, 0000000A.00000002.2661808078.000000000355D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/jXl
Source: aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57/~
Source: aspnet_regiis.exe, 00000006.00000002.2409698695.0000000003027000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57R/
Source: aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.217.125.57h
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1244

Source: msvcp110.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal100.troj.evad.winDLL@19/13@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 6_2_00758680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

6_2_00758680

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5276
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5092
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4488

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3205649a-56de-4634-b8e2-296e669c7ce8

Jump to behavior

Source: msvcp110.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\msvcp110.dll,GetGameData

Source: aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT url FROM urls LIMIT 1000;

Source: msvcp110.dll

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\msvcp110.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\msvcp110.dll,GetGameData
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",GetGameData
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1268
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\msvcp110.dll,GetGameData	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",GetGameData	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: msvcp110.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: msvcp110.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 6_2_0075B035 push ecx; ret	6_2_0075B048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_0301B035 push ecx; ret	7_2_0301B048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 10_2_0319B035 push ecx; ret	10_2_0319B048

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking computer name)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Evasive API call chain: GetComputerName,DecisionNodes,Sleep

graph_7-13459

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 4800	Thread sleep count: 258 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 4800	Thread sleep time: -1548000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 4052	Thread sleep count: 231 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 4052	Thread sleep time: -1386000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 6_2_00741160 GetSystemInfo,

6_2_00741160

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: aspnet_regiis.exe, 00000006.00000002.2409698695.0000000003053000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000006.00000002.2409698695.0000000003084000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2655920781.00000000035AF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000002.2661808078.000000000356D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwarer
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: aspnet_regiis.exe, 0000000A.00000002.2661808078.000000000356D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWU
Source: aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwared
Source: aspnet_regiis.exe, 00000006.00000002.2409698695.0000000003084000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWsbC
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: aspnet_regiis.exe, 0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 6_2_007445C0 VirtualProtect ?,00000004,00000100,00000000

6_2_007445C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 6_2_00759750 mov eax, dword ptr fs:[00000030h]	6_2_00759750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_03019750 mov eax, dword ptr fs:[00000030h]	7_2_03019750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 10_2_03199750 mov eax, dword ptr fs:[00000030h]	10_2_03199750

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 4488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 5092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 5276, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 740000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3000000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3180000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 740000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3000000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3180000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 740000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 741000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75E000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 76B000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 99C000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2B57008	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3000000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3001000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 301E000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 302B000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 325C000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F40008	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3180000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3181000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 319E000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 31AB000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 33DC000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F37008	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: GetLocaleInfoA,	6_2_00757B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: GetLocaleInfoA,	7_2_03017B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: GetLocaleInfoA,	10_2_03197B90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 6_2_00757850 GetUserNameA,

6_2_00757850

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 6_2_00757A30 GetTimeZoneInformation,

6_2_00757A30

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 7.2.aspnet_regiis.exe.3000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.aspnet_regiis.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.aspnet_regiis.exe.3180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.aspnet_regiis.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.aspnet_regiis.exe.3000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.aspnet_regiis.exe.3180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2409698695.0000000003027000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2661356120.000000000321A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2655450967.000000000309A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2408845959.00000000007DA000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 4488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 5092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 5276, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 7.2.aspnet_regiis.exe.3000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.aspnet_regiis.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.aspnet_regiis.exe.3180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.aspnet_regiis.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.aspnet_regiis.exe.3000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.aspnet_regiis.exe.3180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2409698695.0000000003027000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2661356120.000000000321A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2655450967.000000000309A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2408845959.00000000007DA000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 4488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 5092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 5276, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	311 Process Injection	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	132 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
msvcp110.dll	63%	ReversingLabs	Win32.Trojan.Tedy
msvcp110.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://95.217.125.57/	true		unknown
http://95.217.125.57/2f571d994666c8cb.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://95.217.125.57/b	aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://95.217.125.57/~	aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://95.217.125.57R/	aspnet_regiis.exe, 00000006.00000002.2409698695.0000000003027000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://95.217.125.57/jXl	aspnet_regiis.exe, 0000000A.00000002.2661808078.000000000355D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://95.217.125.57	aspnet_regiis.exe, 00000006.00000002.2409698695.0000000003027000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://95.217.125.57/R	aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://95.217.125.57/1	aspnet_regiis.exe, 00000007.00000002.2655920781.000000000359C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://95.217.125.57/IXK	aspnet_regiis.exe, 0000000A.00000002.2661808078.000000000355D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.14.dr	false	URL Reputation: safe	unknown
http://95.217.125.57h	aspnet_regiis.exe, 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://95.217.125.57/.	aspnet_regiis.exe, 00000007.00000002.2655920781.000000000359C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://95.217.125.57/2=	aspnet_regiis.exe, 0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://95.217.125.57/Y	aspnet_regiis.exe, 00000006.00000002.2409698695.000000000306F000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.217.125.57	unknown	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541478
Start date and time:	2024-10-24 21:49:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	msvcp110.dll
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@19/13@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 75 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: msvcp110.dll

Simulations

Behavior and APIs

Time	Type	Description
15:49:59	API Interceptor	490x Sleep call for process: aspnet_regiis.exe modified
15:50:01	API Interceptor	1x Sleep call for process: loaddll32.exe modified
15:50:27	API Interceptor	3x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
95.217.125.57	Setup_v1.29.exe	Get hash	malicious	Stealc	Browse	95.217.125.57/
	L0ad3r.exe	Get hash	malicious	Stealc, Vidar	Browse	95.217.125.57/2f571d994666c8cb.php
	Loader.exe	Get hash	malicious	Stealc, Vidar	Browse	95.217.125.57/2f571d994666c8cb.php
	Installer.exe	Get hash	malicious	Stealc, Vidar	Browse	95.217.125.57/2f571d994666c8cb.php
	AVSicb6epR.exe	Get hash	malicious	Stealc, Vidar	Browse	95.217.125.57/2f571d994666c8cb.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	Setup_v1.29.exe	Get hash	malicious	Stealc	Browse	95.217.125.57
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	94.130.253.79
	https://tronlkam8s2.z13.web.core.windows.net	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	http://tronlkam8s2.z13.web.core.windows.net	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	https://8jkfw9cqp7ep.z13.web.core.windows.net/?zpbid=78432_55610c1d-9229-11ef-824f-03718b6de7bb#	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	195.201.57.90
	Payment for outstanding statements.pdf	Get hash	malicious	HTMLPhisher	Browse	144.76.38.184
	o2YUBeMZW6.elf	Get hash	malicious	Mirai	Browse	94.130.241.80
	ai3eCONS9Q.elf	Get hash	malicious	Mirai	Browse	95.217.66.133
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	49.12.72.134
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	95.217.66.190

