Windows Analysis Report
1Gvue8ItW8.exe

Overview

General Information

Sample name: 1Gvue8ItW8.exe
Renamed because the original name is a hash value
Original sample name: fe70eb0688b5c73484c90d5ac6f0fc19.exe
Analysis ID: 1465835
MD5: fe70eb0688b5c73484c90d5ac6f0fc19
SHA1: 2dd1e471d617369e56bfcc99856655ed8dd23b96
SHA256: 694bc44ca9827716a989fef8d775bd817d4eab31d510a77f96dee09955bf054d
Tags: 32 exe trojan

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: https://feighminoritsjda.shop/ Avira URL Cloud: Label: malware
Source: marathonbeedksow.shop Avira URL Cloud: Label: malware
Source: https://richardflorespoew.shop/api Avira URL Cloud: Label: malware
Source: https://marathonbeedksow.shop/ Avira URL Cloud: Label: malware
Source: feighminoritsjda.shop Avira URL Cloud: Label: malware
Source: https://feighminoritsjda.shop/% Avira URL Cloud: Label: malware
Source: https://strwawrunnygjwu.shop/api Avira URL Cloud: Label: malware
Source: backcreammykiel.shop Avira URL Cloud: Label: malware
Source: https://justifycanddidatewd.shop/api Avira URL Cloud: Label: malware
Source: https://raiseboltskdlwpow.shop/api Avira URL Cloud: Label: malware
Source: 0.2.1Gvue8ItW8.exe.b90000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["richardflorespoew.shop", "strwawrunnygjwu.shop", "justifycanddidatewd.shop", "raiseboltskdlwpow.shop", "falseaudiencekd.shop", "pleasurenarrowsdla.shop", "feighminoritsjda.shop", "marathonbeedksow.shop", "backcreammykiel.shop"], "Build id": "LPnhqo--@SEFYALUV"}
Source: 1Gvue8ItW8.exe ReversingLabs: Detection: 73%
Source: 1Gvue8ItW8.exe Virustotal: Detection: 59%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1Gvue8ItW8.exe Joe Sandbox ML: detected
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: richardflorespoew.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: strwawrunnygjwu.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: justifycanddidatewd.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: raiseboltskdlwpow.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: falseaudiencekd.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: pleasurenarrowsdla.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: feighminoritsjda.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: marathonbeedksow.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: backcreammykiel.shop
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String decryptor: LPnhqo--@SEFYALUV
Source: 1Gvue8ItW8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1Gvue8ItW8.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BAF66C FindFirstFileExW, 0_2_00BAF66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 22D223F1h 1_2_0043878E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 1_2_004389A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000888h] 1_2_0041E274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [esi], ax 1_2_00420210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 1_2_0041F2E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea eax, dword ptr [edi+04h] 1_2_00421288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then push esi 1_2_00416556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 1_2_0043857C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 1_2_0041C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_004165D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+28h] 1_2_004275B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 1_2_00403630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 1_2_004146A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edi, ebx 1_2_00437740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov esi, dword ptr [esp+60h] 1_2_004177BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+60h] 1_2_004177BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000238h] 1_2_004138FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 1_2_00439899
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 1_2_00424920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc ebx 1_2_004159F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h 1_2_0041FA7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp] 1_2_00422AD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, eax 1_2_0041CB1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000238h] 1_2_00410B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, edi 1_2_00424BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 1_2_00426C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000148h] 1_2_00413C3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h 1_2_00415E0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00415E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 1_2_0041FE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 1_2_0040CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], 0000002Bh 1_2_00425F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 1_2_00426FB0

