Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1466920
MD5:	c34e8f27e5e41acc13f476298be901f5
SHA1:	1857dfcf2bbb4e91fed3595395cc6ea1b6e5e425
SHA256:	8c09b0520cd0a587ccdab5f16b202ef013d9bf3b4fc7653b5afdf480417d33f1
Tags:	exelummac2
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

LummaC encrypted strings found

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

Setup.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: C34E8F27E5E41ACC13F476298BE901F5)

more.com (PID: 6812 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SearchIndexer.exe (PID: 7380 cmdline: C:\Windows\SysWOW64\SearchIndexer.exe MD5: CF7BEFBA5E20F2F4C7851D016067B89C)

WerFault.exe (PID: 7592 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 408 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{
  "C2 url": [
    "pedestriankodwu.xyz",
    "towerxxuytwi.xyz",
    "ellaboratepwsz.xyz",
    "penetratedpoopp.xyz",
    "swellfrrgwwos.xyz",
    "contintnetksows.shop",
    "foodypannyjsud.shop",
    "potterryisiw.shop",
    "prettilikeopwp.shop"
  ],
  "Build id": "long--try"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: penetratedpoopp.xyz	Avira URL Cloud: Label: malware
Source: foodypannyjsud.shop	Avira URL Cloud: Label: malware
Source: ellaboratepwsz.xyz	Avira URL Cloud: Label: malware
Source: contintnetksows.shop	Avira URL Cloud: Label: malware
Source: pedestriankodwu.xyz	Avira URL Cloud: Label: malware
Source: potterryisiw.shop	Avira URL Cloud: Label: malware
Source: towerxxuytwi.xyz	Avira URL Cloud: Label: malware
Source: swellfrrgwwos.xyz	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\uhfglxslkuxod

Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Found malware configuration

Source: more.com.6812.2.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "prettilikeopwp.shop"], "Build id": "long--try"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\uhfglxslkuxod

ReversingLabs: Detection: 70%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\uhfglxslkuxod

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: pedestriankodwu.xyz
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: towerxxuytwi.xyz
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: ellaboratepwsz.xyz
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: penetratedpoopp.xyz
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: swellfrrgwwos.xyz
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: contintnetksows.shop
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: foodypannyjsud.shop
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: potterryisiw.shop
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: prettilikeopwp.shop
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String decryptor: HbVgyI--nn

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Jenkins\workspace\AURAServiceSetup\Release\LightingService.pdb source: Setup.exe
Source:	Binary string: D:\Jenkins\workspace\AURAServiceSetup\Release\LightingService.pdbW source: Setup.exe
Source:	Binary string: wiascanprofiles.pdbGCTL source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1614709959.00000000003E8000.00000008.00000001.01000000.00000000.sdmp, uhfglxslkuxod.2.dr
Source:	Binary string: wntdll.pdbUGP source: Setup.exe, 00000000.00000002.1246980935.0000000003915000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1247589635.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1247751717.0000000004AC5000.00000004.00000001.00020000.00000000.sdmp, more.com, 00000002.00000002.1457380870.0000000004810000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457599161.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615168753.0000000004900000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1614845204.000000000449F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Setup.exe, 00000000.00000002.1246980935.0000000003915000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1247589635.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1247751717.0000000004AC5000.00000004.00000001.00020000.00000000.sdmp, more.com, 00000002.00000002.1457380870.0000000004810000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457599161.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615168753.0000000004900000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1614845204.000000000449F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wiascanprofiles.pdb source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1614709959.00000000003E8000.00000008.00000001.01000000.00000000.sdmp, uhfglxslkuxod.2.dr
Source:	Binary string: mscoree.pdb source: Setup.exe, 00000000.00000002.1246256329.0000000002D36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscoree.pdbGCTL source: Setup.exe, 00000000.00000002.1246256329.0000000002D36000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: pedestriankodwu.xyz
Source: Malware configuration extractor	URLs: towerxxuytwi.xyz
Source: Malware configuration extractor	URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor	URLs: penetratedpoopp.xyz
Source: Malware configuration extractor	URLs: swellfrrgwwos.xyz
Source: Malware configuration extractor	URLs: contintnetksows.shop
Source: Malware configuration extractor	URLs: foodypannyjsud.shop
Source: Malware configuration extractor	URLs: potterryisiw.shop
Source: Malware configuration extractor	URLs: prettilikeopwp.shop

Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: Amcache.hve.17.dr	String found in binary or memory: http://upx.sf.net
Source: Setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004B73000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.00000000047FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Windows\SysWOW64\SearchIndexer.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 408

Source: Setup.exe

Static PE information: invalid certificate

Source: Setup.exe, 00000000.00000002.1247751717.0000000004BE8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Setup.exe
Source: Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezip.exe( vs Setup.exe
Source: Setup.exe, 00000000.00000002.1246379932.0000000002F9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLightingService.exe@ vs Setup.exe
Source: Setup.exe, 00000000.00000002.1247589635.000000000483D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFilenameLightingService.exe@ vs Setup.exe

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/8@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7380
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user~1\AppData\Local\Temp\7bc69e1d

Jump to behavior

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 408
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: mssrch.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: shdocvw.dll	Jump to behavior

Source: Setup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Setup.exe

Static file information: File size 6063976 > 1048576

Source: Setup.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x393800
Source: Setup.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x137000

Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Setup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Jenkins\workspace\AURAServiceSetup\Release\LightingService.pdb source: Setup.exe
Source:	Binary string: D:\Jenkins\workspace\AURAServiceSetup\Release\LightingService.pdbW source: Setup.exe
Source:	Binary string: wiascanprofiles.pdbGCTL source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1614709959.00000000003E8000.00000008.00000001.01000000.00000000.sdmp, uhfglxslkuxod.2.dr
Source:	Binary string: wntdll.pdbUGP source: Setup.exe, 00000000.00000002.1246980935.0000000003915000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1247589635.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1247751717.0000000004AC5000.00000004.00000001.00020000.00000000.sdmp, more.com, 00000002.00000002.1457380870.0000000004810000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457599161.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615168753.0000000004900000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1614845204.000000000449F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Setup.exe, 00000000.00000002.1246980935.0000000003915000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1247589635.0000000004710000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1247751717.0000000004AC5000.00000004.00000001.00020000.00000000.sdmp, more.com, 00000002.00000002.1457380870.0000000004810000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457599161.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615168753.0000000004900000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1614845204.000000000449F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wiascanprofiles.pdb source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1614709959.00000000003E8000.00000008.00000001.01000000.00000000.sdmp, uhfglxslkuxod.2.dr
Source:	Binary string: mscoree.pdb source: Setup.exe, 00000000.00000002.1246256329.0000000002D36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscoree.pdbGCTL source: Setup.exe, 00000000.00000002.1246256329.0000000002D36000.00000004.00000020.00020000.00000000.sdmp

Source: Setup.exe	Static PE information: section name: _RDATA
Source: uhfglxslkuxod.2.dr	Static PE information: section name: ibb

Source: C:\Windows\SysWOW64\more.com

File created: C:\Users\user\AppData\Local\Temp\uhfglxslkuxod

Jump to dropped file

Source: C:\Windows\SysWOW64\more.com

File created: C:\Users\user\AppData\Local\Temp\uhfglxslkuxod

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\more.com

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\UHFGLXSLKUXOD

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Setup.exe	API/Special instruction interceptor: Address: 73C57B27
Source: C:\Users\user\Desktop\Setup.exe	API/Special instruction interceptor: Address: 73C5781D
Source: C:\Windows\SysWOW64\more.com	API/Special instruction interceptor: Address: 73C53B97
Source: C:\Windows\SysWOW64\SearchIndexer.exe	API/Special instruction interceptor: Address: 61DC57

Source: C:\Windows\SysWOW64\more.com

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uhfglxslkuxod

Jump to dropped file

Source: Amcache.hve.17.dr	Binary or memory string: VMware
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual USB Mouse
Source: SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.
Source: SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.17.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.17.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: Amcache.hve.17.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: Amcache.hve.17.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.17.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: vmci.sys
Source: SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.17.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.17.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.17.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.17.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.17.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.17.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\SearchIndexer.exe

Process queried: DebugPort

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\Setup.exe	NtQuerySystemInformation: Direct from: 0x77757B2E			Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	NtSetInformationThread: Direct from: 0x534E1D			Jump to behavior

LummaC encrypted strings found

Source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pedestriankodwu.xyz
Source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: towerxxuytwi.xyz
Source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ellaboratepwsz.xyz
Source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: penetratedpoopp.xyz
Source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: swellfrrgwwos.xyz
Source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: contintnetksows.shop
Source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: foodypannyjsud.shop
Source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: potterryisiw.shop
Source: more.com, 00000002.00000002.1457329024.0000000002F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: prettilikeopwp.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Setup.exe

Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: 61B300			Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\SearchIndexer.exe base: 390000			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com			Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\SearchIndexer.exe C:\Windows\SysWOW64\SearchIndexer.exe			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\7bc69e1d VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_0081E300 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0081E300

Source: Amcache.hve.17.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	11 DLL Side-Loading	211 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 DLL Side-Loading	211 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	112 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Setup.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\uhfglxslkuxod	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\uhfglxslkuxod	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\uhfglxslkuxod	71%	ReversingLabs	Win32.Spyware.Lummastealer

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
prettilikeopwp.shop	0%	Avira URL Cloud	safe
penetratedpoopp.xyz	100%	Avira URL Cloud	malware
foodypannyjsud.shop	100%	Avira URL Cloud	malware
http://www.vmware.com/0	0%	Avira URL Cloud	safe
http://www.info-zip.org/	0%	Avira URL Cloud	safe
ellaboratepwsz.xyz	100%	Avira URL Cloud	malware
http://www.vmware.com/0/	0%	Avira URL Cloud	safe
contintnetksows.shop	100%	Avira URL Cloud	malware
pedestriankodwu.xyz	100%	Avira URL Cloud	malware
potterryisiw.shop	100%	Avira URL Cloud	malware
towerxxuytwi.xyz	100%	Avira URL Cloud	malware
swellfrrgwwos.xyz	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
prettilikeopwp.shop	true	Avira URL Cloud: safe	unknown
foodypannyjsud.shop	true	Avira URL Cloud: malware	unknown
pedestriankodwu.xyz	true	Avira URL Cloud: malware	unknown
contintnetksows.shop	true	Avira URL Cloud: malware	unknown
potterryisiw.shop	true	Avira URL Cloud: malware	unknown
penetratedpoopp.xyz	true	Avira URL Cloud: malware	unknown
ellaboratepwsz.xyz	true	Avira URL Cloud: malware	unknown
swellfrrgwwos.xyz	true	Avira URL Cloud: malware	unknown
towerxxuytwi.xyz	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.vmware.com/0	Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.info-zip.org/	Setup.exe, 00000000.00000002.1247206464.0000000003BD7000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004B73000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.00000000047FB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0/	Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.17.dr	false	URL Reputation: safe	unknown
http://www.symauth.com/cps0(	Setup.exe, 00000000.00000002.1247206464.0000000003E4D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000002.00000002.1457508139.0000000004BBB000.00000004.00000800.00020000.00000000.sdmp, SearchIndexer.exe, 0000000D.00000002.1615065688.0000000004843000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466920
Start date and time:	2024-07-03 15:16:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/8@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240, 20.42.73.29
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, time.windows.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
Execution Graph export aborted for target Setup.exe, PID 6464 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Setup.exe