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_c7496913b9c4ddf6a8ea5944b8f620d91bfba12_edfe2fff_6d2334a9-d117-4c9d-a14b-c975bce9f6c7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9590496265491976
Encrypted:	false
SSDEEP:	192:dRcP1xC0BU/4ju0ZrVZSzuiF2Z24IO8CBHw:LmxJBU/4jP8zuiF2Y4IO8CBH
MD5:	1D114E1B98FB9C8C7DFA39A940330603
SHA1:	9052ABAE3EE01417514B7FA0FD16F4183B84BCAC
SHA-256:	FF3566C24321DEFC55C9DDACCE800A4050DA93CED4789E249247A51A4D8AA27D
SHA-512:	27DC7C525C9E5D4AE352AA0A12E8D956EF85D7912D467E8EC8226E8A71A942C1525D6EA6BB4FEE98863B4108F1AF39ADB3B5550FF1DA18E28EDDED50AEB8A811
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.2.7.3.0.2.2.7.8.5.5.8.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.2.7.3.0.2.4.2.5.4.3.4.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.2.3.3.4.a.9.-.d.1.1.7.-.4.c.9.d.-.a.1.4.b.-.c.9.7.5.b.c.e.9.f.6.c.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.0.e.a.3.3.1.-.d.4.b.3.-.4.c.5.a.-.9.a.2.1.-.7.5.c.0.8.1.9.6.0.7.3.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.8.8.-.0.0.0.1.-.0.0.1.5.-.5.4.b.6.-.6.5.e.8.4.d.2.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.c.5.5.8.f.0.e.8.4.2.c.4.3.e.6.b.3.b.c.0.6.6.9.1.6.b.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_c7496913b9c4ddf6a8ea5944b8f620d91bfba12_edfe2fff_73e42fea-b641-47b7-9191-6583a7169bb0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9589222191980253
Encrypted:	false
SSDEEP:	192:78ixXP1VC0BU/4ju0ZrVZazuiF2Z24IO8CBHw:QQNVJBU/4jPEzuiF2Y4IO8CBH
MD5:	831285CF69DF220DEBB42D59709DB1AE
SHA1:	B42EF4D8805185A1CF588BDA4D297E442D6B3B50
SHA-256:	EA2D25DCBFA5561FFCB162DE7042057753828B27CF168CC9A0E95C0F72448C8E
SHA-512:	01B94702F2CC1D0492A81704DAAA80C29249A56E612BDC7C7EECB284851CC124BD3768679D014268F20BD004E328F3B4270B1DE9F5B371B4004892E7AD0F60EE
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.2.7.3.0.4.9.9.9.1.3.4.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.2.7.3.0.5.0.5.5.3.8.4.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.e.4.2.f.e.a.-.b.6.4.1.-.4.7.b.7.-.9.1.9.1.-.6.5.8.3.a.7.1.6.9.b.b.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.f.b.3.b.7.a.-.6.8.6.a.-.4.f.3.d.-.a.d.1.8.-.f.4.e.4.a.3.0.4.d.f.c.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.e.4.-.0.0.0.1.-.0.0.1.5.-.0.5.3.f.-.7.1.e.8.4.d.2.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.c.5.5.8.f.0.e.8.4.2.c.4.3.e.6.b.3.b.c.0.6.6.9.1.6.b.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_c7496913b9c4ddf6a8ea5944b8f620d91bfba12_edfe2fff_e6cff271-b88a-43cf-821c-19466915ba55\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9591073704243255
Encrypted:	false
SSDEEP:	192:Ib7P1RC0BU/4ju0ZrVZazuiF2Z24IO8CBHw:cRRJBU/4jPEzuiF2Y4IO8CBH
MD5:	9D7999D546A3238ED40AA2A7A662CF8E
SHA1:	2C48D1294D6893E37133A1B58716EBC8583408D0
SHA-256:	BA3F5E3CCB66D41E1D0036C56611E134AB118FCEFED7A5797169A3AC239850EE
SHA-512:	1E210D945F8A8AB8B2AB2613A0541A098B10C4E01E98ED9A4DAA0686DDC7C3C1496A91DA05ED82F2753528F69C2543E8D9246060FF9D41D99C1DB05B6F34B82A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.2.7.3.0.5.0.9.4.4.4.6.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.2.7.3.0.5.1.3.6.6.3.3.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.c.f.f.2.7.1.-.b.8.8.a.-.4.3.c.f.-.8.2.1.c.-.1.9.4.6.6.9.1.5.b.a.5.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.f.b.9.f.8.8.-.a.7.d.a.-.4.8.a.7.-.9.4.d.0.-.9.2.9.9.1.0.2.f.1.0.3.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.9.c.-.0.0.0.1.-.0.0.1.5.-.b.0.c.7.-.2.c.e.a.4.d.2.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.c.5.5.8.f.0.e.8.4.2.c.4.3.e.6.b.3.b.c.0.6.6.9.1.6.b.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER264A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 24 19:50:50 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	116598
Entropy (8bit):	1.6203438626240492
Encrypted:	false
SSDEEP:	384:9OW5sc1zbSEFtBCsjPBiNnF/pjEukm8ED:75sc1/SEFtDgNnrQtK
MD5:	8887503B8C596E96A9DFAE2207176B8A
SHA1:	678334BCAFFEFD9F71DD265D43FBBD1D900F3E4F
SHA-256:	1353010C27F5AF19AD961AB204927FF3C334411529837563D07D637D1878FC41
SHA-512:	80816382B20EE7CB26471370068BB4BA24E1E0623F4B61EC3CB022A68C3BCC493083406CA71CCF84BC5DA17C62991259A4FB118D285F56B52AC86CA58AB32694
Malicious:	false
Preview:	MDMP..a..... ..........g.........................................A..........T.......8...........T............1.............l...........X...............................................................................eJ..............GenuineIntel............T.............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2745.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.6965711090821176
Encrypted:	false
SSDEEP:	192:R6l7wVeJeI6e6YBX76Sq7h4gmfutprp89bpmsfRjm:R6lXJp6e6YBL6Sqigmfu2pFfY
MD5:	1888A91352795DA17E08D7B12B20AF51
SHA1:	28B76E413CD708CA9FCBD508A09F263CAB928573
SHA-256:	D313842F1807F69DD29BFEACFE89556E21411D15F25FAAB9CE8D400D9B4F202B
SHA-512:	1CF61DE494351459A4ED5D2A1B40A7F791A7B5ECA84661E6E1F1A033AF96A7603FC440DF22B41C88235E3D62BBBBD3BE8A1F0A428D04B460E6DF8C3346ED2985
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2765.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4675
Entropy (8bit):	4.460095411802302
Encrypted:	false
SSDEEP:	48:cvIwWl8zs6Jg77aI9ij5WpW8VYXBYm8M4JhqeFGdM+q8b3s0SaraTMd:uIjfII7AI7VWgJh6dMgc0SaraTMd
MD5:	42C5948CD938F4EFC22F292B41F30E0D
SHA1:	80D441C01B89E54D20F8EA73582F813EEF719486
SHA-256:	B8E08D2566880FC3A356730C09DBF1CDC377FD161905A611D5B15765C77851DE
SHA-512:	7DCDDD669C7B820DEE08582CD2CA5B528ACDB5526E385E54B7E929D96583FAECB78C7F723D60CE3DCDC4361852C654187CAED4C02F7A57B703616B8852C83CC3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="557933" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A03.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 24 19:50:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	115518
Entropy (8bit):	1.6351844297158578
Encrypted:	false
SSDEEP:	384:G7W5sc12TSEKPbAghHuUS6pwr0YQ3oaY1IV+hB5XiJTHrb:35sc12TSEKjPGoYsoX1IY5XQL
MD5:	732F03B9F457C5FBFED7C9F33430EE33
SHA1:	49950F48FAB0B9C7012D578C49DD96745DCB0465
SHA-256:	2B72CD814DABEA67F5923AF44333DECFC4D6D4E9CFAC69D44D2083203FD49060
SHA-512:	AE4C5D8DB5039240DA5E1B632AC12B913EFD96ABD67BC69E2747570C3E0B0BE9468FA3A9AC391E9A37D422E233280E9DE57287883E7E286427ADE71B2C7055AC
Malicious:	false
Preview:	MDMP..a..... ..........g.........................................A..........T.......8...........T...........H1..............l...........X...............................................................................eJ..............GenuineIntel............T.............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AA0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6360
Entropy (8bit):	3.722114229301873
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbGe67eSYuQE/CKP5aM4U889bgLsf6gm:R6l7wVeJGe67eSYutpr889bgLsf6gm
MD5:	23F4EEB23B94BF2F811EA28582DE49A9
SHA1:	D4CA66E6655E3FC318F4A1F03D9DF74ADD3C2229
SHA-256:	2E94B7589DA970C30A41FF9B4A55B865CF048823E8CBB3F46E84F7EC5EB770E8
SHA-512:	DC07DA25D271AB8B4EDA7ED51A2DEF9143BA551BE47D798C6444BB9DF3245BEA6D16170EC3BC715C544FCA0C0E868513A3ACADC84F63BFB47027F85D5938CC40
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AE0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4675
Entropy (8bit):	4.4590376158644975
Encrypted:	false
SSDEEP:	48:cvIwWl8zs6Jg77aI9ij5WpW8VYXsYm8M4JhqeFvo+q8b3K0SaraOMd:uIjfII7AI7VWpJhjoga0SaraOMd
MD5:	3DC791E84C5DE7B918BEBD0D7B3A04D3
SHA1:	017BBD4D894DE48530AFE02AE692520955D9F8E3
SHA-256:	A4BBB35DAF1530364F91E5A3B6E950081B53A542BF4805B046908D1A90E2B34A
SHA-512:	132543BBE6E1796EED49C32AA3A11CC3F19C5011B05BEF0CE090445324BD8B72755224E2447FAF5F26EF52F69A60928805C7EEA9E658A0E74A51625C7B3321C5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="557933" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC16.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Oct 24 19:50:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	110512
Entropy (8bit):	1.6159377954215517
Encrypted:	false
SSDEEP:	384:Rml/cugQVSEVSctGo+oyhDNcQU9Ns6hMxIMkYIWr+:cl/cugQVSEzJh7Jlh3xvb
MD5:	E75D671DA253361DDBBC8842B197AD45
SHA1:	F385311CDF4C8D36B4C8FEAB34BB3046878A29E5
SHA-256:	D6E09870F91930B137C51156FE26287D94B761BAAE64B1B274BA326D503D00A0
SHA-512:	E2AD990AA98CC463261A4869162FD36D873E8BC51B87D488940DF7094F7366A015BFD9D65168D929543CCB3FD53EE148A99C7ABDB664B7CF2613B617BD934866
Malicious:	false
Preview:	MDMP..a..... ..........g....................................T....>..........T.......8...........T............0...~..........<...........(...............................................................................eJ..............GenuineIntel............T.............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0CA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6348
Entropy (8bit):	3.721636286272004
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetb+ZK6LyYuQE/CKP5aM4Ui89b6Rsf5fGm:R6l7wVeJwK6LyYutpri89b6Rsf5em
MD5:	E223AB812DC1B9973F7878CC8122E299
SHA1:	3B51B2B7B3D47ADD8E4FA571A985DB257C0937EB
SHA-256:	552C5005715345FE30B3034E9C0EBFAEAA7B0A95FB4A50236720C9384F7106E1
SHA-512:	D575AB2EDF81F7F2EB509DE5E4CDF0026D19D62CBBAE6188606890DB3C8676D58E73928FE1170D7C16DF75ACE4A4DEE4A6C5E2A61EBE3A11DA437DF7D27AFE28
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.4.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC119.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4675
Entropy (8bit):	4.4600701723392815
Encrypted:	false
SSDEEP:	48:cvIwWl8zs6Jg77aI9ij5WpW8VYXcYm8M4JhqeFJ+q8b3J0SaraiMd:uIjfII7AI7VW5JhVgZ0SaraiMd
MD5:	C1F1E357170C9FBCBCC5404CD46E37D5
SHA1:	EE50FACAFD21559C7801ACBB95F274E67EE13D02
SHA-256:	2C2F15928D56C3882A8670D6CBDFE49C5A9D78595E4E8E941CAAFCD466522CB9
SHA-512:	229417EF705CA78D5A3E9186652EE4A65609DCA11DCC84521A1B427DEBB0CD5AEC656C7F83FA4204B6F6831CA418402FF77D8085C0E1C5B773304183CBD50E32
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="557933" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469509149710471
Encrypted:	false
SSDEEP:	6144:2zZfpi6ceLPx9skLmb0fFZWSP3aJG8nAgeiJRMMhA2zX4WABluuNQjDH5S:YZHtFZWOKnMM6bFpWj4
MD5:	5606B5DBE9630E8021268F2AE6BF31F5
SHA1:	6D89EFF200CD76B84B9027B21D166D7A9D7DCF1F
SHA-256:	EC252D935A81CE7CFB1F2056DCA63593CAF905D6B4065A8EE230C611B64230CD
SHA-512:	61933F47C856325656683690081F18C683E0404F17066B1D0FDAC5CF640F8E2E1626CD8296C15603507F173967612FD4B2A3A118C7F2329367F6C7E30E32200B
Malicious:	false
Preview:	regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..E.M&................................................................................................................................................................................................................................................................................................................................................S.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.928739021633009
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	msvcp110.dll
File size:	601'088 bytes
MD5:	740c3417929730c4ae20e0165aa94b7c
SHA1:	d03cebc7b1172149f65b06f15b0fbb11512f5b88
SHA256:	8e200e4aca363cc2be03121815ec03525f1d983f717f67b63241028c59cb0bde
SHA512:	4bccf661986c98635319ae86c394022e9e4bf1a944a759176a69916b33e64eb910beb027faa55f66322754715a772d0ec693ddf6c3cb07a611f026f678390e7f
SSDEEP:	12288:UVi4BszD+DZslByhHwrZz1vb2MW4hPuH5A5ItioxaNi2iU:aBsG2l06rrCwSig9
TLSH:	89D45B48AD34C29BE648C5F2F96C46D0796487A51D328CCB3EAE1C243B66EF0506D7F9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.vkp}.8p}.8p}.8;..9\|}.8;..9.}.8;..9d}.8;..9v}.8W.c8s}.8p}.8.}.8v..9Q}.8v..9`}.8v..9d}.8p}.8q}.8...9q}.8...9q}.8Richp}.8.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1002faae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x671803AA [Tue Oct 22 19:57:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	43480200b3c5eced3ea874108558123d

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F6D6C812D47h
call 00007F6D6C813270h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F6D6C812BF3h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1003D06Ch]
push dword ptr [ebp+08h]
call dword ptr [1003D068h]
push C0000409h
call dword ptr [1003D034h]
push eax
call dword ptr [1003D070h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [1003D074h]
test eax, eax
je 00007F6D6C812D47h
push 00000002h
pop ecx
int 29h
mov dword ptr [100926D0h], eax
mov dword ptr [100926CCh], ecx
mov dword ptr [100926C8h], edx
mov dword ptr [100926C4h], ebx
mov dword ptr [100926C0h], esi
mov dword ptr [100926BCh], edi
mov word ptr [100926E8h], ss
mov word ptr [100926DCh], cs
mov word ptr [100926B8h], ds
mov word ptr [100926B4h], es
mov word ptr [100926B0h], fs
mov word ptr [100926ACh], gs
pushfd
pop dword ptr [100926E0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [100926D4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [000926D8h], eax

Rich Headers

Programming Language:

[IMP] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x43a40	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x43ab8	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0x2118	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x42dd0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x42d10	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3d000	0x174	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3bb63	0x3bc00	b9583e00c36c0820ca67ea068e65034f	False	0.4124239997384937	data	6.654540918170396	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3d000	0x732e	0x7400	91edac08b9eb0cb235dd3b28530bf9be	False	0.4581088362068966	data	5.17097918438835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x45000	0x4e3e0	0x4d600	9d9cfc5947f7a0aa0653d6af4cdef6f8	False	0.4926418618739903	data	6.351172386117954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x94000	0x2118	0x2200	56e1b578d061799baa1245cfb844d13e	False	0.7789522058823529	data	6.639453614972652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
USER32.dll	FillRect, BeginPaint, InvalidateRect, PostQuitMessage, DefWindowProcA, ShowWindow, EndPaint
GDI32.dll	TextOutA
ntdll.dll	NtWriteVirtualMemory, NtCreateThreadEx, NtSetContextThread, NtResumeThread, NtAllocateVirtualMemory, NtGetContextThread, RtlUnwind
KERNEL32.dll	WriteConsoleW, SetFilePointerEx, CreateFileW, TlsSetValue, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, GetCurrentProcess, GetModuleHandleA, K32GetModuleInformation, GetModuleFileNameA, CreateFileA, CreateFileMappingA, CloseHandle, MapViewOfFile, VirtualProtect, GetModuleHandleW, GetConsoleWindow, VirtualAlloc, CreateProcessW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStringTypeW, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, DecodePointer, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType

Exports

Name	Ordinal	Address
GetGameData	1	0x10015900

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 21:50:00.968420982 CEST	49709	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:00.973826885 CEST	80	49709	95.217.125.57	192.168.2.6
Oct 24, 2024 21:50:00.973917961 CEST	49709	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:00.974601984 CEST	49709	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:00.980110884 CEST	80	49709	95.217.125.57	192.168.2.6
Oct 24, 2024 21:50:09.657960892 CEST	80	49709	95.217.125.57	192.168.2.6
Oct 24, 2024 21:50:09.658107996 CEST	49709	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:09.658602953 CEST	49709	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:09.664665937 CEST	80	49709	95.217.125.57	192.168.2.6
Oct 24, 2024 21:50:30.500909090 CEST	49821	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:30.506715059 CEST	80	49821	95.217.125.57	192.168.2.6
Oct 24, 2024 21:50:30.506781101 CEST	49821	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:30.508619070 CEST	49822	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:30.510962009 CEST	49821	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:30.514591932 CEST	80	49822	95.217.125.57	192.168.2.6
Oct 24, 2024 21:50:30.514658928 CEST	49822	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:30.514794111 CEST	49822	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:30.516382933 CEST	80	49821	95.217.125.57	192.168.2.6
Oct 24, 2024 21:50:30.521173000 CEST	80	49822	95.217.125.57	192.168.2.6
Oct 24, 2024 21:50:38.997706890 CEST	80	49821	95.217.125.57	192.168.2.6
Oct 24, 2024 21:50:38.997900009 CEST	49821	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:38.998357058 CEST	49821	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:38.998608112 CEST	80	49822	95.217.125.57	192.168.2.6
Oct 24, 2024 21:50:38.998665094 CEST	49822	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:38.998739004 CEST	49822	80	192.168.2.6	95.217.125.57
Oct 24, 2024 21:50:39.003886938 CEST	80	49821	95.217.125.57	192.168.2.6
Oct 24, 2024 21:50:39.004096031 CEST	80	49822	95.217.125.57	192.168.2.6

HTTP Request Dependency Graph

95.217.125.57

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	95.217.125.57	80	4488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:50:00.974601984 CEST	88	OUT	GET / HTTP/1.1 Host: 95.217.125.57 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49821	95.217.125.57	80	5276	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:50:30.510962009 CEST	88	OUT	GET / HTTP/1.1 Host: 95.217.125.57 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49822	95.217.125.57	80	5092	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:50:30.514794111 CEST	88	OUT	GET / HTTP/1.1 Host: 95.217.125.57 Connection: Keep-Alive Cache-Control: no-cache

Target ID:	0
Start time:	15:49:58
Start date:	24/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\msvcp110.dll"
Imagebase:	0xf30000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:49:58
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:49:58
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:49:58
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\msvcp110.dll,GetGameData
Imagebase:	0xdf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:49:58
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1
Imagebase:	0xdf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:49:59
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x200000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000006.00000002.2409698695.0000000003027000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000006.00000002.2408845959.00000000007DA000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:49:59
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x200000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000007.00000002.2655920781.0000000003557000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000007.00000002.2655450967.000000000309A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:50:01
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",GetGameData
Imagebase:	0xdf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:50:02
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x200000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000002.2661808078.0000000003517000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000A.00000002.2661356120.000000000321A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:50:22
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1244
Imagebase:	0xba0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:50:49
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1260
Imagebase:	0xba0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:50:50
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1268
Imagebase:	0xba0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2%
Total number of Nodes:	1159
Total number of Limit Nodes:	6

Executed Functions

Function 00758680 Relevance: 6.1, APIs: 4, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,007605B7), ref: 007586CA
Process32First.KERNEL32(?,00000128), ref: 007586DE
Process32Next.KERNEL32(?,00000128), ref: 007586F3
CloseHandle.KERNELBASE(?), ref: 00758761

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: fde0498dd664bab6aceca2b8101347d979ff0a0221a4b6ad25ce3fafaa89e047
Instruction ID: 1d2dda4cb1f71491054687bb926271acbad1fbce25e4ef524dddca9164d30df6
Opcode Fuzzy Hash: fde0498dd664bab6aceca2b8101347d979ff0a0221a4b6ad25ce3fafaa89e047
Instruction Fuzzy Hash: DF316171901218EBDB25DF50CC45FEEB778FB44701F1046A9E90AA2190DF786E49CFA2

Function 007445C0 Relevance: 3.1, APIs: 2, Instructions: 114
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,007569FB), ref: 0074460E
VirtualProtect.KERNELBASE(?,00000004,00000100,00000000), ref: 0074479C

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocateHeapProtectVirtual
String ID:
API String ID: 1542196881-0
Opcode ID: 7d4a38272a402e8ab808dd0253732b8bdd5388e48ae2329f9682d428b217a045
Instruction ID: 766e3803959e45a350a17b06c7ba1b73666cc4ed35fabf372598d9d723eb9745
Opcode Fuzzy Hash: 7d4a38272a402e8ab808dd0253732b8bdd5388e48ae2329f9682d428b217a045
Instruction Fuzzy Hash: 8E41A7B1640704EBC71C9BE4EC8DA9D7B61AB48717F60C040F90B991D0DAFC9601ABBA

Function 00757B90 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNELBASE(?,00000002,?,00000200), ref: 00757C62

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: dae8e2b5141edacdaaecdfe47eedb74554cbb25a8aba62a872e3df573c6994e3
Instruction ID: 37e6d41f8adda994fc5ce4d7ebb274b5d436e228348f0b6f0ce5382a2bfeaf90
Opcode Fuzzy Hash: dae8e2b5141edacdaaecdfe47eedb74554cbb25a8aba62a872e3df573c6994e3
Instruction Fuzzy Hash: 6E415171954218EBDB24DB54DC99BEDB378FF44701F1042D9E80962291DB782F89CFA1

Function 00757A30 Relevance: 1.5, APIs: 1, Instructions: 49timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNELBASE(?,?,?,?,00000000,00000000,?,?,00000000,?,00760E10,00000000,?,00000000,00000000,?), ref: 00757A7D

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 6158727a4d8cdf6b4b9a2f04cc529307e142661d958dad4733334ce71107a28a
Instruction ID: a344e82187c2b499069eb06d852f4eb496a9507bf526f8c51997ad48d930892d
Opcode Fuzzy Hash: 6158727a4d8cdf6b4b9a2f04cc529307e142661d958dad4733334ce71107a28a
Instruction Fuzzy Hash: D31165B1949218DBEB24CF54DC45F99B778F704711F10439AE916932C0D7785E44CF51

Function 00757850 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000104,00000104), ref: 0075789F

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 898838f6a3733187ed8d9dec45d52173f403e8d020a7bf2cfc41a70ca0634121
Instruction ID: 6c190795d81561a54b36881f9638c16244daf9545e583b262b2167b4e394e030
Opcode Fuzzy Hash: 898838f6a3733187ed8d9dec45d52173f403e8d020a7bf2cfc41a70ca0634121
Instruction Fuzzy Hash: 23F04FF1D48208ABD714DF98DD49BAEBBB8EB04711F10025AFA05A2780C7B81904CBA1

Function 00741160 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00756A17,00760AEF), ref: 0074116A

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 90906e6468853a242d5110b69fc08cab492de9b320256fc1af48bc47f9ff05a2
Instruction ID: 287ee8801124fd05f947c2b55f151acc144702620001e0a5bcfbe7e996afbe91
Opcode Fuzzy Hash: 90906e6468853a242d5110b69fc08cab492de9b320256fc1af48bc47f9ff05a2
Instruction Fuzzy Hash: D5D05E74D0430CDBDB00EFE0D8496DDBBB8FB08311F000555D90562340EA305881DBA6

Function 00759C10 Relevance: 12.7, APIs: 8, Instructions: 684
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,00755CA3,?,00000034,00000064,00756600,?,0000002C,00000064,007565A0,?,00000030,00000064,Function_00015AD0,?), ref: 0075A03D
LoadLibraryA.KERNELBASE(?,?,00755CA3,?,00000034,00000064,00756600,?,0000002C,00000064,007565A0,?,00000030,00000064,Function_00015AD0,?), ref: 0075A04E
LoadLibraryA.KERNELBASE(?,?,00755CA3,?,00000034,00000064,00756600,?,0000002C,00000064,007565A0,?,00000030,00000064,Function_00015AD0,?), ref: 0075A060
LoadLibraryA.KERNELBASE(?,?,00755CA3,?,00000034,00000064,00756600,?,0000002C,00000064,007565A0,?,00000030,00000064,Function_00015AD0,?), ref: 0075A072
LoadLibraryA.KERNELBASE(?,?,00755CA3,?,00000034,00000064,00756600,?,0000002C,00000064,007565A0,?,00000030,00000064,Function_00015AD0,?), ref: 0075A083
LoadLibraryA.KERNELBASE(?,?,00755CA3,?,00000034,00000064,00756600,?,0000002C,00000064,007565A0,?,00000030,00000064,Function_00015AD0,?), ref: 0075A095
LoadLibraryA.KERNELBASE(?,?,00755CA3,?,00000034,00000064,00756600,?,0000002C,00000064,007565A0,?,00000030,00000064,Function_00015AD0,?), ref: 0075A0A7
LoadLibraryA.KERNELBASE(?,?,00755CA3,?,00000034,00000064,00756600,?,0000002C,00000064,007565A0,?,00000030,00000064,Function_00015AD0,?), ref: 0075A0B8

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d292422dc13c514bd5bf66cc7dd3675cb555c578693facf95f5c8949064fa7d2
Instruction ID: 913d38a505d418ff2a44a85ecceae22a6aee6cb150b548c3934eb5d23b956b81
Opcode Fuzzy Hash: d292422dc13c514bd5bf66cc7dd3675cb555c578693facf95f5c8949064fa7d2
Instruction Fuzzy Hash: FC621AB6938200AFF744DFA8ED8896637F9F74C701714851BA609C3374D639A852FB62

Function 00758320 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 196
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000,007605B6), ref: 007583A4
RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00758426
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 0075847B

Strings

?, xrefs: 0075837A

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Open$Enum
String ID: ?
API String ID: 462099255-1684325040
Opcode ID: 376b0c9b22f5677fb549827025eee17f7d9be4494eb66ae771daf6c5e4d2951c
Instruction ID: f410764ab2cadebb7d11e1ddbca428c99562e9720baedb008d53af2f55186b60
Opcode Fuzzy Hash: 376b0c9b22f5677fb549827025eee17f7d9be4494eb66ae771daf6c5e4d2951c
Instruction Fuzzy Hash: 968120B1910118EBEB64DB50CC95FEA77B8FF08701F008299E509A6140DFB96F89CFA1

Function 00757500 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0075757F

Strings

:, xrefs: 0075755C
\, xrefs: 00757560
C, xrefs: 0075754C

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: 93d61cd2df70b34507f6280c74b6f26857a8d096639c2147b096c3b105db586a
Instruction ID: 3d6d9b43d7641996090a698a9482914bebb3a76f04c43b0a89d70b51493dfd30
Opcode Fuzzy Hash: 93d61cd2df70b34507f6280c74b6f26857a8d096639c2147b096c3b105db586a
Instruction Fuzzy Hash: 394185B1D04248EBDB14DF94DC45BDEBBB8EF08701F100199F90567280E7B96A48CBA5

Function 00758100 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,00000040,00000000), ref: 00758158
__aulldiv.LIBCMT ref: 00758172
__aulldiv.LIBCMT ref: 00758180

Strings

@, xrefs: 0075814D

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 64c9c3a0905cafcb529a381f089724aac02d18bcbb3333e06a2421a71096b305
Instruction ID: d35d61a368d7b249109bed372016886ae755a8865b0237a1ef2fb954207780ff
Opcode Fuzzy Hash: 64c9c3a0905cafcb529a381f089724aac02d18bcbb3333e06a2421a71096b305
Instruction Fuzzy Hash: 73211DB1E44218ABEB10DFD4CC49FAFB7B8FB44B11F104509FA05BB280D7B969058BA5

Function 00741220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0074123E
__aulldiv.LIBCMT ref: 00741258
__aulldiv.LIBCMT ref: 00741266

Strings

@, xrefs: 00741233

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 7be48c5c798d65e6082acfbb6cdd81ec160374e7029c7af20806a69bfdba3e51
Instruction ID: 678a3f370d425f4b9b80af8a843483a593328d48c39fdb1623458fb5712803ed
Opcode Fuzzy Hash: 7be48c5c798d65e6082acfbb6cdd81ec160374e7029c7af20806a69bfdba3e51
Instruction Fuzzy Hash: A70162B0E54308FBEB10EBE0CC49B9EB778BB04701F608045E705F62C0D7B859858759

Function 00746280 Relevance: 6.2, APIs: 4, Instructions: 191
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00744849

InternetOpenA.WININET(00760DFE,00000001,00000000,00000000,00000000,00760DFB), ref: 007462E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00746335
HttpOpenRequestA.WININET(00000000,00761A28,?,?,00000000,00000000,00400100,00000000), ref: 00746385
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007463D1

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectCrackSend
String ID:
API String ID: 612470270-0
Opcode ID: da244d5e2490fe9f7f30ef999308ac416a57966683ed8cd8f30c249535112c5e
Instruction ID: c4068130a1feb70694cd70f13e6c71e5b134f0f6e36bcb1a3128d512b3ac90a1
Opcode Fuzzy Hash: da244d5e2490fe9f7f30ef999308ac416a57966683ed8cd8f30c249535112c5e
Instruction Fuzzy Hash: DD718271A00218EBDF14DF94CC49BEE7774FB44701F108169F5066B190DBB86A89DF52

Function 00757690 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,00000000), ref: 007576DD
RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,000000FF), ref: 007576FE

Strings

\v, xrefs: 007576BD

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID: \v
API String ID: 4153817207-4064502150
Opcode ID: fcf0b560c4aa75ae1cfe4437d0d32db07ba38d131f88a26ca3beca000a6b03c3
Instruction ID: 373cb5d4f9592fdf9646c6858d30920a4e65160066f96392ee64da804603b234
Opcode Fuzzy Hash: fcf0b560c4aa75ae1cfe4437d0d32db07ba38d131f88a26ca3beca000a6b03c3
Instruction Fuzzy Hash: BB014FB5A18304BBEB04DBE4EC49FAAB7B8EB48701F104456FE0597290D6B89904EB61

Function 00759860 Relevance: 4.7, APIs: 3, Instructions: 212
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,00756A00), ref: 00759A9A
LoadLibraryA.KERNELBASE(?,?,00756A00), ref: 00759AAB
LoadLibraryA.KERNELBASE(?,?,00756A00), ref: 00759ACF

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7d762fcc6c6cb6cd68c74d3f4131f8771e0afb8622e5959cca24b38ecc75270e
Instruction ID: f77661bdd04e1b85b5b14c96b70f82ea79bb46bc07a1e4024860d28656d1bfbf
Opcode Fuzzy Hash: 7d762fcc6c6cb6cd68c74d3f4131f8771e0afb8622e5959cca24b38ecc75270e
Instruction Fuzzy Hash: 8BA14AB692C2409FF344EFA8ED889663BF9F74C701704451BA605C3364D63DA852FB22

Function 007447B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCrackUrlA.WININET(00000000,00000000), ref: 00744849

Strings

<, xrefs: 007447C9

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: CrackInternet
String ID: <
API String ID: 1381609488-4251816714
Opcode ID: f063bd80a8b60a03a2e7dda2713b284abe79417ec4ceab9caa7e74246acf868f
Instruction ID: 3974c39ee433df4be0a9802e738b528efd6c66203f165e029e8ef903a81f83d9
Opcode Fuzzy Hash: f063bd80a8b60a03a2e7dda2713b284abe79417ec4ceab9caa7e74246acf868f
Instruction Fuzzy Hash: 94211AB1D00209ABDF14DFA4E849ADE7B74FB44321F108225F925A72D0EBB46A05DF91

Function 00744FB0 Relevance: 3.1, APIs: 2, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 00744FD1
KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 0074508A

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocateDispatcherExceptionHeapUser
String ID:
API String ID: 3515689010-0
Opcode ID: 33cea44835b96e253b2589e8b4db23edef2755131bf677634771e71e3e26c83f
Instruction ID: 158233a403abe141e61f77b630404968a809cd7d6bf6ec3bae75c717ae0d8b88
Opcode Fuzzy Hash: 33cea44835b96e253b2589e8b4db23edef2755131bf677634771e71e3e26c83f
Instruction Fuzzy Hash: 083107B4A00218ABDB20CF54DC85BDDB7B4EB48704F5081D9FB09A7281D7746EC59F99

Function 007583DC Relevance: 3.1, APIs: 2, Instructions: 64
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00758426
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 0075847B
RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400), ref: 007584EC
RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00760B34), ref: 00758599
RegCloseKey.KERNELBASE(00000000), ref: 00758608

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseEnumOpen
String ID:
API String ID: 2041898428-0
Opcode ID: 8f1d8abc3aa23dfb47c294c833a0c1a474c8b81253eaaaade415228cf3e25176
Instruction ID: 2ec124d25884957ff1cabd8d52f3422dbd2636c7bfbb2cc443ebbf6950f0f5c4
Opcode Fuzzy Hash: 8f1d8abc3aa23dfb47c294c833a0c1a474c8b81253eaaaade415228cf3e25176
Instruction Fuzzy Hash: 61213BB1910218ABEB64DB54CC85FE9B3B8FB48701F00C5D9E609A6240DF75AA85CFE5

Function 00757E00 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,?), ref: 00757E5E
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,000000FF,000000FF), ref: 00757E7F

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 50e2c2a0d35a6a5ad8e20a4f4e9ff4410ea438b3805f8c17454bc0ad63c501d1
Instruction ID: 445b78bc2cfa8f153fe60bb9d131470fba7bc105aa014b27d639a2e921320a5f
Opcode Fuzzy Hash: 50e2c2a0d35a6a5ad8e20a4f4e9ff4410ea438b3805f8c17454bc0ad63c501d1
Instruction Fuzzy Hash: D3114FB1A58205EBE714CF94DD4AFBBBBB8EB04711F10415AFA05A7380D7B85C04DBA1

Function 00757720 Relevance: 3.0, APIs: 2, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,007576B9), ref: 0075775B
RegQueryValueExA.KERNELBASE(007576B9,00760AAC,00000000,00000000,?,000000FF), ref: 0075777A

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: aa7bc8209e7abfac37f946ba8be1b41538440eb2a633580fad205696ed6c134a
Instruction ID: 1953919b96c4c150c128dca91faaf8bda274666d4af3fefae41aeee7161c0a51
Opcode Fuzzy Hash: aa7bc8209e7abfac37f946ba8be1b41538440eb2a633580fad205696ed6c134a
Instruction Fuzzy Hash: E90144B5E54308BBE700DBE0DC49FAEB7B8EB48701F004555FA05A7281D67455009BA1

Function 007569F0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00741160: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00756A17,00760AEF), ref: 0074116A

Part of subcall function 00741110: VirtualAllocExNuma.KERNELBASE(00000000,?,?,00756A1C), ref: 00741132

Part of subcall function 00741220: GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0074123E
Part of subcall function 00741220: __aulldiv.LIBCMT ref: 00741258
Part of subcall function 00741220: __aulldiv.LIBCMT ref: 00741266

GetUserDefaultLCID.KERNELBASE ref: 00756A26

Part of subcall function 00757850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0075789F

Part of subcall function 007578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0075792F

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoMemoryNumaStatusSystemVirtual
String ID:
API String ID: 3178950686-0
Opcode ID: 01d2cbd3942845e2e12e6de68f2f72a800b91fa1152942564224f376bd9ce0e4
Instruction ID: e7ea5e5fc5473b33ce404c0d82a7bc467abeaa8db81f1d9ab3ab480b204264e1
Opcode Fuzzy Hash: 01d2cbd3942845e2e12e6de68f2f72a800b91fa1152942564224f376bd9ce0e4
Instruction Fuzzy Hash: BB312071D14208EADB05F7F0DC5EAEE7778AF04302F504629F912A2191EFBC6949D7A2

Function 007578E0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 0075792F

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 37688fe1740ef69d390f596910bd33693993366318ebd9114eaa5dd67681855b
Instruction ID: 16282c8d625d390fd527fd35bb2cb5906bf6433e84514dd49960fe28c5bb4493
Opcode Fuzzy Hash: 37688fe1740ef69d390f596910bd33693993366318ebd9114eaa5dd67681855b
Instruction Fuzzy Hash: 040162B1908204EBD714DF94DD45FAAFBB8F704B11F10421AEA45A2380C7B859048BA1

Function 00757ED0 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(00760E2C), ref: 00757F00

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 86939e5a5fbaabf3462abc34a4d8bbb678973adb7f522ef4fcee26fdbe23ef39
Instruction ID: 4daddf8041458a7bc356f78aea91a862637d3bcb386e670ff955243ff75cb017
Opcode Fuzzy Hash: 86939e5a5fbaabf3462abc34a4d8bbb678973adb7f522ef4fcee26fdbe23ef39
Instruction Fuzzy Hash: 6BF062F1D04208EBD714CF85DC45FAAB7BCF744614F00466AF91592280D7B959448BD1

Function 00759470 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 007594A5

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 50754fdfaf25990d4289fb0f0a3a252eca4d0d76f2ada069c4209013095623da
Instruction ID: 37b39a01bc741e8436bb3e4b97d64e626b6c8ea031ce64b77f21f7d0e71f0603
Opcode Fuzzy Hash: 50754fdfaf25990d4289fb0f0a3a252eca4d0d76f2ada069c4209013095623da
Instruction Fuzzy Hash: B8F05E7490020CFBEB04DFA4DC4AFEE7778EB08301F004598BB0997290D6B46E85DB91

Function 00741110 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(00000000,?,?,00756A1C), ref: 00741132

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: bbe0d8e8b5783ac0a6d9d56ed2ca2e26b889e68205eeb7e111c82997d332c8ec
Instruction ID: 68ec37bcaaaedf2a5d1279b2c10646505d9bf1cb9319f967524c65211a59deb3
Opcode Fuzzy Hash: bbe0d8e8b5783ac0a6d9d56ed2ca2e26b889e68205eeb7e111c82997d332c8ec
Instruction Fuzzy Hash: 84E0E67099930CFBF710ABA09C0EB097678AB04B41F504055F709762D0D7B92640A7AA

Function 007410A0 Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,0074114E,?,?,00756A1C), ref: 007410B3

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cee38879f1bd988db2ae84995a2e3d877abe4bcf526c9053cd61c2506472ae6f
Instruction ID: 5be293e4c88943a55eee7057e722796cb394cd6bb2f8e53ddd01a3c3e3b3ecbe
Opcode Fuzzy Hash: cee38879f1bd988db2ae84995a2e3d877abe4bcf526c9053cd61c2506472ae6f
Instruction Fuzzy Hash: ADF0E271641208BBE714AAA4AC49FAAB7ECE705B15F300448F904E3290D671AE40DBA1

Non-executed Functions

Function 00759750 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 0075C742 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0075C74E

Part of subcall function 0075BF9F: __getptd_noexit.LIBCMT ref: 0075BFA2
Part of subcall function 0075BF9F: __amsg_exit.LIBCMT ref: 0075BFAF

__getptd.LIBCMT ref: 0075C765
__amsg_exit.LIBCMT ref: 0075C773
__lock.LIBCMT ref: 0075C783
__updatetlocinfoEx_nolock.LIBCMT ref: 0075C797

Memory Dump Source

Source File: 00000006.00000002.2408782062.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_740000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 96e955a7fa83634030a7d482e6f17eab0d3904fad534e672f89dacb33cec4e94
Instruction ID: c1a4d91efe66a336bece0f307a154497e203ee45cc0deb5b9de9424b8275fb8a
Opcode Fuzzy Hash: 96e955a7fa83634030a7d482e6f17eab0d3904fad534e672f89dacb33cec4e94
Instruction Fuzzy Hash: CEF0F032900700EFD722BBB8480B7D933A06F04723F244549FC05A65D2CFEC59898E46

Analysis Process: aspnet_regiis.exePID: 5092, Parent PID: 5960COMMON

Execution Graph

Execution Coverage:	19.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1163
Total number of Limit Nodes:	6

Executed Functions

Function 03017B90 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNELBASE(?,00000002,?,00000200), ref: 03017C62

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 340312ccfc71ec4f54423e031f95974c664b4c5f282b2d1bdab97239308211a3
Instruction ID: 576e995357c97a6c95f9a08c79d703fb1d4270a681076a742fd4fae8217ca5e7
Opcode Fuzzy Hash: 340312ccfc71ec4f54423e031f95974c664b4c5f282b2d1bdab97239308211a3
Instruction Fuzzy Hash: AD413D75942218ABDB24DB94EC98FEEB7B8FB44710F1041D9E00966180DB746F96CFA0

Function 03019C10 Relevance: 12.7, APIs: 8, Instructions: 684
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,03015CA3,?,00000034,00000064,03016600,?,0000002C,00000064,030165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0301A03D
LoadLibraryA.KERNELBASE(?,?,03015CA3,?,00000034,00000064,03016600,?,0000002C,00000064,030165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0301A04E
LoadLibraryA.KERNELBASE(?,?,03015CA3,?,00000034,00000064,03016600,?,0000002C,00000064,030165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0301A060
LoadLibraryA.KERNELBASE(?,?,03015CA3,?,00000034,00000064,03016600,?,0000002C,00000064,030165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0301A072
LoadLibraryA.KERNELBASE(?,?,03015CA3,?,00000034,00000064,03016600,?,0000002C,00000064,030165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0301A083
LoadLibraryA.KERNELBASE(?,?,03015CA3,?,00000034,00000064,03016600,?,0000002C,00000064,030165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0301A095
LoadLibraryA.KERNELBASE(?,?,03015CA3,?,00000034,00000064,03016600,?,0000002C,00000064,030165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0301A0A7
LoadLibraryA.KERNELBASE(?,?,03015CA3,?,00000034,00000064,03016600,?,0000002C,00000064,030165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0301A0B8

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 35b3f4558264589b7a6332e0c426950a34baf5fc7b6dd9b03ac8420b76eb69c7
Instruction ID: 1fa9f6cd11fe135e133a047c1b2faa795dcac146f6700dc2c6bd4c35e516f75f
Opcode Fuzzy Hash: 35b3f4558264589b7a6332e0c426950a34baf5fc7b6dd9b03ac8420b76eb69c7
Instruction Fuzzy Hash: 3F62F9BD6C1240AFD764FFA8FA8C96A3BF9F78C601714C51AA60AC724CD7399441DB60

Function 03018320 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 196
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000,030205B6), ref: 030183A4
RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 03018426
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 0301847B

Strings

?, xrefs: 0301837A

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Open$Enum
String ID: ?
API String ID: 462099255-1684325040
Opcode ID: 2a08078269c94bfcf3d6cea6767f4bce768cda416974f5eb5f2a568c4e522cd7
Instruction ID: 5a60551030d21f3e5abb70d81e41107d10900eafa3caff6d0fcf847f66569c57
Opcode Fuzzy Hash: 2a08078269c94bfcf3d6cea6767f4bce768cda416974f5eb5f2a568c4e522cd7
Instruction Fuzzy Hash: 84810B759522189BEB24EB50DD94FEEB7B8FB48710F00C699E109A6140DF716B85CFA0

Function 03017500 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0301757F

Strings

C, xrefs: 0301754C
\, xrefs: 03017560
:, xrefs: 0301755C

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: 6d0c35c832915b3ff0150f4c67616605f653501574f7d31594df16de58377466
Instruction ID: d5e11a0a32162399e5e432ab8457d383bd169be3e76c21952bb6af06b6267975
Opcode Fuzzy Hash: 6d0c35c832915b3ff0150f4c67616605f653501574f7d31594df16de58377466
Instruction Fuzzy Hash: E5419FB5D41348ABDB10DF94DC88BEEBBB8EF48704F004098F5096B280D774AB54CBA5

Function 03018100 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,00000040,00000000), ref: 03018158
__aulldiv.LIBCMT ref: 03018172
__aulldiv.LIBCMT ref: 03018180

Strings

@, xrefs: 0301814D

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 2e994ac6bd63ddc2e5ab8bd573bb2c5b8cf64ee3dbd9508fcb41441fe6628007
Instruction ID: 0bcf428e438c5a2a05856f018c0595376d531cfc3a8b2954185eecd856172946
Opcode Fuzzy Hash: 2e994ac6bd63ddc2e5ab8bd573bb2c5b8cf64ee3dbd9508fcb41441fe6628007
Instruction Fuzzy Hash: A7211DB1E45318ABDB00DFD8DC49FAEB7B8FB44B14F108609F615BB284D77869008BA5

Function 03001220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0300123E
__aulldiv.LIBCMT ref: 03001258
__aulldiv.LIBCMT ref: 03001266

Strings

@, xrefs: 03001233

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: b3a73a8c2b7af1265022a38f42300e8ab44da388ab16a7bd56b124f1033f4da4
Instruction ID: baf26bd17701a061df941858a3a33e7986d39236a420958ff795dc4b8ff6697d
Opcode Fuzzy Hash: b3a73a8c2b7af1265022a38f42300e8ab44da388ab16a7bd56b124f1033f4da4
Instruction Fuzzy Hash: 810186B4D86308FBEB14DBD4DC49B9DB778AB44701F248044F705BB1C0D77495518759

Function 03018680 Relevance: 6.1, APIs: 4, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,030205B7), ref: 030186CA
Process32First.KERNEL32(?,00000128), ref: 030186DE
Process32Next.KERNEL32(?,00000128), ref: 030186F3
CloseHandle.KERNELBASE(?), ref: 03018761

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d46e82e8a8b263fcb84c4bbdc2eca0840060eb0e795f010c190ffcb58f83a81a
Instruction ID: f4ba556a425da5481f0e85d2e9cf31cc99e14c8ae152c6d8af0530f58ea83546
Opcode Fuzzy Hash: d46e82e8a8b263fcb84c4bbdc2eca0840060eb0e795f010c190ffcb58f83a81a
Instruction Fuzzy Hash: 30316076A03218EBCB24EF54DD44FEEB778EF45710F008199E10AAA190DB706B55CFA0

Function 03019860 Relevance: 4.7, APIs: 3, Instructions: 212
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,03016A00), ref: 03019A9A
LoadLibraryA.KERNELBASE(?,?,03016A00), ref: 03019AAB
LoadLibraryA.KERNELBASE(?,?,03016A00), ref: 03019ACF

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9e07d61c7e70f4f4af2ec2c2ea1b36cb5d4bbc755d5708e9f1769f98ad0bfdf8
Instruction ID: b3777c8c20aa6326018a03b228bb1e06e5f13f5b3c2e82f8e631730eea2eb448
Opcode Fuzzy Hash: 9e07d61c7e70f4f4af2ec2c2ea1b36cb5d4bbc755d5708e9f1769f98ad0bfdf8
Instruction Fuzzy Hash: 93A11ABE5C52409FE364FFA8FA9CA6A3BF9F748701704C51AE60A8724CD7399441DB50

Function 03006280 Relevance: 4.7, APIs: 3, Instructions: 191
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 030047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 03004849

InternetOpenA.WININET(03020DFE,00000001,00000000,00000000,00000000,03020DFB), ref: 030062E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 03006335
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 030063D1

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Internet$ConnectCrackHttpOpenRequestSend
String ID:
API String ID: 906070938-0
Opcode ID: 9b29e739940def0c11258315aa6f44cbd95f8833da350ecb980a2c5c1b53a60a
Instruction ID: cc5a9190e6c4ac4539052ece69fc4329236e1c61bbd9224c0a2cd4250553a100
Opcode Fuzzy Hash: 9b29e739940def0c11258315aa6f44cbd95f8833da350ecb980a2c5c1b53a60a
Instruction Fuzzy Hash: 8A715375A42318ABEB14EFA0DC48BDE77B5FB44700F108198F5056B5C4DBB56A85CF50

Function 030047B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCrackUrlA.WININET(00000000,00000000), ref: 03004849

Strings

<, xrefs: 030047C9

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: CrackInternet
String ID: <
API String ID: 1381609488-4251816714
Opcode ID: 991ac4fe407fc565cf514fbb09cfa8b73e4316d71c501f7f69334fda43eb142c
Instruction ID: ddc0d8e7b692cc2fb342f6b433e073c622d7563e3de53fba02bf03a407a37dee
Opcode Fuzzy Hash: 991ac4fe407fc565cf514fbb09cfa8b73e4316d71c501f7f69334fda43eb142c
Instruction Fuzzy Hash: 3F2129B5D01209ABDF14EFA4E949BDD7B74FF44320F108225F925AB280EB706A15CF91

