Windows Analysis Report
Loader.exe

Overview

General Information

Sample name: Loader.exe
Analysis ID: 1546098
MD5: cf19765d8a9a2c2fd11a7a8c4ba3deda
SHA1: 63b5142b07b7773d4201932e7834ac11eafa1ab3
SHA256: 60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: Loader.exe Avira: detected
Source: 0.2.Loader.exe.6e4f0000.3.unpack Malware Configuration Extractor: LummaC {"C2 url": ["seallysl.site", "servicedny.site", "goalyfeastz.site", "mafnufacut.cyou", "dilemmadu.site", "contemteny.site", "opposezmny.site", "authorisev.site", "faulteyotk.site"], "Build id": "HpOoIh--17a9517add07"}
Source: Loader.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\gdi32.dll Joe Sandbox ML: detected
Source: Loader.exe Joe Sandbox ML: detected
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: servicedny.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: authorisev.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: faulteyotk.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: dilemmadu.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: contemteny.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: goalyfeastz.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: opposezmny.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: seallysl.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: mafnufacut.cyou
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033AD5AF CryptUnprotectData, 3_2_033AD5AF
Source: Loader.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: Loader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4FCB0B FindFirstFileExW, 0_2_6E4FCB0B

Networking

Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49711 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49730 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49712 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49712 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49724 -> 104.21.41.158:443
Source: Malware configuration extractor URLs: seallysl.site
Source: Malware configuration extractor URLs: servicedny.site
Source: Malware configuration extractor URLs: goalyfeastz.site
Source: Malware configuration extractor URLs: mafnufacut.cyou
Source: Malware configuration extractor URLs: dilemmadu.site
Source: Malware configuration extractor URLs: contemteny.site
Source: Malware configuration extractor URLs: opposezmny.site
Source: Malware configuration extractor URLs: authorisev.site
Source: Malware configuration extractor URLs: faulteyotk.site
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49714 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49715 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49716 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49724 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49730 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 104.21.41.158:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.6:49756
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mafnufacut.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 86 | Host: mafnufacut.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12866 | Host: mafnufacut.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15112 | Host: mafnufacut.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19970 | Host: mafnufacut.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1241 | Host: mafnufacut.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1142 | Host: mafnufacut.cyou
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 121 | Host: mafnufacut.cyou
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: mafnufacut.cyou
Source: unknown HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mafnufacut.cyou
Source: aspnet_regiis.exe, 00000003.00000003.2183061646.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2181667282.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2181132499.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236456187.00000000035EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mafnufacut.cyou:443/api
Source: aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000003.00000003.2182980628.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.or
Source: aspnet_regiis.exe, 00000003.00000003.2182980628.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C5210 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_033C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C5210 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_033C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C59B7 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 3_2_033C59B7