Networking

Source: Traffic Snort IDS: 2053812 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (backcreammykiel .shop) 192.168.2.4:53429 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053682 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (marathonbeedksow .shop) 192.168.2.4:58922 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053680 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (feighminoritsjda .shop) 192.168.2.4:60118 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053678 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (pleasurenarrowsdla .shop) 192.168.2.4:59335 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053676 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (falseaudiencekd .shop) 192.168.2.4:53223 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053674 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (raiseboltskdlwpow .shop) 192.168.2.4:64289 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053672 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (justifycanddidatewd .shop) 192.168.2.4:64375 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053670 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strwawrunnygjwu .shop) 192.168.2.4:59976 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2053668 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (richardflorespoew .shop) 192.168.2.4:60066 -> 1.1.1.1:53
Source: Malware configuration extractor URLs: richardflorespoew.shop
Source: Malware configuration extractor URLs: strwawrunnygjwu.shop
Source: Malware configuration extractor URLs: justifycanddidatewd.shop
Source: Malware configuration extractor URLs: raiseboltskdlwpow.shop
Source: Malware configuration extractor URLs: falseaudiencekd.shop
Source: Malware configuration extractor URLs: pleasurenarrowsdla.shop
Source: Malware configuration extractor URLs: feighminoritsjda.shop
Source: Malware configuration extractor URLs: marathonbeedksow.shop
Source: Malware configuration extractor URLs: backcreammykiel.shop
Source: unknown DNS traffic detected: query: feighminoritsjda.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: justifycanddidatewd.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: falseaudiencekd.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: pleasurenarrowsdla.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: richardflorespoew.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: backcreammykiel.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: marathonbeedksow.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: strwawrunnygjwu.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: raiseboltskdlwpow.shop replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: backcreammykiel.shop
Source: global traffic DNS traffic detected: DNS query: marathonbeedksow.shop
Source: global traffic DNS traffic detected: DNS query: feighminoritsjda.shop
Source: global traffic DNS traffic detected: DNS query: pleasurenarrowsdla.shop
Source: global traffic DNS traffic detected: DNS query: falseaudiencekd.shop
Source: global traffic DNS traffic detected: DNS query: raiseboltskdlwpow.shop
Source: global traffic DNS traffic detected: DNS query: justifycanddidatewd.shop
Source: global traffic DNS traffic detected: DNS query: strwawrunnygjwu.shop
Source: global traffic DNS traffic detected: DNS query: richardflorespoew.shop
Source: 1Gvue8ItW8.exe String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: 1Gvue8ItW8.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 1Gvue8ItW8.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 1Gvue8ItW8.exe String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 1Gvue8ItW8.exe String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: 1Gvue8ItW8.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 1Gvue8ItW8.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 1Gvue8ItW8.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 1Gvue8ItW8.exe String found in binary or memory: http://ocsp.digicert.com0
Source: 1Gvue8ItW8.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: 1Gvue8ItW8.exe String found in binary or memory: http://ocsp.entrust.net02
Source: 1Gvue8ItW8.exe String found in binary or memory: http://ocsp.entrust.net03
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: 1Gvue8ItW8.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: 1Gvue8ItW8.exe String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://falseaudiencekd.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feighminoritsjda.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://feighminoritsjda.shop/%
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://justifycanddidatewd.shop/%
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://justifycanddidatewd.shop/api
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marathonbeedksow.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raiseboltskdlwpow.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raiseboltskdlwpow.shop/api
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raiseboltskdlwpow.shop/apib
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://richardflorespoew.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://richardflorespoew.shop/:W=
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.1660995734.0000000000B53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://richardflorespoew.shop/api
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://strwawrunnygjwu.shop/
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://strwawrunnygjwu.shop/api
Source: 1Gvue8ItW8.exe String found in binary or memory: https://www.entrust.net/rpa0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0042EAD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 1_2_0042EAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0042F61A GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 1_2_0042F61A
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BA1880 0_2_00BA1880
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BAD2CE 0_2_00BAD2CE
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00B97A00 0_2_00B97A00
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BB1CA0 0_2_00BB1CA0
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BA95A9 0_2_00BA95A9
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BB3DC6 0_2_00BB3DC6
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BA464E 0_2_00BA464E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0043A090 1_2_0043A090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0043C0B0 1_2_0043C0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00420210 1_2_00420210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041F2E1 1_2_0041F2E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00421288 1_2_00421288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00408340 1_2_00408340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0043A310 1_2_0043A310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0042D33A 1_2_0042D33A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0042B3F9 1_2_0042B3F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00404450 1_2_00404450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00434400 1_2_00434400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00429500 1_2_00429500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0043A5C0 1_2_0043A5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004165D4 1_2_004165D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004225E3 1_2_004225E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00406630 1_2_00406630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041D6F0 1_2_0041D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0042D73D 1_2_0042D73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00410810 1_2_00410810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0042B8B3 1_2_0042B8B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00420947 1_2_00420947