Function 030045C0 Relevance: 3.1, APIs: 2, Instructions: 114
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,030169FB), ref: 0300460E
VirtualProtect.KERNELBASE(?,00000004,00000100,00000000), ref: 0300479C

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocateHeapProtectVirtual
String ID:
API String ID: 1542196881-0
Opcode ID: 53c87bae456867156331a3edb8938b9a3b97c281be398898fc5c28919d107860
Instruction ID: e66f7728faaf15cb063b2976baa04f85f752e25749840fae687bccd44aeda8c8
Opcode Fuzzy Hash: 53c87bae456867156331a3edb8938b9a3b97c281be398898fc5c28919d107860
Instruction Fuzzy Hash: 4041FC71643214EFC71EFBE4EC8DA5DBF74AB49706B408040FA269D149C6B8D581DB3A

Function 030169F0 Relevance: 3.1, APIs: 2, Instructions: 94
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03001160: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,03016A17,03020AEF), ref: 0300116A

Part of subcall function 03001110: VirtualAllocExNuma.KERNELBASE(00000000,?,?,03016A1C), ref: 03001132

Part of subcall function 03001220: GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0300123E
Part of subcall function 03001220: __aulldiv.LIBCMT ref: 03001258
Part of subcall function 03001220: __aulldiv.LIBCMT ref: 03001266

GetUserDefaultLCID.KERNELBASE ref: 03016A26

Part of subcall function 03017850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0301789F

Part of subcall function 030178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0301792F

Sleep.KERNELBASE(00001770), ref: 03016B04

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoMemoryNumaSleepStatusSystemVirtual
String ID:
API String ID: 1990115934-0
Opcode ID: 548191ace84bd1e8d687dcec2d5851cab8c4ab44e8da7b3be0391eed0f464f76
Instruction ID: 50c43d4a6b748a13438552e7209e67e1f942a8f8c48e889f0dcc9885f47feda2
Opcode Fuzzy Hash: 548191ace84bd1e8d687dcec2d5851cab8c4ab44e8da7b3be0391eed0f464f76
Instruction Fuzzy Hash: AF310E79A43308ABDB08FBF0ED55BEE7778AF84750F404518E512AA180DFB06956CBA1

Function 03004FB0 Relevance: 3.1, APIs: 2, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 03004FD1
KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 0300508A

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocateDispatcherExceptionHeapUser
String ID:
API String ID: 3515689010-0
Opcode ID: ace0ffa0fe90d0189e04c56b7f667d348ca0cc9868648b44dcbaf06e090ed57c
Instruction ID: 7f00477b429312138b79485dba771c6d5590afd08f0dcb321dd895127e34ca54
Opcode Fuzzy Hash: ace0ffa0fe90d0189e04c56b7f667d348ca0cc9868648b44dcbaf06e090ed57c
Instruction Fuzzy Hash: DF3116B4A41218ABEB20DF54DD88BDDB7B4FB48704F1081D8FB09A7284D7706AC58F98

Function 030183DC Relevance: 3.1, APIs: 2, Instructions: 64
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 03018426
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 0301847B
RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400), ref: 030184EC
RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,03020B34), ref: 03018599
RegCloseKey.KERNELBASE(00000000), ref: 03018608

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseEnumOpen
String ID:
API String ID: 2041898428-0
Opcode ID: 3c1ddab1e1e2fc495b8b75f483d3fbbb7b950b77f480818bd8b03cdfb0cb63c0
Instruction ID: 3171f417cebdf3cacdacc63076334654e4a812c6486e47a7bf01df1550f873e7
Opcode Fuzzy Hash: 3c1ddab1e1e2fc495b8b75f483d3fbbb7b950b77f480818bd8b03cdfb0cb63c0
Instruction Fuzzy Hash: DB210775A5122CABDB64DB54DC84FE9B3B8FB48704F00C5D8A609A6140DF716A85CFD4

Function 03017E00 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,?), ref: 03017E5E
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,000000FF,000000FF), ref: 03017E7F

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: d70d6ed18108f476b7397f00f9b0b143f4d25a9867fc9826adcaca58aec8c67b
Instruction ID: da56fe5c6bf95f9e3b0675eea83ae9cf83de47cc32a7c9206718051b7a4810a8
Opcode Fuzzy Hash: d70d6ed18108f476b7397f00f9b0b143f4d25a9867fc9826adcaca58aec8c67b
Instruction Fuzzy Hash: 09115EB5A80209EBD710DF94E94AFBFBBFCFB08B10F108119F615A7284D77458008BA1

Function 03017690 Relevance: 3.0, APIs: 2, Instructions: 43
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,00000000), ref: 030176DD
RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,000000FF), ref: 030176FE

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 2cfe81a1bbcb633de7b3cba97630941a00741b67bf408183887777fba70dc298
Instruction ID: 8374164d645a88533f95a60ed2dc300c67e27e27cb3530c15864cf5c31c19afc
Opcode Fuzzy Hash: 2cfe81a1bbcb633de7b3cba97630941a00741b67bf408183887777fba70dc298
Instruction Fuzzy Hash: 6601FFB9A81308BBE710EBE4F94DFAEB7BCEB48B01F108454FA0597284E77499148B50

Function 03017720 Relevance: 3.0, APIs: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,030176B9), ref: 0301775B
RegQueryValueExA.KERNELBASE(030176B9,03020AAC,00000000,00000000,?,000000FF), ref: 0301777A

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 658aae03dfb541944ec6bb47c328ce1dffcd115f36223d5b86f2d80427a4e5ac
Instruction ID: d4fd76622e5d63bccb7c5e96d10d6359219f996125a92ccac99d5054f04d4292
Opcode Fuzzy Hash: 658aae03dfb541944ec6bb47c328ce1dffcd115f36223d5b86f2d80427a4e5ac
Instruction Fuzzy Hash: E90144B9A40308BBE710EBE0EC4DFAEB7BCEB48700F008154FA05A7285D77056008F51

Function 03017A30 Relevance: 1.5, APIs: 1, Instructions: 49timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNELBASE(?,?,?,?,00000000,00000000,?,?,00000000,?,03020E10,00000000,?,00000000,00000000,?), ref: 03017A7D

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: e3e0fb6b9507e79d8c374bc2d4851707a5349562b7e314bffb4938cc7d5ecf97
Instruction ID: 4d75731ba4c3e5244998a2b97a9316662a2d2a58fab45549f14327a322f33224
Opcode Fuzzy Hash: e3e0fb6b9507e79d8c374bc2d4851707a5349562b7e314bffb4938cc7d5ecf97
Instruction Fuzzy Hash: FC1152B1946228DFEB10DB54EC49FAAB7B8F744711F004795E51693280D7745A44CF51

Function 030178E0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 0301792F

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 784a74a341ab64cfe0fe320cbf0b3b4554d8f9617343160e6682d0fe3fee76f3
Instruction ID: dc9a60619341943e14fd79834870d9ef222a7eecd0140238f9518dbf284593d1
Opcode Fuzzy Hash: 784a74a341ab64cfe0fe320cbf0b3b4554d8f9617343160e6682d0fe3fee76f3
Instruction Fuzzy Hash: 7101A4B1A45208EFD700DF98E949BAFBBFCFB04B21F10425AFA45E3280C37459048BA1

Function 03017850 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000104,00000104), ref: 0301789F

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 7170628863fa0e261dc163437cf8962038cc222a4faf9d27f898f6dc0316a022
Instruction ID: 43c1f7c83430484d8ab736c067ceebd3f7b71a7f59eb26d7c35628ad76d9a3d7
Opcode Fuzzy Hash: 7170628863fa0e261dc163437cf8962038cc222a4faf9d27f898f6dc0316a022
Instruction Fuzzy Hash: 07F04FB5985208EFC710DF98E949BAEBBB8EB04B11F10465AFA15A2680C77415048BA1

Function 03017ED0 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(03020E2C), ref: 03017F00

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ee2d397246628077d00c16b0ca79215db3a5a111e065cfd3548694313971430e
Instruction ID: 4f4ff272cdc2142c07cf4ca5f809034abbc4e654df17799356b8b655075a6e7a
Opcode Fuzzy Hash: ee2d397246628077d00c16b0ca79215db3a5a111e065cfd3548694313971430e
Instruction Fuzzy Hash: 02F0F6B1940218EFCB10DF84EC45FAEF7BCF744A10F004669F51592640D37529048BD0

Function 03019470 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 030194A5

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 4fc58b8528ba46fa34305869a35ca3dbe3baaeedbb67c42330990d985e3d7b9c
Instruction ID: a4fb889a383ce071cd376f06bed0114efff40c2afdf8008fcb2cad483e353c72
Opcode Fuzzy Hash: 4fc58b8528ba46fa34305869a35ca3dbe3baaeedbb67c42330990d985e3d7b9c
Instruction Fuzzy Hash: 67F0547994020CFBDB15EF94EC4DFED7778EB08710F008454BA095B180D7B45A85CB90

Function 03001110 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(00000000,?,?,03016A1C), ref: 03001132

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 802dfad3297e466209cd6a167a078182725109781702f2aadfdc66f8b16dc2b9
Instruction ID: ecac5561627ec86e1c40491935c6ee6ccf9c7d731f742486db4842b189af5f5f
Opcode Fuzzy Hash: 802dfad3297e466209cd6a167a078182725109781702f2aadfdc66f8b16dc2b9
Instruction Fuzzy Hash: F5E0E678985308FBF754BBA5FD0EB4D76B8EF04B05F504054F7097A1C4D7B526009699

Function 03001160 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,03016A17,03020AEF), ref: 0300116A

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0bd171d6c86b6a24e0f6f53f1f3e731d0a6bb3589d387311ef86645ed4c6578a
Instruction ID: fd86e55cf88d53bfadebec0238851e73bc238aea7f1e4d5073e88d7288cbf616
Opcode Fuzzy Hash: 0bd171d6c86b6a24e0f6f53f1f3e731d0a6bb3589d387311ef86645ed4c6578a
Instruction Fuzzy Hash: AFD05E78D4030CDBDB14EFE4E94D6DDBB78FB08311F000594E90562340EB306481CAA5

Function 030010A0 Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,0300114E,?,?,03016A1C), ref: 030010B3

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ddea72b1fba015e6116bee463e87dff8438e9dfc578f0fe217d02666f7775e32
Instruction ID: 98e9fb7fba78baa96df9cf5ffcdd829a5adb3f6e956d02cd71c7fbdf7f5c3917
Opcode Fuzzy Hash: ddea72b1fba015e6116bee463e87dff8438e9dfc578f0fe217d02666f7775e32
Instruction Fuzzy Hash: A0F0E275682308BBE714EAA8AD49FAEB7E8E705B15F304448F544E7280D6719F00CAA0

Non-executed Functions

Function 0301C742 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0301C74E

Part of subcall function 0301BF9F: __getptd_noexit.LIBCMT ref: 0301BFA2
Part of subcall function 0301BF9F: __amsg_exit.LIBCMT ref: 0301BFAF

__getptd.LIBCMT ref: 0301C765
__amsg_exit.LIBCMT ref: 0301C773
__lock.LIBCMT ref: 0301C783
__updatetlocinfoEx_nolock.LIBCMT ref: 0301C797