System Summary

Source: Loader.exe, -Module-.cs Large array initialization: _202B_200E_202E_206B_202D_206B_202B_206C_206A_202D_206B_206D_206F_206B_206A_206C_202B_206B_202A_206A_206D_200D_206C_206F_206E_200C_200E_202A_200B_202B_200D_206D_206B_206A_206C_200E_206C_200C_206C_202E_202E: array initializer size 62208
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4F38A0 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,NtGetContextThread,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle, 0_2_6E4F38A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4F3120 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW, 0_2_6E4F3120
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4F38A0 0_2_6E4F38A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4F3120 0_2_6E4F3120
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4F11B0 0_2_6E4F11B0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4F7650 0_2_6E4F7650
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4F2760 0_2_6E4F2760
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E5030D5 0_2_6E5030D5
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E514670 0_2_6E514670
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E515660 0_2_6E515660
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E548630 0_2_6E548630
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E50B6D5 0_2_6E50B6D5
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E512740 0_2_6E512740
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E52BF40 0_2_6E52BF40
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E52AF06 0_2_6E52AF06
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E50B728 0_2_6E50B728
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E51FFD8 0_2_6E51FFD8
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E5367E0 0_2_6E5367E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E54C780 0_2_6E54C780
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E51EFBF 0_2_6E51EFBF
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E543FA0 0_2_6E543FA0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E54CC50 0_2_6E54CC50
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E513C45 0_2_6E513C45
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E50B400 0_2_6E50B400
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E51EC2A 0_2_6E51EC2A
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E50DCE0 0_2_6E50DCE0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E50F48B 0_2_6E50F48B
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E543D40 0_2_6E543D40
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E511D60 0_2_6E511D60
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E54ED20 0_2_6E54ED20
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E52E5E0 0_2_6E52E5E0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E521210 0_2_6E521210
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E534AD0 0_2_6E534AD0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E52CAA0 0_2_6E52CAA0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E517B60 0_2_6E517B60
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E511360 0_2_6E511360
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E514B30 0_2_6E514B30
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E51B3EB 0_2_6E51B3EB
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E51439C 0_2_6E51439C
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E53F380 0_2_6E53F380
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E54C380 0_2_6E54C380
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E53F060 0_2_6E53F060
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E549020 0_2_6E549020
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E5290DE 0_2_6E5290DE
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E5190C0 0_2_6E5190C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E5180B0 0_2_6E5180B0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E516170 0_2_6E516170
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E529910 0_2_6E529910
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E5151D0 0_2_6E5151D0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E53D9B0 0_2_6E53D9B0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA10B8 0_2_00DA10B8
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA41FC 0_2_00DA41FC
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA59A0 0_2_00DA59A0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA6178 0_2_00DA6178
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA3BD2 0_2_00DA3BD2
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA1540 0_2_00DA1540
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA2500 0_2_00DA2500
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA08C0 0_2_00DA08C0
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA4011 0_2_00DA4011
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA100D 0_2_00DA100D
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA5990 0_2_00DA5990
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA3910 0_2_00DA3910
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA3902 0_2_00DA3902
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA4259 0_2_00DA4259
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA3C8F 0_2_00DA3C8F
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA3C42 0_2_00DA3C42
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA3C6D 0_2_00DA3C6D
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA2DC8 0_2_00DA2DC8
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA2DB9 0_2_00DA2DB9
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA3D63 0_2_00DA3D63
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA3E82 0_2_00DA3E82
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA4FD8 0_2_00DA4FD8
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA4FE8 0_2_00DA4FE8
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA3FED 0_2_00DA3FED
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E546B00 0_2_6E546B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033BEB60 3_2_033BEB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033CA2E0 3_2_033CA2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033A0130 3_2_033A0130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033A011A 3_2_033A011A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033CA97E 3_2_033CA97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0339F970 3_2_0339F970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B6800 3_2_033B6800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B509D 3_2_033B509D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033A00C5 3_2_033A00C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D4620 3_2_033D4620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033BA6D0 3_2_033BA6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033AD5AF 3_2_033AD5AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0339132D 3_2_0339132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0339DB20 3_2_0339DB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03398340 3_2_03398340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B1B40 3_2_033B1B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033A4BBF 3_2_033A4BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D33B0 3_2_033D33B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C9BA0 3_2_033C9BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D2380 3_2_033D2380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033BC3E0 3_2_033BC3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033A5BD8 3_2_033A5BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033CE230 3_2_033CE230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B0A24 3_2_033B0A24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0339A270 3_2_0339A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033BCA72 3_2_033BCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0339B260 3_2_0339B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0339F250 3_2_0339F250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033BAA40 3_2_033BAA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033AE298 3_2_033AE298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033912D5 3_2_033912D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D32C0 3_2_033D32C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D4920 3_2_033D4920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03397960 3_2_03397960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C9940 3_2_033C9940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C1980 3_2_033C1980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B41E0 3_2_033B41E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B91E0 3_2_033B91E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C31DE 3_2_033C31DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D31D0 3_2_033D31D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033A482A 3_2_033A482A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03391000 3_2_03391000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D2850 3_2_033D2850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033938E0 3_2_033938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0339A730 3_2_0339A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B9494 3_2_033B9494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D3720 3_2_033D3720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D1720 3_2_033D1720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B8F00 3_2_033B8F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0339D760 