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00427973 1_2_00427973
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0042792E 1_2_0042792E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004039E0 1_2_004039E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00427986 1_2_00427986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0043A990 1_2_0043A990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00405994 1_2_00405994
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0041CB1E 1_2_0041CB1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00420BC0 1_2_00420BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00424BC0 1_2_00424BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00422CD6 1_2_00422CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0043BD90 1_2_0043BD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00404E30 1_2_00404E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00401F40 1_2_00401F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00423F2F 1_2_00423F2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00436FA0 1_2_00436FA0
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: String function: 00B9CC80 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00408D40 appears 48 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004109A0 appears 198 times
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 268
Source: 1Gvue8ItW8.exe Static PE information: invalid certificate
Source: 1Gvue8ItW8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/5@9/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0042B0B2 CoCreateInstance, 1_2_0042B0B2
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7436
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0409bcb2-feca-49d1-9075-fa1d0b4d516d
Source: 1Gvue8ItW8.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1Gvue8ItW8.exe ReversingLabs: Detection: 73%
Source: 1Gvue8ItW8.exe Virustotal: Detection: 59%
Source: unknown Process created: C:\Users\user\Desktop\1Gvue8ItW8.exe "C:\Users\user\Desktop\1Gvue8ItW8.exe"
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 268
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: 1Gvue8ItW8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1Gvue8ItW8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1Gvue8ItW8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1Gvue8ItW8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1Gvue8ItW8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1Gvue8ItW8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1Gvue8ItW8.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 1Gvue8ItW8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1Gvue8ItW8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1Gvue8ItW8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1Gvue8ItW8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1Gvue8ItW8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1Gvue8ItW8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00B9C56A push ecx; ret 0_2_00B9C57D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00442101 push 0000007Bh; retf 1_2_00442103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004422EE push cs; retf 1_2_004422EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0043F35B pushad ; iretd 1_2_0043F369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00442386 push ebp; iretd 1_2_00442387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004426F6 push esp; iretd 1_2_004426E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_004426F6 push es; retf 1_2_00442709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00441689 push D379FC65h; retf 1_2_0044168E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00442692 push esp; iretd 1_2_004426E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0044173B push 6E8C8D5Fh; ret 1_2_00441745
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe API coverage: 9.3 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7500 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BAF66C FindFirstFileExW, 0_2_00BAF66C
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000001.00000002.1660995734.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00438320 LdrInitializeThunk, 1_2_00438320
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BA0943 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BA0943
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BA6C75 mov ecx, dword ptr fs:[00000030h] 0_2_00BA6C75
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BADFC5 mov eax, dword ptr fs:[00000030h] 0_2_00BADFC5
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00BB2DB5 GetProcessHeap, 0_2_00BB2DB5
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00B9CA5E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B9CA5E
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00B9CBBA SetUnhandledExceptionFilter, 0_2_00B9CBBA
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00B9CCF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B9CCF3

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_009D018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_009D018D
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: richardflorespoew.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: strwawrunnygjwu.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: justifycanddidatewd.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: raiseboltskdlwpow.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: falseaudiencekd.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: pleasurenarrowsdla.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: feighminoritsjda.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: marathonbeedksow.shop
Source: 1Gvue8ItW8.exe, 00000000.00000002.1792953808.0000000000BC5000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: backcreammykiel.shop
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 87B008
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00B9C745 cpuid 0_2_00B9C745
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: GetLocaleInfoW, 0_2_00BB2855
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: EnumSystemLocalesW, 0_2_00BAA198
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00BB21EF
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00BB297E
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: GetLocaleInfoW, 0_2_00BB2A84
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: GetLocaleInfoW, 0_2_00BB23EA
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00BB2B53
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: EnumSystemLocalesW, 0_2_00BB2491
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: EnumSystemLocalesW, 0_2_00BB24DC
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: EnumSystemLocalesW, 0_2_00BB2577
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: GetLocaleInfoW, 0_2_00BAA6BE
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00BB2602
Source: C:\Users\user\Desktop\1Gvue8ItW8.exe Code function: 0_2_00B9C954 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00B9C954
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
No contacted IP infos