Windows Analysis Report
173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe

Overview

General Information

Sample name: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe
Analysis ID: 1543225
MD5: 6973d6be4ecb4fa2cec58b35b0dde577
SHA1: ad03ef6a442070f7c0bdf63d4cd788cac3ae9936
SHA256: 5131eee2232ca51f902577bae64a8afe58d107af2e2fa9a38c020ddc34157e16
Tags: base64-decodedexeuser-abuse_ch
Infos:

Detection

LummaC
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Detected potential crypto function
One or more processes crash
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

barindex
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Malware Configuration Extractor: LummaC {"C2 url": ["necklacedmny.store", "fadehairucw.store", "navygenerayk.store", "crisiwarny.store", "withdrwblon.cyou", "scriptyprefej.store", "presticitpo.store", "founpiuer.store", "thumbystriw.store"], "Build id": "HpOoIh--@dxrkl0rd"}
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe ReversingLabs: Detection: 21%
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.5% probability
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Joe Sandbox ML: detected
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: scriptyprefej.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: navygenerayk.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: founpiuer.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: necklacedmny.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: thumbystriw.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: fadehairucw.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: crisiwarny.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: presticitpo.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: withdrwblon.cyou
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: TeslaBrowser/5.5
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: - Screen Resoluton:
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: - Physical Installed Memory:
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: Workgroup: -
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe String decryptor: HpOoIh--@dxrkl0rd
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

barindex
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor URLs: withdrwblon.cyou
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Code function: 0_2_004072DD 0_2_004072DD
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Code function: 0_2_00407306 0_2_00407306
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Code function: 0_2_0040C90C 0_2_0040C90C
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Code function: 0_2_00407315 0_2_00407315
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Code function: 0_2_0040B189 0_2_0040B189
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Code function: 0_2_0040D3A7 0_2_0040D3A7
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 224
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Static PE information: No import functions for PE file found
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal84.troj.evad.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3660
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b3ed81f5-90b4-44ac-b8a7-c496a9e02f5b Jump to behavior
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe "C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe"
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 224
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Section loaded: apphelp.dll Jump to behavior
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Code function: 0_2_004114E4 push ebx; retf 0_2_004114E5
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Code function: 0_2_00401525 push dword ptr [edx+eax-77h]; ret 0_2_0040152A
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: scriptyprefej.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: navygenerayk.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: founpiuer.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: necklacedmny.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: thumbystriw.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: fadehairucw.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: crisiwarny.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: presticitpo.store
Source: 173003262828c2e446493e5b399a9ad32e1686ad7eda9989a2ad6f14168b61b16d6b56a7a5348.dat-decoded.exe, 00000000.00000000.1692523298.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: withdrwblon.cyou
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

barindex
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
No contacted IP infos