Memory Dump Source

Source File: 00000007.00000002.2655410531.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3000000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 9ec809c7665464ed317ac8c52ad5f4da0138a64fc0e979b7f78106c3fda5c408
Instruction ID: 109331962446417125b812f4b08c54dcc6bdef115245fc072145cd564ae4f165
Opcode Fuzzy Hash: 9ec809c7665464ed317ac8c52ad5f4da0138a64fc0e979b7f78106c3fda5c408
Instruction Fuzzy Hash: 9FF0F077A837109FE720FBF8540578E33E06F80724F24414CE004AF1C0CFA898608B45

Analysis Process: aspnet_regiis.exePID: 5276, Parent PID: 5344COMMON

Execution Graph

Execution Coverage:	19.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1163
Total number of Limit Nodes:	6

Executed Functions

Function 03197B90 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNELBASE(?,00000002,?,00000200), ref: 03197C62

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 197df7a1ea7ca13079d964ab4362b006bd7ae55af18a0a6e83c715f5c1846b5e
Instruction ID: 59b1a0372aee4d5e45ce97d2423e0160a5172b8d7a8733a5d5d962c192000562
Opcode Fuzzy Hash: 197df7a1ea7ca13079d964ab4362b006bd7ae55af18a0a6e83c715f5c1846b5e
Instruction Fuzzy Hash: 89413C75950218ABEF24DB94DC98BEEB7B8FF48701F5041DAE00966180DB346F89CFA0

Function 03199C10 Relevance: 12.7, APIs: 8, Instructions: 684
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,03195CA3,?,00000034,00000064,03196600,?,0000002C,00000064,031965A0,?,00000030,00000064,Function_00015AD0,?), ref: 0319A03D
LoadLibraryA.KERNELBASE(?,?,03195CA3,?,00000034,00000064,03196600,?,0000002C,00000064,031965A0,?,00000030,00000064,Function_00015AD0,?), ref: 0319A04E
LoadLibraryA.KERNELBASE(?,?,03195CA3,?,00000034,00000064,03196600,?,0000002C,00000064,031965A0,?,00000030,00000064,Function_00015AD0,?), ref: 0319A060
LoadLibraryA.KERNELBASE(?,?,03195CA3,?,00000034,00000064,03196600,?,0000002C,00000064,031965A0,?,00000030,00000064,Function_00015AD0,?), ref: 0319A072
LoadLibraryA.KERNELBASE(?,?,03195CA3,?,00000034,00000064,03196600,?,0000002C,00000064,031965A0,?,00000030,00000064,Function_00015AD0,?), ref: 0319A083
LoadLibraryA.KERNELBASE(?,?,03195CA3,?,00000034,00000064,03196600,?,0000002C,00000064,031965A0,?,00000030,00000064,Function_00015AD0,?), ref: 0319A095
LoadLibraryA.KERNELBASE(?,?,03195CA3,?,00000034,00000064,03196600,?,0000002C,00000064,031965A0,?,00000030,00000064,Function_00015AD0,?), ref: 0319A0A7
LoadLibraryA.KERNELBASE(?,?,03195CA3,?,00000034,00000064,03196600,?,0000002C,00000064,031965A0,?,00000030,00000064,Function_00015AD0,?), ref: 0319A0B8

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d9740c5cf27f5f3c9be43b683bd5fb0386f7d401136714d810cf3fff9c313d2a
Instruction ID: 61d22691fe8d52311e94164383e3e4dcb553aa4e27a8afead5d70da87b54c4fa
Opcode Fuzzy Hash: d9740c5cf27f5f3c9be43b683bd5fb0386f7d401136714d810cf3fff9c313d2a
Instruction Fuzzy Hash: D562F9B6520208AFD744FFA8E9D89663BFDF78C702F14851AB609C324CDA39B851DB54

Function 03198320 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 196
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000,031A05B6), ref: 031983A4
RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 03198426
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 0319847B

Strings

?, xrefs: 0319837A

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Open$Enum
String ID: ?
API String ID: 462099255-1684325040
Opcode ID: 6d95b2f35f1b949f156435190ca20865f8595999f161a1ad28d92d9ab6864a2c
Instruction ID: 46d8649f85c7a820fff90b490975e29313ed7cfd5bdc7a5ba4edf33e8d081931
Opcode Fuzzy Hash: 6d95b2f35f1b949f156435190ca20865f8595999f161a1ad28d92d9ab6864a2c
Instruction Fuzzy Hash: F881ED7592021C9BEB28EB54CD95FEAB7BCBF48701F0082D9E109A6140DF756B89CF90

Function 03197500 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0319757F

Strings

:, xrefs: 0319755C
C, xrefs: 0319754C
\, xrefs: 03197560

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: e00fa41c4ff01edd4f88242fcbb0ba0e162b2bdbc33f6e641d21f394d3f463e4
Instruction ID: 2586ef0586b15d784d35ee9648aca4be2b49e133e8a69830f5cf7ef9235336e9
Opcode Fuzzy Hash: e00fa41c4ff01edd4f88242fcbb0ba0e162b2bdbc33f6e641d21f394d3f463e4
Instruction Fuzzy Hash: 154194B5D10358ABEF10DF94DC85BEEBBB8EF0C704F000199E509AB280D7756A84CBA5

Function 03198100 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,00000040,00000000), ref: 03198158
__aulldiv.LIBCMT ref: 03198172
__aulldiv.LIBCMT ref: 03198180

Strings

@, xrefs: 0319814D

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 989007267a273c8575987b43778335dfae08703a0cac9f25825c7d2a0a7118b6
Instruction ID: 8060b1d21f03210d298361f0978b17b4e9af270bef3a676f16bfa626bf904419
Opcode Fuzzy Hash: 989007267a273c8575987b43778335dfae08703a0cac9f25825c7d2a0a7118b6
Instruction Fuzzy Hash: 5F213BB1E44308ABEB00DFD4DD49FAEB7B8FB49B01F104119F605BB280C77869008BA5

Function 03181220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0318123E
__aulldiv.LIBCMT ref: 03181258
__aulldiv.LIBCMT ref: 03181266

Strings

@, xrefs: 03181233

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 2297d5de4116f02b8d47c405d2184f20356bc5988db09d2743a706fe56b12b91
Instruction ID: f4e860dbe8561afb797f760a535edbaaa35722ba5f883e506589e249bca8fe69
Opcode Fuzzy Hash: 2297d5de4116f02b8d47c405d2184f20356bc5988db09d2743a706fe56b12b91
Instruction Fuzzy Hash: 1A01FBB1D44308BBEF10EBE4DC49B9EBB79AB0C705F248059E605BA280D774A5468B9D

Function 03198680 Relevance: 6.1, APIs: 4, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,031A05B7), ref: 031986CA
Process32First.KERNEL32(?,00000128), ref: 031986DE
Process32Next.KERNEL32(?,00000128), ref: 031986F3
CloseHandle.KERNELBASE(?), ref: 03198761

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: bb758eb9bc775b669406012e7b6f577e74728e46df1a704b0db95855ea32c081
Instruction ID: d2f5781430de1f044c384423d005415cb36db3bec09e808369a8e3face9cdeef
Opcode Fuzzy Hash: bb758eb9bc775b669406012e7b6f577e74728e46df1a704b0db95855ea32c081
Instruction Fuzzy Hash: 3B315E75911218ABDF28EF95DC94FEEB77CFF49701F00419AE10AA6190DB306A49CFA0

Function 03199860 Relevance: 4.7, APIs: 3, Instructions: 212
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,03196A00), ref: 03199A9A
LoadLibraryA.KERNELBASE(?,?,03196A00), ref: 03199AAB
LoadLibraryA.KERNELBASE(?,?,03196A00), ref: 03199ACF

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 28dd0660db64834f4d80bdd472951e124dad8c28a6277bb2e9b32d5e46230f96
Instruction ID: 710e733630aa584e0f8584122193e4ac1e1ac5a6a25e4d58e8cce5df4f774361
Opcode Fuzzy Hash: 28dd0660db64834f4d80bdd472951e124dad8c28a6277bb2e9b32d5e46230f96
Instruction Fuzzy Hash: 40A108B55202489FD344FBA8F9C8A663BFDF74C302F14851AB6158324CDB39B852DB54

Function 03186280 Relevance: 4.7, APIs: 3, Instructions: 191
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 031847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 03184849

InternetOpenA.WININET(031A0DFE,00000001,00000000,00000000,00000000,031A0DFB), ref: 031862E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 03186335
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 031863D1

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Internet$ConnectCrackHttpOpenRequestSend
String ID:
API String ID: 906070938-0
Opcode ID: 774f6448bc9ab2bac47a86613b447205f53d21f2b7ae97cbd678caf5d49bba9a
Instruction ID: 6686b654b552a4a4f8bc50c47c490009c8eef3d21a9bfcae67a8578fd449cdef
Opcode Fuzzy Hash: 774f6448bc9ab2bac47a86613b447205f53d21f2b7ae97cbd678caf5d49bba9a
Instruction Fuzzy Hash: 91715275A10318ABEF14EF94CC49BEEB778BF48701F104199E6096B184DB746A89CF50

Function 031847B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCrackUrlA.WININET(00000000,00000000), ref: 03184849

Strings

<, xrefs: 031847C9

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: CrackInternet
String ID: <
API String ID: 1381609488-4251816714
Opcode ID: 4fa6c58432d2c69b48a522038071f9cb7a35550f80ab6906d539a845191b8c9b
Instruction ID: 5a7e3ae9b849178a858a56ce611dd3ff07464430a23854f24782c928f8d6d992
Opcode Fuzzy Hash: 4fa6c58432d2c69b48a522038071f9cb7a35550f80ab6906d539a845191b8c9b
Instruction Fuzzy Hash: 80210EB5D00219ABDF14EFA4E845BDD7B74FF44321F108225F915AB280EB706A15CF91

Function 031845C0 Relevance: 3.1, APIs: 2, Instructions: 114
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,031969FB), ref: 0318460E
VirtualProtect.KERNELBASE(?,00000004,00000100,00000000), ref: 0318479C

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocateHeapProtectVirtual
String ID:
API String ID: 1542196881-0
Opcode ID: 157f6698090a99676dcb43f0f2f846eaf06462e09a222e16519fcc68235cb491
Instruction ID: 97d9a48e7e0a3748aff9d00d1733dd740506d49265337954b3883b272894806b
Opcode Fuzzy Hash: 157f6698090a99676dcb43f0f2f846eaf06462e09a222e16519fcc68235cb491
Instruction Fuzzy Hash: 1641C979744604EFC71CFBE8E8CDA5C7B72BB4D603B4A8046F5629910ACBB0D5819B32

Function 031969F0 Relevance: 3.1, APIs: 2, Instructions: 94
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03181160: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,03196A17,031A0AEF), ref: 0318116A

Part of subcall function 03181110: VirtualAllocExNuma.KERNELBASE(00000000,?,?,03196A1C), ref: 03181132

Part of subcall function 03181220: GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0318123E
Part of subcall function 03181220: __aulldiv.LIBCMT ref: 03181258
Part of subcall function 03181220: __aulldiv.LIBCMT ref: 03181266

GetUserDefaultLCID.KERNELBASE ref: 03196A26

Part of subcall function 03197850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0319789F

Part of subcall function 031978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0319792F

Sleep.KERNELBASE(00001770), ref: 03196B04

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoMemoryNumaSleepStatusSystemVirtual
String ID:
API String ID: 1990115934-0
Opcode ID: d24fe0a241ebe362e9b51716534f2246f04a7b7ce4e8879049943b8004b75db4
Instruction ID: 706771be6f874207d4694c121ce62883b4b30e6ffa012656953c2c1d909ed0b8
Opcode Fuzzy Hash: d24fe0a241ebe362e9b51716534f2246f04a7b7ce4e8879049943b8004b75db4
Instruction Fuzzy Hash: 2F311A79A50308ABEF04FBF0DC55AEE7778BF0C741F40456AE112AA180EF706909CBA5

Function 03184FB0 Relevance: 3.1, APIs: 2, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 03184FD1
KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 0318508A

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocateDispatcherExceptionHeapUser
String ID:
API String ID: 3515689010-0
Opcode ID: c14bfa4dc583be234af3da9e4b56cfc585df15b1c787e6c9f29d5fac722cecaf
Instruction ID: 82e96ba516e0d5895d52bd106eca9dfa783efd84335c09ea6c3fd0203d014e90
Opcode Fuzzy Hash: c14bfa4dc583be234af3da9e4b56cfc585df15b1c787e6c9f29d5fac722cecaf
Instruction Fuzzy Hash: 5A31F7B4A4021CABDB24DF54DC85BDCB7B9FB48705F1081D9F609A7284D7706AC58FA8

Function 031983DC Relevance: 3.1, APIs: 2, Instructions: 64
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 03198426
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 0319847B
RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400), ref: 031984EC
RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,031A0B34), ref: 03198599
RegCloseKey.KERNELBASE(00000000), ref: 03198608

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseEnumOpen
String ID:
API String ID: 2041898428-0
Opcode ID: cd49d97c5300413459ced9047d3b83341159e109e0881070fcb00776009173e9
Instruction ID: d74e9dc112953635b50f0e87ac7b2e0dd001bc517c9936bb35a682720486b0ce
Opcode Fuzzy Hash: cd49d97c5300413459ced9047d3b83341159e109e0881070fcb00776009173e9
Instruction Fuzzy Hash: 8321197191022CABEB24DB54DC85FE9B7B8FB48701F00C1D9E609A6140DF71AA85CFD4

Function 03197E00 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,?), ref: 03197E5E
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,000000FF,000000FF), ref: 03197E7F

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 9c9f04e6177d42f6147be3cb72731168d00d92bcc05e389e93c47c6c52361394
Instruction ID: 67c157dd5baa58de05e86e3b37b15cbdc1ad394bb0be99ce87853f497aa59d7c
Opcode Fuzzy Hash: 9c9f04e6177d42f6147be3cb72731168d00d92bcc05e389e93c47c6c52361394
Instruction Fuzzy Hash: 4D115EB1A54209EFEB04DFD5D989FBBBBBCFB48B11F10411AF615A7284D77468008BA1

Function 03197690 Relevance: 3.0, APIs: 2, Instructions: 43
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,00000000), ref: 031976DD
RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,000000FF), ref: 031976FE

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 9c32544b159ffc645d988d67d7e5cb45e86dc6fed905aaf59f6cc3c6d44d3a27
Instruction ID: 6eb8e91911fe44518add5922862e7ea9075b8dc87214ec0264e45dac224213a3
Opcode Fuzzy Hash: 9c32544b159ffc645d988d67d7e5cb45e86dc6fed905aaf59f6cc3c6d44d3a27
Instruction Fuzzy Hash: 95014FB9A10308BBEB04EBE4DD8DFA9BBBCEB48701F004055FA04D7284D770A9448B50

Function 03197720 Relevance: 3.0, APIs: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,031976B9), ref: 0319775B
RegQueryValueExA.KERNELBASE(031976B9,031A0AAC,00000000,00000000,?,000000FF), ref: 0319777A

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: a2f7b4dbdddd16a06fad838a7c297a7f297f96835b22d372e5746d49aaf224e5
Instruction ID: ec71cb6f565e0fcb711596bcfdfad8df6d9d494016187c0c1f8e294cd0bc43f9
Opcode Fuzzy Hash: a2f7b4dbdddd16a06fad838a7c297a7f297f96835b22d372e5746d49aaf224e5
Instruction Fuzzy Hash: 4701F4B9A50308BBEB00EBE4DC89FAEB7BCFB48705F104555FA05A7285D77065408B51

Function 03197A30 Relevance: 1.5, APIs: 1, Instructions: 49timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNELBASE(?,?,?,?,00000000,00000000,?,?,00000000,?,031A0E10,00000000,?,00000000,00000000,?), ref: 03197A7D

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 289178865a20f3157423bb443d7ee5a0e75e78e3bbca86063a90d1e0a2811052
Instruction ID: 0e813ffbba7047547efd35f0e0bea5b2a8dcd529fca44eb470c84a3ebba31788
Opcode Fuzzy Hash: 289178865a20f3157423bb443d7ee5a0e75e78e3bbca86063a90d1e0a2811052
Instruction Fuzzy Hash: B7115EB1945218EFEB20DB54DD49FA9BBBCFB08722F00479AE91A932C0D7746A44CF51

Function 031978E0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 0319792F

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: d489fed550e30467e7d48c6dfc2c8748108ab7e7c53325af16400c74df24d15b
Instruction ID: a9091cf2d4ed59bb9f183ed7ebd4023a503dd08858e9d4d36c207124e3b0f673
Opcode Fuzzy Hash: d489fed550e30467e7d48c6dfc2c8748108ab7e7c53325af16400c74df24d15b
Instruction Fuzzy Hash: 8E0186B1A14208EFDB04EF98D945BAEBBBCFB08B22F10425AF545E3280C37455048BA1

Function 03197850 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000104,00000104), ref: 0319789F

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 8a50c8a40e7cd7ae2c3095dad535f8d0f41ee79c76ea3480ab35d044fe451161
Instruction ID: 2a8942105ae5f748ff0fa7809590d3cc17ef451b33c6402315e5854f866a3aaa
Opcode Fuzzy Hash: 8a50c8a40e7cd7ae2c3095dad535f8d0f41ee79c76ea3480ab35d044fe451161
Instruction Fuzzy Hash: 02F044B1D54208AFDB14DF95D945BAEBBBCFB09711F10015AF615A2680C77425048BA1

Function 03197ED0 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(031A0E2C), ref: 03197F00

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 25b8f9af2181f60d120b75c616d4c710056bb07dd782996418179b8f7bde367c
Instruction ID: ca7819d1ffd6c64e61b991edc0b4b78c85e6b8f29844ba40343e10eeaafd0631
Opcode Fuzzy Hash: 25b8f9af2181f60d120b75c616d4c710056bb07dd782996418179b8f7bde367c
Instruction Fuzzy Hash: E7F096B1910608EFDB14DF84DC45FAAF7BCFB48A15F00066AF51592280D77569448BD0

Function 03199470 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 031994A5

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 106b1e6de074b9973e97802a6996886e69919c41b917c06bea6eb4511aca0536
Instruction ID: 29d1eaa9e611a97cc99bfdb450b23863c965cc3b117f06181eabdbd02fda4a85
Opcode Fuzzy Hash: 106b1e6de074b9973e97802a6996886e69919c41b917c06bea6eb4511aca0536
Instruction Fuzzy Hash: 31F0307490020CEBDB05EFA4D88AFED7778FB08701F004558BA0957180D7B06A85CB90

Function 03181110 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(00000000,?,?,03196A1C), ref: 03181132

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: f52190c9b4b3b525d2147d9e5ab221d1a4fb5286177574c95ff3ab5dcf9cd4de
Instruction ID: 22003b47b384828875f0913440eda86e520129dc85635045e3c1253ace4bd203
Opcode Fuzzy Hash: f52190c9b4b3b525d2147d9e5ab221d1a4fb5286177574c95ff3ab5dcf9cd4de
Instruction Fuzzy Hash: 28E0E67199530CFBE710BBA19C4EB097A7CBB04B02F104154F6097A1C4D7B536019B99

Function 03181160 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,03196A17,031A0AEF), ref: 0318116A

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: a389cb6c74f0ef370e0dc56550b07a180e0dd44a2b5da63f2dca1cd4392a4ef9
Instruction ID: 7f8a06a559bae3d59396a72aa95c2eedcd4ca3a2d9c75ae44f78c18be4a8f57d
Opcode Fuzzy Hash: a389cb6c74f0ef370e0dc56550b07a180e0dd44a2b5da63f2dca1cd4392a4ef9
Instruction Fuzzy Hash: 2AD0177490020C9BCB00EBE0D88969DBB7CFB08312F000594E80562340EA3064828BA5

Function 031810A0 Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,0318114E,?,?,03196A1C), ref: 031810B3

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4bdbe47adea3508d3bf0b9cf2d320a58b04c4e7046ba325c147084b436346a65
Instruction ID: 1818f0494564ac0be8e1bdd8269dd32cb042e6e2233113a377f273bdbf6ecba7
Opcode Fuzzy Hash: 4bdbe47adea3508d3bf0b9cf2d320a58b04c4e7046ba325c147084b436346a65
Instruction Fuzzy Hash: F3F0E971641308BBE714E7A49C49FAAB7ECE709715F300454F504E7280D6716E00CB54

Non-executed Functions

Function 0319C742 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0319C74E

Part of subcall function 0319BF9F: __getptd_noexit.LIBCMT ref: 0319BFA2
Part of subcall function 0319BF9F: __amsg_exit.LIBCMT ref: 0319BFAF

__getptd.LIBCMT ref: 0319C765
__amsg_exit.LIBCMT ref: 0319C773
__lock.LIBCMT ref: 0319C783
__updatetlocinfoEx_nolock.LIBCMT ref: 0319C797

Memory Dump Source

Source File: 0000000A.00000002.2661315717.0000000003180000.00000040.00000400.00020000.00000000.sdmp, Offset: 03180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3180000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: d6948bfd0cceedd3d3c4ed296984fd955fc3f649873c3feec903f6bf49530e32
Instruction ID: 260f208b5584e1812254d615652e13ca3d03dec74f8fcab5b7143dd6fd7f4ee9
Opcode Fuzzy Hash: d6948bfd0cceedd3d3c4ed296984fd955fc3f649873c3feec903f6bf49530e32
Instruction Fuzzy Hash: 34F0B47A908B009BFF28FBBC684175E77A06F0C721F15818BE454AF1C0DB6459809AD6

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report msvcp110.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_c7496913b9c4ddf6a8ea5944b8f620d91bfba12_edfe2fff_6d2334a9-d117-4c9d-a14b-c975bce9f6c7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_c7496913b9c4ddf6a8ea5944b8f620d91bfba12_edfe2fff_73e42fea-b641-47b7-9191-6583a7169bb0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_c7496913b9c4ddf6a8ea5944b8f620d91bfba12_edfe2fff_e6cff271-b88a-43cf-821c-19466915ba55\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER264A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2745.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2765.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A03.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AA0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AE0.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC16.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0CA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC119.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
msvcp110.dll

Function 00758680 Relevance: 6.1, APIs: 4, Instructions: 77
processCOMMON

Function 007445C0 Relevance: 3.1, APIs: 2, Instructions: 114
memoryCOMMON

Function 00759C10 Relevance: 12.7, APIs: 8, Instructions: 684
libraryCOMMON