Simulations

Behavior and APIs

Time	Type	Description
09:17:22	API Interceptor	1x Sleep call for process: more.com modified
10:37:48	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SearchIndexer.ex_cd53bb3f2f8e47747a257a3577baa06d94df3e33_9e0a92cb_eb7ea5f1-6d89-4f27-9cf2-db8ba34b91ba\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	65536
Entropy (8bit):	0.8086568454651846
Encrypted:	false
SSDEEP:	192:y436jkeuJH2Q0BU/oBRjiqzuiF4Z24IO8XOn:pkuHsBU/wjHzuiF4Y4IO8g
MD5:	F7858C83057882E7501493A093480EB7
SHA1:	4A3B21B09D9F963A8F72809F6C8346F7475FEDC4
SHA-256:	D5F154989532D464BB9E068C922899038A62873285508603A6B77072DB6F9B33
SHA-512:	0063D09A513937B4D43A218BFD6D06D3D8735A7D567DC7347341A83A54417813298D5464982570E8D7F7092A299125A3A37CF2BCDA81F203ECE2469834ABCCA6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.8.6.2.4.3.3.1.8.5.5.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.8.6.2.4.3.8.0.2.9.0.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.7.e.a.5.f.1.-.6.d.8.9.-.4.f.2.7.-.9.c.f.2.-.d.b.8.b.a.3.4.b.9.1.b.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.e.1.9.a.c.0.2.-.0.5.9.a.-.4.b.2.0.-.a.7.b.a.-.f.4.f.0.b.d.0.7.c.6.0.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.a.r.c.h.I.n.d.e.x.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.e.a.r.c.h.I.n.d.e.x.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.d.4.-.0.0.0.1.-.0.0.1.4.-.5.7.a.e.-.6.2.5.3.4.b.c.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.e.0.4.6.4.a.9.c.6.7.f.c.b.d.d.9.3.e.b.5.6.9.6.a.9.e.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jul 3 13:17:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	26726
Entropy (8bit):	2.22386555842152
Encrypted:	false
SSDEEP:	192:LkGzFtvr7OdMntl2N1cXkUV7XcY2AZ8eQ:HzFtuvNkFVPqe
MD5:	8C58F4CA393D25857ABDBD92B35F7826
SHA1:	CC87E9B57EF51E29C958B954AFACB754F9D0FB37
SHA-256:	C7CC401D2FA1135BDAB88E2FA1A65D0E4109BBEEDE2AE4D6A3247E934EDE7098
SHA-512:	A2CF70E7A01BC18E2DFAD998177323E4C489CDDEF85FD2543EC4223F553FF5EE2A257008B39E7992484DC8F9E46306E4A6F5FF7BB16253A03FCFFB0839CE29B0
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......cO.f............4...............<.......d...`...........T.......8...........T...........X....V......................................................................................................eJ..............GenuineIntel............T...........\O.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E86.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6324
Entropy (8bit):	3.725119004118895
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbBEN6+QzYkyQE/DTn5aM4Up89bX3sfZQ9m:R6l7wVeJBEN6JYkyFprp89bX3sf69m
MD5:	A3225749729091D070AC43073A8F9C9F
SHA1:	D3B20118369F21CEE7A936CF47DE9CD6729A9761
SHA-256:	926581E5D5540347AE94DFD88F9C3AB30DEE1BA5DA6A7AC44991DA74226D927E
SHA-512:	5491CA6B239FE0B8EB4862C35CC119AEA72EFB4358FDC0A842C07AB0AFFEF89C7BF7A19202776354159090BC98A944293543225C49282FDC8E64F8B674414151
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EB6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4686
Entropy (8bit):	4.485133363047952
Encrypted:	false
SSDEEP:	48:cvIwWl8zsEJg77aI94CCWpW8VYtYm8M4JUA+P/lFs+q81Qn3+t7KSJoYd:uIjfCI7yCD7VJJUAY/MEQnutRJoYd
MD5:	FE23335A0A2EAB606E4347E2C550B35F
SHA1:	1764B4F19FAD08630D80591B6D2AC838C50FF651
SHA-256:	82A0887C507C8CB76B51B0CFC84B0F3A697AC9F622C8ECCDA646892E2B74DB2E
SHA-512:	7AAA503EC9859245DCDA469AAC8E3BA8FBAD230E5E6E2662A969352B2D7DC99520FC36E8DD05CA7E0FDB78E8057CC6BF4EE8441E403B0BA9EEF376763A39BD80
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="394820" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\7bc69e1d

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PNG image data, 1536 x 2163, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1264980
Entropy (8bit):	7.9878393869406175
Encrypted:	false
SSDEEP:	24576:DxssDS2butUOO58es6ku1SaSbDoWnEa6g1mlO9ZHyEGZdfTKjIuZ90IfcutF:Vs3aIO6c1SlEYc8ZSECujn
MD5:	D85456BC93BC20DE97041FB8F7F79247
SHA1:	D155E82D273925A86EF370C9F3FDA0A0CB1112EF
SHA-256:	9046BBD0BCB00410590FF77DB0766C8C26F26AFA4EB6431B4FB7D5E5AA8D00BF
SHA-512:	C6CA930FE9F95058C05EC1C2852645C4C2C967E9423BB058633503541E09BD59BDD42B8EB4A1C11892ADF73E2774CE11E90303B01F1F31798D56E5AE23F9DE7C
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.......s........... .IDATx..;.$..z...~...}...[....;.."`...\aH.....U..1...u5.$.tw....8..'".......7..c:.2............+A........:.m........h.a.._7.....R.[.s..i..u......G..!..B...G8.3.h...0..G...G..........,......r).......x)rw)%.,K.....\JkM....g..<.....])..R.e.m.Bp..K1.....]..+....u..8.\|].d.....A..X............_...o.5.-.0.0.N6...._7,_kM.5.....` ..6...........B =....\|.Z;..R.;.!.w.]........Ck]..e...1..&.-..!.....a....c..f...\.2..7..$.1....R.3p....\|.\.#.f..w......L.5P..y..~e.....H..K)..A..+\|..$#.......CE..uw)8..P./...J..i.j.....s&...,(..,.......D...4........_'..1..;.`..M.....\|....../E..>,...'....ng..:H..3.A.............\|.{5...Q...,..{..p..]v3.....c.@..-....".;9H.......\+n..+p.q.....~....c..........V....[....?c.O.l....H...,.g.@...m.hY~S;.)......J2.'.\|.$..D.............../%..@..J.....i..m'.a.x..oz....b.....B....j.Q.........{..I>...8.]B..$..V..n....s....P.;..w..7..G...(.. C......G*.Y{w.q.".p.d..p.$4Mm....z8...a!......

C:\Users\user\AppData\Local\Temp\7c7f2e09

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	modified
Size (bytes):	1041050
Entropy (8bit):	7.505429337534013
Encrypted:	false
SSDEEP:	12288:OwBNIeUVovhm05nFNR7wk+P8N8wfojgRsjJqSvBfIdM+Fppj2RxRK3c54O01XXi7:OwBNBmSXwdwAMRmqu+pYAayiMMRKDKf
MD5:	1DF0408322B0B7D75295AFAC99058C0D
SHA1:	0C8D1766548B98D553B6F5765D0C1623ADF8073D
SHA-256:	10C21623D225DD49C4A4AF409CB3C4D2B2DAFE33F73D943B34F6E6EB6C0305BD
SHA-512:	FB56ABA5F4F8974D14E2FFECB9FD6DE7DBF5393E308AD25C36DCBF01CDFBF1015702F3388512AF9E27E4817D8D2541715A9B5E8940E0BD6AB457293235A47CF8
Malicious:	false
Reputation:	low
Preview:	K`.)H`.)H`.)H`.)I`.).`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)m!.y.!.hm<.@+..Z'..u...M'..u...[<@.L&..y:..[)..u...[<..)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)...G!..H$..L...)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)...[-..L...])..LH`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)m7.g.)...-.J:..F...g.4.o:..L?..BH`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)>R..fU..zW.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)H`.)

C:\Users\user\AppData\Local\Temp\uhfglxslkuxod

Download File

Process:	C:\Windows\SysWOW64\more.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	315904
Entropy (8bit):	6.696220858854551
Encrypted:	false
SSDEEP:	6144:rHOqKYOqnTHw6zVlUcvkKqQAChXNDvhXqHt06vMSgsoFe:rH3KDsDJsKAC7JKt06EXFe
MD5:	9C25EF97C3EB8B18E9D89BD1C0FB0B3E
SHA1:	31B5C6D5EED4331E0D570548BAE1E4E17BB63CCF
SHA-256:	5B417F714BD9A10871B17CF730058187EF682F4C246687A131686E5D337125F0
SHA-512:	655B903949F693D6E921BB0ED63A65AD2BB98DEE074B16F4CFED661706E81D1E33672E93F8AB65A2A606CAC2C871E02223615741ABC46A9491949CB2CB94A6F6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....R[............................`.............@.......................................@.....................................x............................0..lM...................................................................................text............................... ..`.rdata...*.......,..................@..@.data...P........~..................@....reloc..lM...0...N...p..............@..Bibb...... ..........................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417481732991209
Encrypted:	false
SSDEEP:	6144:acifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNS5+:3i58oSWIZBk2MM6AFBko
MD5:	887540091B903CA3B76C5D55427D4AF6
SHA1:	F4CC37224204CF8FB0E3742D2056D0105081FE1F
SHA-256:	228DECE75BF12370F7A384FA5B7CD4C6A192EBB7F8BDBB71E29257CD8453709F
SHA-512:	E4B67C2465CF7615052700618989B53B747E8A2BEA7F18B3FFDC8B8C4502DE0B31B2AC4CDE174B5E4D8A9EFEB65AF6E1F073048169226EE5ECB38408E3655183
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..OWK...............................................................................................................................................................................................................................................................................................................................................7.Yc........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.708595290817905
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup.exe
File size:	6'063'976 bytes
MD5:	c34e8f27e5e41acc13f476298be901f5
SHA1:	1857dfcf2bbb4e91fed3595395cc6ea1b6e5e425
SHA256:	8c09b0520cd0a587ccdab5f16b202ef013d9bf3b4fc7653b5afdf480417d33f1
SHA512:	ccc416d96d36b792c59bdfd23c5e2e3b2c08c3498e43af7e0e5b873e0828c23fb30c1f21428fb8f984df99255d232e718422ce95acc8bba888da082f465c6709
SSDEEP:	98304:vsMDHDRm8rcgEqQQ5izvWtb2ZaQ9kclxrg/bYzO6TEYJYEHjHO:RHDRLrcgEq55izvWtDaxbBOLYJYmu
TLSH:	82563812B386C96BE16141F1392CE6AA005DB9320B75C8CBF2C14F5F2574AEB6672F17
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......'Ezlc$.?c$.?c$.?.B.>D$.?.B.>.$.?...?b$.?1L.>x$.?1L.>.$.?1L.>E$.?.B.>b$.?.B.>D$.?.B.>D$.?c$.?.%.?.M.>a$.?.M.>.$.?.M.?b$.?c$.?b$.

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6ecdad
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x650168E0 [Wed Sep 13 07:46:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	8d56c23948c3cf94c3e1df460ac1d81c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	22/10/2021 02:00:00 23/10/2024 01:59:59
Subject Chain	CN=ASUSTeK COMPUTER INC., O=ASUSTeK COMPUTER INC., L=Beitou District, S=Taipei City, C=TW, SERIALNUMBER=23638777, OID.1.3.6.1.4.1.311.60.2.1.3=TW, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	F6A44C3675A46BC86A016417105762C1
Thumbprint SHA-1:	7C9C6E22B13E3A435852D4B9EBFC6450F0FA3827
Thumbprint SHA-256:	1EA0CBC94CC5AD5A288F32DAEBA6EAAA4F84BE905E33C709F76B7FBEEEFBC7F4
Serial:	0BBE02C8838FBF02AB56EDABB1E34C19

Entrypoint Preview

Instruction
call 00007F91DCE00830h
jmp 00007F91DCDFF10Fh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F91DCDFDE9Dh
jmp 00007F91DCDFF270h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007F91DCDFDE8Ch
jmp 00007F91DCDFF25Fh
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00856944h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00856944h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00856944h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x453fd8	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x474000	0x136fa1	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5c5800	0x2f68	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5ab000	0x2fdcc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3f6140	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3f6238	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3f6198	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x395000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x393786	0x393800	f061065962c59fa6461e3bce05726a8a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x395000	0xc0c7c	0xc0e00	bed6ef4fc442514d906fd92b173aaa09	False	0.2947142842676604	data	4.7365920152246375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x456000	0x1ca20	0x9e00	49895d7cca3372e21af66f67b2c233e7	False	0.17711629746835442	data	4.925239385536749	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x473000	0x20	0x200	a713a886e740eebbf93d8e0fe58b9918	False	0.046875	data	0.14736507530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x474000	0x136fa1	0x137000	343ebc82a7a1802d661d947f2c5e2faf	False	0.9864584380024116	data	7.983199896322195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5ab000	0x2fdbc	0x2fe00	6ded2b408c00b77f236d0f0b924f6889	False	0.4907188315926893	data	6.639278525890994	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
CI	0x474274	0x134d54	PNG image data, 1536 x 2163, 8-bit/color RGB, non-interlaced	English	United States	0.9942522048950195
REGISTRY	0x5a8fc8	0xc	ASCII text, with CRLF line terminators	English	United States	1.6666666666666667
REGISTRY	0x5a8fd4	0x2eb	ASCII text, with CRLF line terminators	Chinese	Taiwan	0.42704149933065594
TYPELIB	0x5a92c0	0x17e0	data	English	United States	0.4162303664921466
RT_STRING	0x5aaaa0	0x3e	data	English	United States	0.6451612903225806
RT_RCDATA	0x5aaae0	0x10	data	Chinese	China	1.5625
RT_VERSION	0x5aaaf0	0x334	data	English	United States	0.4317073170731707
RT_MANIFEST	0x5aae24	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
POWRPROF.dll	CallNtPowerInformation
AVRT.dll	AvSetMmThreadCharacteristicsW, AvRevertMmThreadCharacteristics
WINMM.dll	timeKillEvent, timeSetEvent, timeGetDevCaps, timeEndPeriod, timeBeginPeriod
WTSAPI32.dll	WTSEnumerateSessionsW, WTSFreeMemory, WTSQueryUserToken
USERENV.dll	DestroyEnvironmentBlock, CreateEnvironmentBlock
KERNEL32.dll	FlushFileBuffers, ReadFile, WriteFile, PeekNamedPipe, DecodePointer, RaiseException, InitializeCriticalSectionEx, DeleteCriticalSection, GetCurrentDirectoryW, CreateThread, SetThreadPriority, TerminateThread, GetExitCodeThread, ResumeThread, GetCurrentProcessId, GetCurrentThreadId, GetCommandLineW, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetModuleHandleW, LoadLibraryExW, LoadResource, SizeofResource, FindResourceW, SetDllDirectoryW, GetEnvironmentVariableW, HeapDestroy, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, LocalFree, FormatMessageW, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, CreateDirectoryW, GetFileAttributesW, LocalAlloc, lstrcmpW, GetSystemTimes, FormatMessageA, GetWindowsDirectoryW, FindResourceExW, LockResource, SetThreadExecutionState, GetFileAttributesExW, WritePrivateProfileStringW, SetWaitableTimer, CancelWaitableTimer, WaitForMultipleObjects, CreateWaitableTimerW, DeleteFileW, SetEnvironmentVariableW, GetFullPathNameW, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetFileType, GetDriveTypeW, VirtualQuery, GetModuleHandleExW, ExitThread, RtlUnwind, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, ReleaseSemaphore, VirtualFree, VirtualProtect, VirtualAlloc, GetVersionExW, OutputDebugStringW, GetTickCount64, QueryPerformanceFrequency, QueryPerformanceCounter, GetModuleFileNameA, CreateEventW, ResetEvent, SetEvent, lstrcmpiW, SetThreadAffinityMask, GetCurrentThread, TerminateProcess, GetLastError, DuplicateHandle, WaitForSingleObject, CloseHandle, GetModuleFileNameW, FreeLibrary, WideCharToMultiByte, MultiByteToWideChar, GetModuleHandleA, GetTickCount, GetSystemInfo, GetCurrentProcess, LoadLibraryW, GetProcAddress, Sleep, ExitProcess, GetStdHandle, GetFileSizeEx, GetConsoleMode, ReadConsoleW, GetDateFormatW, FreeLibraryAndExitThread, GetThreadTimes, UnregisterWait, RegisterWaitForSingleObject, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SignalObjectAndWait, CreateTimerQueue, InitializeSListHead, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetLocaleInfoW, LCMapStringW, CompareStringW, GetCPInfo, GetSystemTimeAsFileTime, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, SetLastError, EncodePointer, AcquireSRWLockShared, AcquireSRWLockExclusive, ReleaseSRWLockShared, ReleaseSRWLockExclusive, SwitchToThread, WaitForSingleObjectEx, GetStringTypeW, AreFileApisANSI, SetFilePointerEx, SetEndOfFile, GetFileInformationByHandle, FindNextFileW, FindFirstFileExW, FindClose, TryEnterCriticalSection, CreateFileW, GetTimeFormatW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleCP, SetStdHandle, GetTimeZoneInformation, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, RemoveDirectoryW
USER32.dll	CreateWindowExW, TranslateMessage, DispatchMessageW, RegisterPowerSettingNotification, PostThreadMessageW, DefWindowProcW, PostQuitMessage, RegisterClassExW, DestroyWindow, ShowWindow, CharUpperW, CharNextW, UpdateWindow, MessageBoxW, LoadCursorW, LoadIconW, RegisterDeviceNotificationW, UnregisterDeviceNotification, wsprintfW, LoadStringW, MessageBoxA, GetMessageW
GDI32.dll	GetObjectW, DeleteObject
ADVAPI32.dll	RegisterServiceCtrlHandlerW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetNamedSecurityInfoW, RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegQueryInfoKeyA, RegQueryInfoKeyW, RegQueryValueExA, RegQueryValueExW, RegSetValueExW, BuildTrusteeWithSidW, GetNamedSecurityInfoW, GetAce, FreeSid, EqualSid, DeleteAce, AllocateAndInitializeSid, CreateProcessAsUserW, RegEnumValueW, StartServiceW, StartServiceCtrlDispatcherW, SetServiceStatus, OpenServiceW, OpenSCManagerW, DeleteService, CreateServiceW, ControlService, CloseServiceHandle, ChangeServiceConfigW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, ReportEventW, RegisterEventSourceW, DeregisterEventSource, RegCreateKeyExW, RegOpenKeyExW
ole32.dll	CoRevokeClassObject, CoAddRefServerProcess, CoRegisterClassObject, CoUninitialize, CoInitializeEx, CLSIDFromProgID, CoReleaseServerProcess, CoInitializeSecurity, StringFromGUID2, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, StringFromCLSID, CLSIDFromString, PropVariantClear, CoCreateInstance, CoResumeClassObjects
OLEAUT32.dll	SysAllocString, VarUI4FromStr, LoadTypeLib, LoadRegTypeLib, RegisterTypeLib, GetErrorInfo, UnRegisterTypeLib, SysStringByteLen, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElement, VariantInit, SysFreeString, VariantClear, SysStringLen
WS2_32.dll	WSAStartup, WSACleanup, WSAGetLastError, setsockopt, htonl, inet_addr, socket, send, recv, htons, connect, closesocket, inet_pton
CRYPT32.dll	CertCloseStore, CertFindCertificateInStore, CertFreeCertificateContext, CertGetNameStringW, CryptMsgGetParam, CryptMsgClose, CryptQueryObject
SHLWAPI.dll	PathFileExistsW, StrCpyNW, PathFileExistsA
pdh.dll	PdhOpenQueryW, PdhGetFormattedCounterValue, PdhAddEnglishCounterW, PdhCollectQueryData, PdhCloseQuery
WINTRUST.dll	WinVerifyTrust

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	Taiwan
Chinese	China

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• Setup.exe
• more.com
• conhost.exe
• SearchIndexer.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• Setup.exe
• more.com
• conhost.exe
• SearchIndexer.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: Setup.exePID: 6464, Parent PID: 4056

Function Logs

General

Target ID:	0
Start time:	09:16:59
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x530000
File size:	6'063'976 bytes
MD5 hash:	C34E8F27E5E41ACC13F476298BE901F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	09:17:01
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\more.com
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\more.com
Imagebase:	0xe50000
File size:	24'576 bytes
MD5 hash:	03805AE7E8CBC07840108F5C80CF4973
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	13
Start time:	09:17:16
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\SearchIndexer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\SearchIndexer.exe
Imagebase:	0x5e0000
File size:	711'680 bytes
MD5 hash:	CF7BEFBA5E20F2F4C7851D016067B89C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	17
Start time:	09:17:23
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 408
Imagebase:	0x5d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SearchIndexer.ex_cd53bb3f2f8e47747a257a3577baa06d94df3e33_9e0a92cb_eb7ea5f1-6d89-4f27-9cf2-db8ba34b91ba\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D7B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E86.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EB6.tmp.xml

C:\Users\user\AppData\Local\Temp\7bc69e1d

C:\Users\user\AppData\Local\Temp\7c7f2e09

C:\Users\user\AppData\Local\Temp\uhfglxslkuxod

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Setup.exe