3_2_0339D760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03396F60 3_2_03396F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B762D 3_2_033B762D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03399FA8 3_2_03399FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03394FA0 3_2_03394FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03399F9C 3_2_03399F9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B6F82 3_2_033B6F82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C4F80 3_2_033C4F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D1F80 3_2_033D1F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033BB7FE 3_2_033BB7FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033BB7D9 3_2_033BB7D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B762D 3_2_033B762D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033A6E10 3_2_033A6E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033BBE10 3_2_033BBE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B2E50 3_2_033B2E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033BD642 3_2_033BD642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B26A0 3_2_033B26A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C86FE 3_2_033C86FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033AF510 3_2_033AF510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B9D00 3_2_033B9D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0339BD70 3_2_0339BD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C35B0 3_2_033C35B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_03398DA0 3_2_03398DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B55A4 3_2_033B55A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C2D80 3_2_033C2D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0339ADD0 3_2_0339ADD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033CEC20 3_2_033CEC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033BAC04 3_2_033BAC04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C4C60 3_2_033C4C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D4C50 3_2_033D4C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033994BF 3_2_033994BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B9494 3_2_033B9494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033AECDE 3_2_033AECDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033B7CD2 3_2_033B7CD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0339ECC0 3_2_0339ECC0
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 6E4F8610 appears 33 times
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 6E5266A0 appears 87 times
Source: C:\Users\user\Desktop\Loader.exe Code function: String function: 6E516CC0 appears 65 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 0339C8C0 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 033AC2A0 appears 176 times
Source: Loader.exe, 00000000.00000002.2133612238.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Loader.exe
Source: Loader.exe Binary or memory string: OriginalFilenameNathanOliviaChloe.YpP vs Loader.exe
Source: Loader.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Loader.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/2@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033C3950 CoCreateInstance, 3_2_033C3950
Source: C:\Users\user\Desktop\Loader.exe File created: C:\Users\user\AppData\Roaming\gdi32.dll
Source: C:\Users\user\Desktop\Loader.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4232:120:WilError_03
Source: Loader.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Loader.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Loader.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: aspnet_regiis.exe, 00000003.00000003.2169111393.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2154923285.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168913374.0000000005B27000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2154642914.0000000005B28000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Loader.exe ReversingLabs: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Loader.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Loader.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Loader.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Loader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Loader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Loader.exe, -Module-.cs .Net Code: _200D_200B_200E_202A_206A_206C_200F_206D_200E_206A_206A_202E_200D_202B_206A_206F_202A_202C_206A_202B_200E_206A_202B_200E_202E_202A_202E_202E_202D_206D_200D_206C_202C_200B_206D_202D_200B_206E_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E503804 push ecx; ret 0_2_6E503817
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_00DA3866 push 00000035h; retf 0_2_00DA3869
Source: Loader.exe Static PE information: section name: .text entropy: 7.856893494807448
Source: C:\Users\user\Desktop\Loader.exe File created: C:\Users\user\AppData\Roaming\gdi32.dll Jump to dropped file
Source: C:\Users\user\Desktop\Loader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Loader.exe PID: 4560, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: DA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 2D20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 2B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 5170000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 6170000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 62A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 72A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 7630000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 8630000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: 9630000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe TID: 6484 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 5972 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4FCB0B FindFirstFileExW, 0_2_6E4FCB0B
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000002.2236456187.00000000035EC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: aspnet_regiis.exe, 00000003.00000003.2169054454.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2154322168.0000000003677000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gFHNSRWNQuMfmd1lSKnRfXzO/vNgRSts+PyOlZzV7C6fEuIETcpVqEmungkL/9As]
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_033D0D90 LdrInitializeThunk, 3_2_033D0D90
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4FC45A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4FC45A
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4FE22F GetProcessHeap, 0_2_6E4FE22F
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4F7FC1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E4F7FC1
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4F849A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4F849A
Source: C:\Users\user\Desktop\Loader.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Loader.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3390000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3390000 value starts with: 4D5A Jump to behavior
Source: Loader.exe String found in binary or memory: opposezmny.site
Source: Loader.exe String found in binary or memory: seallysl.site
Source: Loader.exe String found in binary or memory: mafnufacut.cyou
Source: Loader.exe String found in binary or memory: faulteyotk.site
Source: Loader.exe String found in binary or memory: dilemmadu.site
Source: Loader.exe String found in binary or memory: contemteny.site
Source: Loader.exe String found in binary or memory: goalyfeastz.site
Source: Loader.exe String found in binary or memory: servicedny.site
Source: Loader.exe String found in binary or memory: authorisev.site
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3390000 Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3391000 Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 33D6000 Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 33D9000 Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 33E9000 Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3130008 Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4F8658 cpuid 0_2_6E4F8658
Source: C:\Users\user\Desktop\Loader.exe Queries volume information: C:\Users\user\Desktop\Loader.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe Code function: 0_2_6E4F80E3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E4F80E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 2096, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: aspnet_regiis.exe, 00000003.00000003.2198915406.000000000368D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: aspnet_regiis.exe, 00000003.00000003.2198915406.000000000368D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: aspnet_regiis.exe, 00000003.00000003.2154322168.000000000368B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: aspnet_regiis.exe, 00000003.00000003.2198915406.000000000368D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: aspnet_regiis.exe, 00000003.00000003.2198933386.0000000003677000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: aspnet_regiis.exe, 00000003.00000003.2198915406.000000000368D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: aspnet_regiis.exe, 00000003.00000003.2198979767.000000000368B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: Yara match File source: 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 2096, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 2096, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP