Edit tour

Windows Analysis Report
Installer.exe

Overview

General Information

Sample name:	Installer.exe
Analysis ID:	1585378
MD5:	34a3481203725a7a71f3d1396f3af901
SHA1:	f6227c6d79fe5f7ba3b6b978fd97e69fc34796f0
SHA256:	312fad54a43a1288c4df1aac24ee0809f30b38a2d6b9837110d3343aa8f04cdd
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Installer.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\Installer.exe" MD5: 34A3481203725A7A71F3D1396F3AF901)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Installer.exe (PID: 7616 cmdline: "C:\Users\user\Desktop\Installer.exe" MD5: 34A3481203725A7A71F3D1396F3AF901)

WerFault.exe (PID: 7720 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7516 -s 164 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["rabidcowse.shop", "fancywaxxers.shop", "abruptyopsn.shop", "tirepublicerj.shop", "noisycuttej.shop", "wholersorie.shop", "nearycrepso.shop", "cloudewahsj.shop", "framekgirus.shop"], "Build id": "yau6Na--6331801298"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Installer.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1312035887.0000000000232000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.Installer.exe.230000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Installer.exe.36e9550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Installer.exe.36e9550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:36:55.400019+0100	2028371	3	Unknown Traffic	192.168.2.9	49712	104.102.49.254	443	TCP
2025-01-07T15:36:56.907969+0100	2028371	3	Unknown Traffic	192.168.2.9	49721	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:37:30.471217+0100	2054653	1	A Network Trojan was detected	192.168.2.9	49721	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:37:30.471217+0100	2049836	1	A Network Trojan was detected	192.168.2.9	49721	104.21.96.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:36:54.507079+0100	2058598	1	Domain Observed Used for C2 Detected	192.168.2.9	58029	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:36:54.693448+0100	2058606	1	Domain Observed Used for C2 Detected	192.168.2.9	55548	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:36:54.482803+0100	2058656	1	Domain Observed Used for C2 Detected	192.168.2.9	54224	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:36:54.529489+0100	2058610	1	Domain Observed Used for C2 Detected	192.168.2.9	60901	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:36:54.495908+0100	2058616	1	Domain Observed Used for C2 Detected	192.168.2.9	54599	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:36:54.650999+0100	2058618	1	Domain Observed Used for C2 Detected	192.168.2.9	57327	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:36:54.676732+0100	2058622	1	Domain Observed Used for C2 Detected	192.168.2.9	64196	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:36:54.552115+0100	2058628	1	Domain Observed Used for C2 Detected	192.168.2.9	57219	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:36:54.518469+0100	2058632	1	Domain Observed Used for C2 Detected	192.168.2.9	58157	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T15:36:56.263111+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.9	49712	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://sputnik-1985.com/api&	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apim	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.Installer.exe.36e9550.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["rabidcowse.shop", "fancywaxxers.shop", "abruptyopsn.shop", "tirepublicerj.shop", "noisycuttej.shop", "wholersorie.shop", "nearycrepso.shop", "cloudewahsj.shop", "framekgirus.shop"], "Build id": "yau6Na--6331801298"}

Multi AV Scanner detection for submitted file

Source: Installer.exe

ReversingLabs: Detection: 44%

Machine Learning detection for sample

Source: Installer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: fancywaxxers.shop
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: yau6Na--6331801298

Source: Installer.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49721 version: TLS 1.2

Source: Installer.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WERF160.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WERF160.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERF160.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbSystem.ni.dll source: WERF160.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERF160.tmp.dmp.6.dr
Source:	Binary string: System.pdb) source: WERF160.tmp.dmp.6.dr
Source:	Binary string: Handler.pdb source: Installer.exe, WERF160.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERF160.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WERF160.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERF160.tmp.dmp.6.dr

Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], ecx	3_2_0040C1A8
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [eax+edx]	3_2_0040BADE
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-10h]	3_2_0040A2E6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov dword ptr [esp], esi	3_2_004086E0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-1B13ED05h]	3_2_00427050
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [eax], bl	3_2_0040D035
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+00000298h]	3_2_004180D5
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042A0AE
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6A911B6Ch	3_2_004198BC
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, eax	3_2_0041912A
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], bl	3_2_00409130
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 75827ABFh	3_2_0041993C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, eax	3_2_0041993C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, dword ptr [0044F8E4h]	3_2_004161F0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ebx, ecx	3_2_0043F9F4
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+ecx]	3_2_0043F9F4
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then jmp eax	3_2_004191AB
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then not eax	3_2_004191AB
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ebx, eax	3_2_00405A50
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ebp, eax	3_2_00405A50
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov edx, ecx	3_2_0040DA5B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+ecx]	3_2_00440275
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_00444A1B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movsx edx, byte ptr [esi+ecx]	3_2_00444A1B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ecx, eax	3_2_0040EA2B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_00420230
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then add ecx, FFFFFFFEh	3_2_0043F2A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then jmp eax	3_2_0042CB4C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+1Ah]	3_2_004093F0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_00430B9B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ebp, dword ptr [esp+1Ch]	3_2_00415BA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000174h]	3_2_004313A6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [ecx], bl	3_2_004303A9
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov esi, ecx	3_2_0040DC60
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 53585096h	3_2_0042BC60
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_00445480
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 27BE92A4h	3_2_00445480
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movsx edx, byte ptr [esi+ecx]	3_2_00444C90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 53585096h	3_2_0042BC60
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+03h]	3_2_0042BD1E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movsx edx, byte ptr [esi+ecx]	3_2_00444D20
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0043B5D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0Ch]	3_2_0041CDA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004225A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_00430DAC
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+20h]	3_2_004075B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	3_2_004075B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+03h]	3_2_0042C5B2
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042D5B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movsx edx, byte ptr [esi+ecx]	3_2_00444DB0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_00431E4C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov eax, ebx	3_2_0041DE50
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+2C360ABEh]	3_2_00427614
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then test esi, esi	3_2_0043F680
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	3_2_00402E90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042EEA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_00430B9B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042FF1E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042FF1E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-4Bh]	3_2_0042FF1E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000CAh]	3_2_0041BF35
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	3_2_0041A7D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042FFE7
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042FFE7
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-4Bh]	3_2_0042FFE7
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042FFF6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042FFF6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-4Bh]	3_2_0042FFF6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-75h]	3_2_00441F90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042FFA9
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042FFA9
Source: C:\Users\user\Desktop\Installer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-4Bh]	3_2_0042FFA9

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058628 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop) : 192.168.2.9:57219 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058598 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop) : 192.168.2.9:58029 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058656 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) : 192.168.2.9:54224 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058618 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop) : 192.168.2.9:57327 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058622 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop) : 192.168.2.9:64196 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058606 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop) : 192.168.2.9:55548 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058616 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop) : 192.168.2.9:54599 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058632 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop) : 192.168.2.9:58157 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058610 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop) : 192.168.2.9:60901 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.9:49712 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49721 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49721 -> 104.21.96.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: fancywaxxers.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: framekgirus.shop

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49721 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49712 -> 104.102.49.254:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: fancywaxxers.shop
Source: global traffic	DNS traffic detected: DNS query: nearycrepso.shop
Source: global traffic	DNS traffic detected: DNS query: abruptyopsn.shop
Source: global traffic	DNS traffic detected: DNS query: wholersorie.shop
Source: global traffic	DNS traffic detected: DNS query: framekgirus.shop
Source: global traffic	DNS traffic detected: DNS query: tirepublicerj.shop
Source: global traffic	DNS traffic detected: DNS query: noisycuttej.shop
Source: global traffic	DNS traffic detected: DNS query: rabidcowse.shop
Source: global traffic	DNS traffic detected: DNS query: cloudewahsj.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sputnik-1985.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com

Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Installer.exe, 00000003.00000002.1676958858.000000000140F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/
Source: Installer.exe, 00000003.00000002.1676958858.000000000140F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api
Source: Installer.exe, 00000003.00000002.1676772022.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api&
Source: Installer.exe, 00000003.00000002.1676958858.000000000140F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apim
Source: Installer.exe, 00000003.00000002.1676860090.00000000013D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Installer.exe, 00000003.00000002.1676860090.00000000013D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.9:49721 version: TLS 1.2

Source: C:\Users\user\Desktop\Installer.exe

Code function: 3_2_00438F80 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00438F80

Source: C:\Users\user\Desktop\Installer.exe

Code function: 3_2_00438F80 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00438F80

Source: C:\Users\user\Desktop\Installer.exe

Code function: 3_2_00439BC8 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00439BC8

Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_00B40870	0_2_00B40870
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_00B40860	0_2_00B40860
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0040AD90	3_2_0040AD90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00443662	3_2_00443662
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004086E0	3_2_004086E0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0040B701	3_2_0040B701
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00423040	3_2_00423040
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00427050	3_2_00427050
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00431062	3_2_00431062
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0043F830	3_2_0043F830
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0040D035	3_2_0040D035
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004180D5	3_2_004180D5
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004370D4	3_2_004370D4
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0043C0E4	3_2_0043C0E4
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0042B08F	3_2_0042B08F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00409890	3_2_00409890
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0043789F	3_2_0043789F
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0042A0AE	3_2_0042A0AE
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004038B0	3_2_004038B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004130B0	3_2_004130B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0042C967	3_2_0042C967
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00431104	3_2_00431104
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00445920	3_2_00445920
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0041993C	3_2_0041993C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004351E4	3_2_004351E4
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004259EE	3_2_004259EE
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004161F0	3_2_004161F0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0043F9F4	3_2_0043F9F4
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0041E190	3_2_0041E190
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004191AB	3_2_004191AB
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0041EA40	3_2_0041EA40
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00405A50	3_2_00405A50
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00404260	3_2_00404260
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00444A1B	3_2_00444A1B
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0043CA2A	3_2_0043CA2A
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004182C8	3_2_004182C8
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0042B2D4	3_2_0042B2D4
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00402AE0	3_2_00402AE0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004172E8	3_2_004172E8
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004442E9	3_2_004442E9
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00408A80	3_2_00408A80
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0043F2A0	3_2_0043F2A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00406340	3_2_00406340
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00417B4C	3_2_00417B4C
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00429BE0	3_2_00429BE0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00445BE0	3_2_00445BE0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004093F0	3_2_004093F0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0042CBF6	3_2_0042CBF6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00415BA0	3_2_00415BA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0043DBA0	3_2_0043DBA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0040DC60	3_2_0040DC60
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00427400	3_2_00427400
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00436430	3_2_00436430
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004124E0	3_2_004124E0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00430483	3_2_00430483
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00444C90	3_2_00444C90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004374AC	3_2_004374AC
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00404D50	3_2_00404D50
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00438D60	3_2_00438D60
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00445560	3_2_00445560
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00408D10	3_2_00408D10
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0042BD1E	3_2_0042BD1E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0041ED20	3_2_0041ED20
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00444D20	3_2_00444D20
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0040E532	3_2_0040E532
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0040CDCC	3_2_0040CDCC
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00433DE9	3_2_00433DE9
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004235F0	3_2_004235F0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0041CDA0	3_2_0041CDA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0041E5A0	3_2_0041E5A0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004075B0	3_2_004075B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00444DB0	3_2_00444DB0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0041DE50	3_2_0041DE50
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0041C66A	3_2_0041C66A
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00438602	3_2_00438602
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0043DE00	3_2_0043DE00
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00427614	3_2_00427614
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00433615	3_2_00433615
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004426D0	3_2_004426D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00421EE0	3_2_00421EE0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00415680	3_2_00415680
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00402E90	3_2_00402E90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00416EA7	3_2_00416EA7
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004326B0	3_2_004326B0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0043D6B8	3_2_0043D6B8
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00445F70	3_2_00445F70
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00420700	3_2_00420700
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00436710	3_2_00436710
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0043E710	3_2_0043E710
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0042FF1E	3_2_0042FF1E
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004067D0	3_2_004067D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0041A7D0	3_2_0041A7D0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_004117F2	3_2_004117F2
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0042FFF6	3_2_0042FFF6
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00429F80	3_2_00429F80
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00441F90	3_2_00441F90
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_00405FA0	3_2_00405FA0
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0042FFA9	3_2_0042FFA9

Source: C:\Users\user\Desktop\Installer.exe	Code function: String function: 00415670 appears 118 times
Source: C:\Users\user\Desktop\Installer.exe	Code function: String function: 004080D0 appears 46 times

Source: C:\Users\user\Desktop\Installer.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7516 -s 164

Source: Installer.exe, 00000000.00000002.1461600851.00000000009BE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs Installer.exe

Source: Installer.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Installer.exe

Static PE information: Section: .bss ZLIB complexity 1.000333021313364

Source: Installer.exe, Gq5hSfo2NxEmlo5Bpu.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Installer.exe, Gq5hSfo2NxEmlo5Bpu.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Installer.exe.36e9550.0.raw.unpack, Gq5hSfo2NxEmlo5Bpu.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Installer.exe.36e9550.0.raw.unpack, Gq5hSfo2NxEmlo5Bpu.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/5@11/2

Source: C:\Users\user\Desktop\Installer.exe

Code function: 3_2_00437C46 CoCreateInstance,

3_2_00437C46

Source: C:\Users\user\Desktop\Installer.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7516

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b899d532-02df-46b7-861c-46d3fea61985

Jump to behavior

Source: Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Installer.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Installer.exe

ReversingLabs: Detection: 44%

Source: Installer.exe

String found in binary or memory: file:///C:/Users/user/Desktop/Installer.exe

Source: C:\Users\user\Desktop\Installer.exe

File read: C:\Users\user\Desktop\Installer.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
Source: C:\Users\user\Desktop\Installer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Installer.exe	Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"
Source: C:\Users\user\Desktop\Installer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7516 -s 164
Source: C:\Users\user\Desktop\Installer.exe	Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Section loaded: dpapi.dll	Jump to behavior

Source: Installer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Installer.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Installer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WERF160.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WERF160.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERF160.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdbSystem.ni.dll source: WERF160.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERF160.tmp.dmp.6.dr
Source:	Binary string: System.pdb) source: WERF160.tmp.dmp.6.dr
Source:	Binary string: Handler.pdb source: Installer.exe, WERF160.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERF160.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WERF160.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERF160.tmp.dmp.6.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Installer.exe, Gq5hSfo2NxEmlo5Bpu.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Installer.exe.36e9550.0.raw.unpack, Gq5hSfo2NxEmlo5Bpu.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: Installer.exe

Static PE information: 0xFDE635DB [Fri Dec 26 08:18:35 2104 UTC]

Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0044AB84 push 780047B5h; retf	3_2_0044AB89
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0044BCF0 push esi; retf	3_2_0044BCF1
Source: C:\Users\user\Desktop\Installer.exe	Code function: 3_2_0044BD10 push esi; retf	3_2_0044BD11

Source: Installer.exe, Gq5hSfo2NxEmlo5Bpu.cs	High entropy of concatenated method names: 'FyRv9EUDee', 'nW4lBacjpc', 'CTsbJpA4ZL', 'jSAbXGMaP2', 'I0SbRUKCEN', 'ssAbtib8AI', 'IsmbaxBX5H', 'bh1Q2Kaev', 'HGLqt3UNH', 'G8OsJVsYV'
Source: 0.2.Installer.exe.36e9550.0.raw.unpack, Gq5hSfo2NxEmlo5Bpu.cs	High entropy of concatenated method names: 'FyRv9EUDee', 'nW4lBacjpc', 'CTsbJpA4ZL', 'jSAbXGMaP2', 'I0SbRUKCEN', 'ssAbtib8AI', 'IsmbaxBX5H', 'bh1Q2Kaev', 'HGLqt3UNH', 'G8OsJVsYV'

Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe	Memory allocated: B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe TID: 7660

Thread sleep time: -90000s >= -30000s

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Installer.exe, 00000003.00000002.1676958858.000000000140F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Installer.exe, 00000003.00000002.1676772022.00000000013BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW 8A
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Installer.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe

Code function: 3_2_004432F0 LdrInitializeThunk,

3_2_004432F0

Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_026E8635 mov edi, dword ptr fs:[00000030h]		0_2_026E8635
Source: C:\Users\user\Desktop\Installer.exe	Code function: 0_2_026E87B2 mov edi, dword ptr fs:[00000030h]		0_2_026E87B2

Source: C:\Users\user\Desktop\Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Installer.exe

Code function: 0_2_026E8635 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_026E8635

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Installer.exe

Memory written: C:\Users\user\Desktop\Installer.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Installer.exe, 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Installer.exe, 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Installer.exe, 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Installer.exe, 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Installer.exe, 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Installer.exe, 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Installer.exe, 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Installer.exe, 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Installer.exe, 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fancywaxxers.shop

Source: C:\Users\user\Desktop\Installer.exe

Process created: C:\Users\user\Desktop\Installer.exe "C:\Users\user\Desktop\Installer.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe	Queries volume information: C:\Users\user\Desktop\Installer.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Installer.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Installer.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Installer.exe.36e9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Installer.exe.36e9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1312035887.0000000000232000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Installer.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Installer.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Installer.exe.36e9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Installer.exe.36e9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1312035887.0000000000232000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	211 Process Injection	3 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Installer.exe	45%	ReversingLabs	ByteCode-MSIL.Ransomware.FileCrypt
Installer.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://sputnik-1985.com/api&	100%	Avira URL Cloud	malware
https://sputnik-1985.com/	100%	Avira URL Cloud	malware
https://sputnik-1985.com/apim	100%	Avira URL Cloud	malware
https://sputnik-1985.com/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
sputnik-1985.com	104.21.96.1	true	false	high
fancywaxxers.shop	unknown	unknown	false	high
cloudewahsj.shop	unknown	unknown	false	high
noisycuttej.shop	unknown	unknown	true	unknown
nearycrepso.shop	unknown	unknown	true	unknown
framekgirus.shop	unknown	unknown	true	unknown
rabidcowse.shop	unknown	unknown	true	unknown
wholersorie.shop	unknown	unknown	true	unknown
tirepublicerj.shop	unknown	unknown	true	unknown
abruptyopsn.shop	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cloudewahsj.shop	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
rabidcowse.shop	false		high
wholersorie.shop	false		high
https://sputnik-1985.com/api	true	Avira URL Cloud: malware	unknown
fancywaxxers.shop	false		high
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sputnik-1985.com/apim	Installer.exe, 00000003.00000002.1676958858.000000000140F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://steamcommunity.com/	Installer.exe, 00000003.00000002.1676860090.00000000013D2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/api&	Installer.exe, 00000003.00000002.1676772022.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sputnik-1985.com/	Installer.exe, 00000003.00000002.1676958858.000000000140F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.96.1	sputnik-1985.com	United States		13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585378
Start date and time:	2025-01-07 15:36:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Installer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/5@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 13 Number of non-executed functions: 63
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.107.246.45, 20.190.160.20, 20.12.23.50, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
09:36:53	API Interceptor	3x Sleep call for process: Installer.exe modified
09:37:08	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
104.21.96.1	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sputnik-1985.com	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.21.48.1
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	104.21.96.1
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
steamcommunity.com	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	104.102.49.254
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ZxSWvC0Tz7.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	KRNL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	setup.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
	Airbornemx_PAYOUT7370.odt	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://ipfs.io/ipfs/bafybeifkk7tuizumzirz7qfuxbcoggonud2b6gcvttaa7ewfdgltpybls4/index1.html?err=KHPGKXW3AEO13L6ZGUK&dispatch=B34&id=2849c1C900c31C62B159B3002c63C5#engineering@vanas.eu	Get hash	malicious	Unknown	Browse	104.17.24.14
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.25.52
	SET_UP.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse	104.21.25.52
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	https://sos-ch-gva-2.exo.io/ready/seah/continue/complete-this-to-continue.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.25.14
	te13.exe	Get hash	malicious	Metasploit	Browse	104.21.16.1
AKAMAI-ASUS	miori.spc.elf	Get hash	malicious	Unknown	Browse	95.100.160.33
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	miori.mpsl.elf	Get hash	malicious	Unknown	Browse	96.17.17.162
	miori.arm.elf	Get hash	malicious	Unknown	Browse	23.7.233.54
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	104.116.11.240
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse	104.102.49.254
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	23.57.90.169
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.102.49.254
	file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip	Get hash	malicious	Unknown	Browse	184.28.90.27
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	23.45.0.233

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.96.1
	64pOGv7k4N.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.102.49.254 104.21.96.1
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	H565rymIuO.doc	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.96.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Installer.exe_eaf59025957578de3dc17eaaa4ee0532955b6d_ff0f320d_b6604058-c252-4567-a150-f0bdc103ed4e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8852862684170268
Encrypted:	false
SSDEEP:	192:uwW6cMgA0LR3FdsaGGzuiFcCZ24IO8XM2:XW6cMgbLR30aHzuiFcCY4IO8Xt
MD5:	6663D6BFE2430C530BCB640BC6CC07C4
SHA1:	68C6878C2ED14DDF4ACF89DCC858B14388F3B148
SHA-256:	F7EE575167C7296B7F08CF69AEDD227BDCA12157CAA04B08BB7ECB34D4319654
SHA-512:	04C2878508B74AA1285158A04B9C96F1928669F5F7037EABA883E2DB3859C686622B209DC8B7A81876A8C724F490CCF4E810BD686DDF51A603B6FB35A8087106
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.7.3.4.2.1.4.3.3.0.5.0.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.7.3.4.2.1.5.6.1.1.7.3.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.6.6.0.4.0.5.8.-.c.2.5.2.-.4.5.6.7.-.a.1.5.0.-.f.0.b.d.c.1.0.3.e.d.4.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.a.9.b.e.c.7.-.4.0.4.b.-.4.1.4.f.-.a.6.1.3.-.c.d.e.7.8.3.8.e.f.b.1.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.n.s.t.a.l.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.5.c.-.0.0.0.1.-.0.0.1.4.-.3.0.f.1.-.4.3.9.8.1.1.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.d.8.9.b.e.5.0.3.d.2.d.5.1.5.d.0.1.9.8.e.3.c.2.c.c.8.2.d.1.d.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.6.2.2.7.c.6.d.7.9.f.e.5.f.7.b.a.3.b.6.b.9.7.8.f.d.9.7.e.6.9.f.c.3.4.7.9.6.f.0.!.I.n.s.t.a.l.l.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.1.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF160.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Jan 7 14:36:54 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	153794
Entropy (8bit):	3.7375526909618304
Encrypted:	false
SSDEEP:	1536:qK9Ls7ICHU1cCDetT8t9xJHuBojRxpN4uE2aOALTgDgquxAnfx8:J9gQIgtfvd4uEqALTgMqRJ
MD5:	4541D9584140D89A38FFFD27E189A012
SHA1:	C5FEC73EA9AFF66A105F36DA05D429FEC58D6F42
SHA-256:	0092676E7E061E6AA256A3C71D73E1540E56843C5FC2F26311DD210D2BFC5897
SHA-512:	3C19E54445CC5492E1D6145381176D0D1ABF6D27FA43CB52BF0550688E72C492BF69D3B190ED3842461849BFB04E878D64E5716E7F5FBDD14EBCD4E8B4FB4C91
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........<}g....................................$................/..........`.......8...........T...........($...4......................................................................................................eJ......P.......GenuineIntel............T.......\....<}g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF26B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8378
Entropy (8bit):	3.6875673152919792
Encrypted:	false
SSDEEP:	192:R6l7wVeJCMh6r+6YcDCSU9UjlgmfCVJJprr89bQNsfwwm:R6lXJF6i6YlSU9UjlgmfCVJYQGf+
MD5:	A58E0CC11F2D9D3F138BE11BB5B7BAE4
SHA1:	94F829D45A10BA132438CC1C5CA0578A62F31996
SHA-256:	70BB04A3E693A35141771D792DDD4DC3790A0907EA0BF4B75D512E6A746BDAA0
SHA-512:	A0AE7E156CAC086B3DC419EA46BD36EEF6B0F910B7BCA183B8DB618131E30470F14F4F3464D443C9F9D97C581FA760570E1D0E082C9047D0DD18F17A02BE7D4E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF28B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4687
Entropy (8bit):	4.440119144705082
Encrypted:	false
SSDEEP:	96:uIjfPBI7G27VNJ7nf9KGnfV3eEwTVJzid:uIzBYG275L3hUrzg
MD5:	00BF2ACF2054092F33670485686FC398
SHA1:	76142995971EDBEAB8EF093E576FE1D084CC85C5
SHA-256:	532C3228A67F0CC9994B38DF1C19FB4F5AE9BD3A053FBCBBEBE6AD11BEB64C94
SHA-512:	A3F71EA47773FCDD979EDFF7CC038372AC8BC638995E4D9DCEEE4D5B1FEAA78705BB6C5E571C98A0B3F0EAC266251CC51DEE9380783F500440F89E6A7258CCAE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="665619" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.393912878682799
Encrypted:	false
SSDEEP:	6144:Bl4fiJoH0ncNXiUjt10qAG/gaocYGBoaUMMhA2NX4WABlBuNAwOBSqa:34vFAMYQUMM6VFYSwU
MD5:	BD0C4BA58FDC412590F507309B9A935F
SHA1:	0FB9AC7332B26EF99D8668166CCAAAA164ADCDE3
SHA-256:	F44C0C4E7002448D41C77057EA671AB23BFC4DC8E9963A1B15DF35147F12FD1C
SHA-512:	3580B2E9753ABA936754832F09214863726DDDDA7FE6588D5960BB54129840270A9CC9298C8AA5A0C3635B4CAD9C801E7349A0D5F7C72B264E928517CD470B5B
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....a..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.933081351074051
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Installer.exe
File size:	370'176 bytes
MD5:	34a3481203725a7a71f3d1396f3af901
SHA1:	f6227c6d79fe5f7ba3b6b978fd97e69fc34796f0
SHA256:	312fad54a43a1288c4df1aac24ee0809f30b38a2d6b9837110d3343aa8f04cdd
SHA512:	52458c8be4fb6c47c1899994b332fc3ec0a09705f477c0424b4850eeeacd7dccb4a869ec16b45a3bbb0f4c62947123400927bdc29e143988871d5c20354ea0af
SSDEEP:	6144:6BNgBIBbkWunVDgLQzDN8xj+3/0j2qSL6qLsVCaXzOxNjIfuKuu5QkpnQ:9BsQW+VaQPN8xj+P0j2qPq4VCqz2dIfI
TLSH:	B8742214FB47D16AD17E1B3118D2A1615A35E78DA303BBAA2FCE715D8B13B932703B81
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5................0.................. ........@.. ....................... .......{....`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40a4ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xFDE635DB [Fri Dec 26 08:18:35 2104 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa460	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa416	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x84b4	0x8600	369d001326e883543c707b14540fb32b	False	0.5007870802238806	data	5.924417678622339	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x242	0x400	14d8e51a66bfa2cb04d0bad62fb2e968	False	0.3037109375	data	3.5160679793070893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	d0f37ca255b52359c01ecedc95631520	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x10000	0x51600	0x51600	416afabc9620a36bde84f512e5ef52b2	False	1.000333021313364	data	7.999440904071402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc058	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T15:36:54.482803+0100	2058656	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)	1	192.168.2.9	54224	1.1.1.1	53	UDP
2025-01-07T15:36:54.495908+0100	2058616	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)	1	192.168.2.9	54599	1.1.1.1	53	UDP
2025-01-07T15:36:54.507079+0100	2058598	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop)	1	192.168.2.9	58029	1.1.1.1	53	UDP
2025-01-07T15:36:54.518469+0100	2058632	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop)	1	192.168.2.9	58157	1.1.1.1	53	UDP
2025-01-07T15:36:54.529489+0100	2058610	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop)	1	192.168.2.9	60901	1.1.1.1	53	UDP
2025-01-07T15:36:54.552115+0100	2058628	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop)	1	192.168.2.9	57219	1.1.1.1	53	UDP
2025-01-07T15:36:54.650999+0100	2058618	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop)	1	192.168.2.9	57327	1.1.1.1	53	UDP
2025-01-07T15:36:54.676732+0100	2058622	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop)	1	192.168.2.9	64196	1.1.1.1	53	UDP
2025-01-07T15:36:54.693448+0100	2058606	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop)	1	192.168.2.9	55548	1.1.1.1	53	UDP
2025-01-07T15:36:55.400019+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49712	104.102.49.254	443	TCP
2025-01-07T15:36:56.263111+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.9	49712	104.102.49.254	443	TCP
2025-01-07T15:36:56.907969+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49721	104.21.96.1	443	TCP
2025-01-07T15:37:30.471217+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.9	49721	104.21.96.1	443	TCP
2025-01-07T15:37:30.471217+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.9	49721	104.21.96.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 15:36:54.716928959 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:54.716968060 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:54.717025995 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:54.722703934 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:54.722717047 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:55.399938107 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:55.400018930 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:55.525969028 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:55.525990009 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:55.526315928 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:55.579670906 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:55.613800049 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:55.659341097 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.263158083 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.263184071 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.263191938 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.263206959 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.263215065 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.263228893 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:56.263243914 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.263282061 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:56.263323069 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:56.356560946 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.356597900 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.356645107 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:56.356689930 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.356703997 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:56.356738091 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:56.361644983 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.361723900 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:56.366043091 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.366089106 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:56.366092920 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.366149902 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:56.390117884 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:56.390151978 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.390444040 CET	49712	443	192.168.2.9	104.102.49.254
Jan 7, 2025 15:36:56.390450954 CET	443	49712	104.102.49.254	192.168.2.9
Jan 7, 2025 15:36:56.427943945 CET	49721	443	192.168.2.9	104.21.96.1
Jan 7, 2025 15:36:56.427997112 CET	443	49721	104.21.96.1	192.168.2.9
Jan 7, 2025 15:36:56.428082943 CET	49721	443	192.168.2.9	104.21.96.1
Jan 7, 2025 15:36:56.428682089 CET	49721	443	192.168.2.9	104.21.96.1
Jan 7, 2025 15:36:56.428694963 CET	443	49721	104.21.96.1	192.168.2.9
Jan 7, 2025 15:36:56.907895088 CET	443	49721	104.21.96.1	192.168.2.9
Jan 7, 2025 15:36:56.907968998 CET	49721	443	192.168.2.9	104.21.96.1
Jan 7, 2025 15:36:56.909830093 CET	49721	443	192.168.2.9	104.21.96.1
Jan 7, 2025 15:36:56.909847975 CET	443	49721	104.21.96.1	192.168.2.9
Jan 7, 2025 15:36:56.910098076 CET	443	49721	104.21.96.1	192.168.2.9
Jan 7, 2025 15:36:56.911366940 CET	49721	443	192.168.2.9	104.21.96.1
Jan 7, 2025 15:36:56.911596060 CET	49721	443	192.168.2.9	104.21.96.1
Jan 7, 2025 15:36:56.911634922 CET	443	49721	104.21.96.1	192.168.2.9
Jan 7, 2025 15:37:30.470621109 CET	49721	443	192.168.2.9	104.21.96.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 15:36:54.482803106 CET	54224	53	192.168.2.9	1.1.1.1
Jan 7, 2025 15:36:54.491561890 CET	53	54224	1.1.1.1	192.168.2.9
Jan 7, 2025 15:36:54.495908022 CET	54599	53	192.168.2.9	1.1.1.1
Jan 7, 2025 15:36:54.504463911 CET	53	54599	1.1.1.1	192.168.2.9
Jan 7, 2025 15:36:54.507078886 CET	58029	53	192.168.2.9	1.1.1.1
Jan 7, 2025 15:36:54.516155958 CET	53	58029	1.1.1.1	192.168.2.9
Jan 7, 2025 15:36:54.518469095 CET	58157	53	192.168.2.9	1.1.1.1
Jan 7, 2025 15:36:54.527393103 CET	53	58157	1.1.1.1	192.168.2.9
Jan 7, 2025 15:36:54.529489040 CET	60901	53	192.168.2.9	1.1.1.1
Jan 7, 2025 15:36:54.538995981 CET	53	60901	1.1.1.1	192.168.2.9
Jan 7, 2025 15:36:54.552114964 CET	57219	53	192.168.2.9	1.1.1.1
Jan 7, 2025 15:36:54.634059906 CET	53	57219	1.1.1.1	192.168.2.9
Jan 7, 2025 15:36:54.650999069 CET	57327	53	192.168.2.9	1.1.1.1
Jan 7, 2025 15:36:54.659646034 CET	53	57327	1.1.1.1	192.168.2.9
Jan 7, 2025 15:36:54.676732063 CET	64196	53	192.168.2.9	1.1.1.1
Jan 7, 2025 15:36:54.685765982 CET	53	64196	1.1.1.1	192.168.2.9
Jan 7, 2025 15:36:54.693448067 CET	55548	53	192.168.2.9	1.1.1.1
Jan 7, 2025 15:36:54.702892065 CET	53	55548	1.1.1.1	192.168.2.9
Jan 7, 2025 15:36:54.704274893 CET	55008	53	192.168.2.9	1.1.1.1
Jan 7, 2025 15:36:54.711167097 CET	53	55008	1.1.1.1	192.168.2.9
Jan 7, 2025 15:36:56.393348932 CET	55756	53	192.168.2.9	1.1.1.1
Jan 7, 2025 15:36:56.427131891 CET	53	55756	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 15:36:54.482803106 CET	192.168.2.9	1.1.1.1	0xb867	Standard query (0)	fancywaxxers.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.495908022 CET	192.168.2.9	1.1.1.1	0xbd70	Standard query (0)	nearycrepso.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.507078886 CET	192.168.2.9	1.1.1.1	0xdc	Standard query (0)	abruptyopsn.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.518469095 CET	192.168.2.9	1.1.1.1	0x41ca	Standard query (0)	wholersorie.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.529489040 CET	192.168.2.9	1.1.1.1	0x66ff	Standard query (0)	framekgirus.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.552114964 CET	192.168.2.9	1.1.1.1	0xa3ad	Standard query (0)	tirepublicerj.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.650999069 CET	192.168.2.9	1.1.1.1	0x7cb7	Standard query (0)	noisycuttej.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.676732063 CET	192.168.2.9	1.1.1.1	0x6888	Standard query (0)	rabidcowse.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.693448067 CET	192.168.2.9	1.1.1.1	0x3d0f	Standard query (0)	cloudewahsj.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.704274893 CET	192.168.2.9	1.1.1.1	0x307b	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:56.393348932 CET	192.168.2.9	1.1.1.1	0xe413	Standard query (0)	sputnik-1985.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 15:36:54.491561890 CET	1.1.1.1	192.168.2.9	0xb867	Name error (3)	fancywaxxers.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.504463911 CET	1.1.1.1	192.168.2.9	0xbd70	Name error (3)	nearycrepso.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.516155958 CET	1.1.1.1	192.168.2.9	0xdc	Name error (3)	abruptyopsn.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.527393103 CET	1.1.1.1	192.168.2.9	0x41ca	Name error (3)	wholersorie.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.538995981 CET	1.1.1.1	192.168.2.9	0x66ff	Name error (3)	framekgirus.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.634059906 CET	1.1.1.1	192.168.2.9	0xa3ad	Name error (3)	tirepublicerj.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.659646034 CET	1.1.1.1	192.168.2.9	0x7cb7	Name error (3)	noisycuttej.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.685765982 CET	1.1.1.1	192.168.2.9	0x6888	Name error (3)	rabidcowse.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.702892065 CET	1.1.1.1	192.168.2.9	0x3d0f	Name error (3)	cloudewahsj.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:54.711167097 CET	1.1.1.1	192.168.2.9	0x307b	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:56.427131891 CET	1.1.1.1	192.168.2.9	0xe413	No error (0)	sputnik-1985.com		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:56.427131891 CET	1.1.1.1	192.168.2.9	0xe413	No error (0)	sputnik-1985.com		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:56.427131891 CET	1.1.1.1	192.168.2.9	0xe413	No error (0)	sputnik-1985.com		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:56.427131891 CET	1.1.1.1	192.168.2.9	0xe413	No error (0)	sputnik-1985.com		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:56.427131891 CET	1.1.1.1	192.168.2.9	0xe413	No error (0)	sputnik-1985.com		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:56.427131891 CET	1.1.1.1	192.168.2.9	0xe413	No error (0)	sputnik-1985.com		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 15:36:56.427131891 CET	1.1.1.1	192.168.2.9	0xe413	No error (0)	sputnik-1985.com		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sputnik-1985.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49712	104.102.49.254	443	7616	C:\Users\user\Desktop\Installer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 14:36:55 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-07 14:36:56 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 07 Jan 2025 14:36:56 GMT Content-Length: 35126 Connection: close Set-Cookie: sessionid=42a710869e9f1b24b7aa3d40; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-07 14:36:56 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-07 14:36:56 UTC	16384	IN	Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-07 14:36:56 UTC	3768	IN	Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-07 14:36:56 UTC	495	IN	Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 Data Ascii: criber Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49721	104.21.96.1	443	7616	C:\Users\user\Desktop\Installer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 14:36:56 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sputnik-1985.com
2025-01-07 14:36:56 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life

Target ID:	0
Start time:	09:36:53
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Installer.exe"
Imagebase:	0x230000
File size:	370'176 bytes
MD5 hash:	34A3481203725A7A71F3D1396F3AF901
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1312035887.0000000000232000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1462173833.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:36:53
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:36:53
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\Installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Installer.exe"
Imagebase:	0xf00000
File size:	370'176 bytes
MD5 hash:	34A3481203725A7A71F3D1396F3AF901
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:36:54
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7516 -s 164
Imagebase:	0xdd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.8%
Total number of Nodes:	26
Total number of Limit Nodes:	3

Executed Functions

Function 026E8635 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,026E85A7,026E8597), ref: 026E87CD
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 026E87E0
Wow64GetThreadContext.KERNEL32(000000AC,00000000), ref: 026E87FE
ReadProcessMemory.KERNELBASE(000000A8,?,026E85EB,00000004,00000000), ref: 026E8822
VirtualAllocEx.KERNELBASE(000000A8,?,?,00003000,00000040), ref: 026E884D
WriteProcessMemory.KERNELBASE(000000A8,00000000,?,?,00000000,?), ref: 026E88A5
WriteProcessMemory.KERNELBASE(000000A8,00400000,?,?,00000000,?,00000028), ref: 026E88F0
WriteProcessMemory.KERNELBASE(000000A8,?,?,00000004,00000000), ref: 026E892E
Wow64SetThreadContext.KERNEL32(000000AC,02650000), ref: 026E896A
ResumeThread.KERNELBASE(000000AC), ref: 026E8979

Strings

GetThreadContext, xrefs: 026E870F
Load, xrefs: 026E8673
ReadProcessMemory, xrefs: 026E8722
VirtualAllocEx, xrefs: 026E8735
aryA, xrefs: 026E867B
TerminateProcess, xrefs: 026E885C
VirtualAlloc, xrefs: 026E86FC
GetP, xrefs: 026E86B7
SetThreadContext, xrefs: 026E875B
ress, xrefs: 026E86BF
ResumeThread, xrefs: 026E8771
WriteProcessMemory, xrefs: 026E8748
CreateProcessW, xrefs: 026E86E9

Memory Dump Source

Source File: 00000000.00000002.1462135774.00000000026E8000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e8000_Installer.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-232383841
Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction ID: 6e9a9d91fd6d0d5cf38606e91c1ea058f463df94397b445f153bd6f2f3d5bf8f
Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction Fuzzy Hash: 87B1187664124AAFDB60CF68CC80BDA73A5FF88714F158124EA0DAB351D770FA51CB94

Function 026E87B2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,026E85A7,026E8597), ref: 026E87CD
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 026E87E0
Wow64GetThreadContext.KERNEL32(000000AC,00000000), ref: 026E87FE
ReadProcessMemory.KERNELBASE(000000A8,?,026E85EB,00000004,00000000), ref: 026E8822
VirtualAllocEx.KERNELBASE(000000A8,?,?,00003000,00000040), ref: 026E884D
WriteProcessMemory.KERNELBASE(000000A8,00000000,?,?,00000000,?), ref: 026E88A5
WriteProcessMemory.KERNELBASE(000000A8,00400000,?,?,00000000,?,00000028), ref: 026E88F0
WriteProcessMemory.KERNELBASE(000000A8,?,?,00000004,00000000), ref: 026E892E
Wow64SetThreadContext.KERNEL32(000000AC,02650000), ref: 026E896A
ResumeThread.KERNELBASE(000000AC), ref: 026E8979

Strings

TerminateProcess, xrefs: 026E885C

Memory Dump Source

Source File: 00000000.00000002.1462135774.00000000026E8000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26e8000_Installer.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: TerminateProcess
API String ID: 2687962208-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: ce1c5f1ba4271a594224e3e244ff2cfd97f753980291782fe68b7aeed48f06c4
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: AB312D72641646ABDB34CF94CC91FEA7365BFC8B15F148508EB09AF281C6B4BA018B94

Function 00B42C40 Relevance: 1.7, APIs: 1, Instructions: 249
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(036E3588,00000000,?,?), ref: 00B42F41

Memory Dump Source

Source File: 00000000.00000002.1461792673.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Installer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f76c0cefc02390fd835f917f54d2922225f5a84c24929c9b92589594fb16b06f
Instruction ID: c2e013a5a7e8c6de5ebe1f17f400b5d65cedeb1573a68e81627780b1a306114b
Opcode Fuzzy Hash: f76c0cefc02390fd835f917f54d2922225f5a84c24929c9b92589594fb16b06f
Instruction Fuzzy Hash: 3CB15D709002599FCB05CFA9D480AEDFFF1BF49314F59C599E858AB356C330A981DBA4

Function 00B406E8 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(036E3588,00000000,?,?), ref: 00B42F41

Memory Dump Source

Source File: 00000000.00000002.1461792673.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Installer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 19e5850e82c37cdc764e3a3bc7542933bf6477a7562825c6bc3f62bc21580653
Instruction ID: cc9b67b89a7e778800d4709a0e86fe3cd14fdbaf95ef4a824439681097d1958e
Opcode Fuzzy Hash: 19e5850e82c37cdc764e3a3bc7542933bf6477a7562825c6bc3f62bc21580653
Instruction Fuzzy Hash: A421E3B5D00219AFCB00DF9AD884ADEFBF4FB08310F50816AE918A7240C3B46A54CBE1

Non-executed Functions

Function 00B40860 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461792673.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e38fb952e6dd727e36d502accbb792fdfb69950c66d2958bff9a9f7aa7c790d
Instruction ID: 438658d695d76b45ee1c634281f1faf3d5885b486a4a07e42d0ccc7d9118e542
Opcode Fuzzy Hash: 3e38fb952e6dd727e36d502accbb792fdfb69950c66d2958bff9a9f7aa7c790d
Instruction Fuzzy Hash: 4F614E75A14244CFE70AEF7AE85069ABBE3BFC8300F14D129D0189F36AEB3159499F51

Function 00B40870 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461792673.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2666efe7b579ea672b49bc5f60858619bc022a30454c5e91e1282481b8e7744
Instruction ID: a5a2f7678f64a4a9a9fcbea17c86b2f46c2e9509ffa962ce6cb6c5ff006c7050
Opcode Fuzzy Hash: f2666efe7b579ea672b49bc5f60858619bc022a30454c5e91e1282481b8e7744
Instruction Fuzzy Hash: AF512CB5A14244CFE709EF7AE84069ABBE3BBC8300F14D129D0189F36AEF3159499F51

Analysis Process: Installer.exePID: 7616, Parent PID: 7516COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.6%
Total number of Nodes:	54
Total number of Limit Nodes:	4

Executed Functions

Function 0040BADE Relevance: 10.2, Strings: 8, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R P&, xrefs: 0040BEC3
7D%J, xrefs: 0040BD8E
TZ, xrefs: 0040BDAA
C0Q6, xrefs: 0040BEEB
^$W*, xrefs: 0040BECD
6@3F, xrefs: 0040BD87
[([., xrefs: 0040BED7
_,_2, xrefs: 0040BEE1

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: 6@3F$7D%J$C0Q6$R P&$[([.$^$W*$_,_2$TZ
API String ID: 0-3713476870
Opcode ID: 50107483028f6669b2a3e4ba003ebf37a78b3812e1cd49496b9529f50ab54a72
Instruction ID: 1ce9335a2001f4a3d2f66c807296d79e4f62f7eb002acf8c61fa8a7bf6427300
Opcode Fuzzy Hash: 50107483028f6669b2a3e4ba003ebf37a78b3812e1cd49496b9529f50ab54a72
Instruction Fuzzy Hash: 42C1FCF0915344DFE354CF21CA89BA57BA1BB01300F1A86E9D2592F376C779844ACF99

Function 004086E0 Relevance: 7.8, APIs: 5, Instructions: 292
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408704
GetCurrentThreadId.KERNEL32 ref: 0040870D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087DB
GetForegroundWindow.USER32 ref: 004087F0
ExitProcess.KERNEL32 ref: 00408A6D

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 3eed64d929eee2b9499c927cde6d6fcde07e0bf390feb32ac105c1ef8736e949
Instruction ID: 2bea2bb01e7bd981f2993c0e9aedfded19c5a313d9b777b2ccb8f50afee8e61d
Opcode Fuzzy Hash: 3eed64d929eee2b9499c927cde6d6fcde07e0bf390feb32ac105c1ef8736e949
Instruction Fuzzy Hash: A8918B73F447144FE318AFB9CD4236AB6D29BD4310F0A863EA899E73D1ED789C058685

Function 0040A2E6 Relevance: 3.8, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ke, xrefs: 0040A340
wq, xrefs: 0040A32B
sm, xrefs: 0040A332

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: ke$sm$wq
API String ID: 0-1070796638
Opcode ID: 82aed4301e1b5c445e25654c070a1cbbe31837e64c0184223e4e58fdcc52bca2
Instruction ID: 635dc1dde54d75914a28477100aab8951c330a8601bbcd013b2387e3860f289a
Opcode Fuzzy Hash: 82aed4301e1b5c445e25654c070a1cbbe31837e64c0184223e4e58fdcc52bca2
Instruction Fuzzy Hash: 033165F9960254CFD7488F16C982E6A7F72FF95305B2A9198E125AF726CB74C801CF48

Function 004432F0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044639B,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0044331E

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040C1A8 Relevance: .2, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05ea201cce5a834cdc4e5da85a552669609d691de9ad3919792fc6320572fb2
Instruction ID: 876313698d5d4bea57630c4eef8f86ae7af812e09adc284ab8bed25d77851534
Opcode Fuzzy Hash: a05ea201cce5a834cdc4e5da85a552669609d691de9ad3919792fc6320572fb2
Instruction Fuzzy Hash: D361D675B142158FCB18CF58DCA1BAB77B2FF89310F194269D851AB3A1D7389901CB94

Function 0043D43C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043D461

Strings

o, xrefs: 0043D47D
R, xrefs: 0043D476
l, xrefs: 0043D484
X, xrefs: 0043D46F

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: R$X$l$o
API String ID: 95929093-4278219656
Opcode ID: aa5e156c1cb9ffab9ffa112cdc40fb14b38ed3d8acdbdc33af45385fd0034982
Instruction ID: 07120493f8f6b819594b2452504ef42649066ea2d72d8637259f9bb8730821e7
Opcode Fuzzy Hash: aa5e156c1cb9ffab9ffa112cdc40fb14b38ed3d8acdbdc33af45385fd0034982
Instruction Fuzzy Hash: 54115676E181A48BDB15CB389C0439A7FA1BB9A310F1941FDC8CD6738AC6395C448F91

Function 0044360E Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0044360E
GetForegroundWindow.USER32 ref: 00443620

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: cf6c287888752ad8f8ede0e9be996827efa14765949ef5c3f19d0fe3bfba9ddf
Instruction ID: 9746a7a5242b47e8803ee6f897c3a848e9385d6712280fa86ac3ef3b2663e0cd
Opcode Fuzzy Hash: cf6c287888752ad8f8ede0e9be996827efa14765949ef5c3f19d0fe3bfba9ddf
Instruction Fuzzy Hash: F3D05BF9F0044ACBEF04EBF1ED4A85E7379BB463097044039D506C3113E534B9068B49

Function 00443260 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B8C9,?,00000000), ref: 00443292

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 11f28028ee3bfb7474188700700e9ce0212af473829c9dccb294b65ca42e175a
Instruction ID: 579e7fdfa3a30c030e85feb1f24788ea1c96196a65c0c1bb3de329ad90868e1c
Opcode Fuzzy Hash: 11f28028ee3bfb7474188700700e9ce0212af473829c9dccb294b65ca42e175a
Instruction Fuzzy Hash: 55F024B6518210FBE2005F26BC019573768BF87746F05087AE40162122DB39E901C6AF

Function 00441900 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,1D1C4322,?,004089BA,1D1C4322), ref: 00441910

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: db8b90a30670b51f87b38448b02a4d82cdd5c8817a3f4e7aad21af0b3ba051b1
Instruction ID: e5a79229dd06da2e6182fc3858bc9936b34db5da2afdbdf4180c95aacf9e5ece
Opcode Fuzzy Hash: db8b90a30670b51f87b38448b02a4d82cdd5c8817a3f4e7aad21af0b3ba051b1
Instruction Fuzzy Hash: 78C09B71155130BBE5112B15FC05FC73F54DF45362F010465B00467072C761BC91D6D8

Non-executed Functions

Function 00427614 Relevance: 40.1, Strings: 31, Instructions: 1338COMMON

Download Yara Rule

Strings

=d?z, xrefs: 00428149
~CzM, xrefs: 00427E58
{H, xrefs: 00427A4C
g4a*, xrefs: 00427AE6
KxM~, xrefs: 00428154
{x, xrefs: 00427B75
l8r>, xrefs: 00427AC5
z(~., xrefs: 00427AF1
K<A2, xrefs: 004280AF
:@=F, xrefs: 004280E6
/P"V, xrefs: 00428112
~,|", xrefs: 00427AFC
Bp@v, xrefs: 0042816A
7X^, xrefs: 004280FC
$T*j, xrefs: 0042811D
*\)R, xrefs: 00428107
N|Jr, xrefs: 0042815F
Xl&b, xrefs: 00428133
h8L>, xrefs: 004280A4
j<z2, xrefs: 00427AD0
H4YJ, xrefs: 004280C5
@0B6, xrefs: 004280BA
I, xrefs: 00427B5F
@A, xrefs: 00427D93
Q~N|, xrefs: 00427859
~M, xrefs: 00427A57
L(L., xrefs: 00428078
<L7B, xrefs: 004280DB
d, xrefs: 0042803C
V`&f, xrefs: 0042813E
"D2Z, xrefs: 004280F1

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: "D2Z$$T*j$*\)R$/P"V$7X^$:@=F$<L7B$=d?z$@0B6$@A$Bp@v$H4YJ$I$K<A2$KxM~$L(L.$N|Jr$Q~N|$V`&f$Xl&b$d$g4a*$h8L>$j<z2$l8r>$z(~.${x${H$~,|"$~CzM$~M
API String ID: 0-2257973543
Opcode ID: 02f008eca3e182c90fd0a89467243a696d1a7687e85b10e0b56220567cd95367
Instruction ID: 9d81d03beae1fa287d7fc0644b55993790578dc391a3280a540ea9dbb54cbedf
Opcode Fuzzy Hash: 02f008eca3e182c90fd0a89467243a696d1a7687e85b10e0b56220567cd95367
Instruction Fuzzy Hash: BCB2A4B560D3918BD334CF24D8817AFBBF2FB82300F44892DD4999B255EB758A05CB96

Function 0041912A Relevance: 12.6, Strings: 10, Instructions: 65COMMON

Download Yara Rule

Strings

51;q, xrefs: 0041913E
J, xrefs: 004190D8
,, xrefs: 004190D1
)/$,, xrefs: 00419146
)/$,, xrefs: 004190C1
J, xrefs: 0041915D
;&'$, xrefs: 0041914E
,, xrefs: 00419156
51;q, xrefs: 004190B9
;&'$, xrefs: 004190C9

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: ,$ ,$)/$,$)/$,$51;q$51;q$;&'$$;&'$$J$J
API String ID: 0-3876973321
Opcode ID: 31cdf0e0db6db7e1b29e25f15e2e5df66914c3e298220f1d5577c5d26a7f159c
Instruction ID: ac786b719c89e334a27f00425ca3f7df6fc1690f0ce0ad08caae3d0c9f5b954e
Opcode Fuzzy Hash: 31cdf0e0db6db7e1b29e25f15e2e5df66914c3e298220f1d5577c5d26a7f159c
Instruction Fuzzy Hash: BE215CB00083409BD3449F21E99575BBBE4AB9630CF942A1DF0C85A292D779C5458B5B

Function 00427400 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 252COMMON

Download Yara Rule

Strings

V[, xrefs: 004272F8
G, xrefs: 0042734A, 00427362, 00427368
]O, xrefs: 004272F1
'$, xrefs: 004274B8
G, xrefs: 004272FF
~TSJ, xrefs: 00427467, 00427551

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: '$$G$G$V[$]O$~TSJ
API String ID: 0-3060226985
Opcode ID: 30b23e161d6c855239ecf15423b11e00f441238c6a800e57ef15bd0b6e1152e2
Instruction ID: c170e13bf696aae3c1346627234169bca2f5be655450be02382c433076410631
Opcode Fuzzy Hash: 30b23e161d6c855239ecf15423b11e00f441238c6a800e57ef15bd0b6e1152e2
Instruction Fuzzy Hash: A8815776A083108FD724CF68DC817DFB7E1EB85318F19856DE958AB382D77898058B92

Function 00427050 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 340COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042721F
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004272BB

Strings

V[, xrefs: 004272F8
G, xrefs: 0042734A, 00427362, 00427368
]O, xrefs: 004272F1
G, xrefs: 004272FF

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: G$G$V[$]O
API String ID: 237503144-3235219038
Opcode ID: e557ea8437e494ab5a348501e1d9d32a5fd17f0c068e804958f71fecc9c80fb5
Instruction ID: 860be4bc2765a18c395a386bc4419bcd3e23a74a170a8526f1cc0adcf36f91d2
Opcode Fuzzy Hash: e557ea8437e494ab5a348501e1d9d32a5fd17f0c068e804958f71fecc9c80fb5
Instruction Fuzzy Hash: 76B12372E002148FDB14CFA9DC41B9EBBB2FB85310F1A8179D914AB395D7B89906CB91

Function 0041993C Relevance: 9.7, Strings: 7, Instructions: 952COMMON

Download Yara Rule

Strings

yr, xrefs: 00419B48
1, xrefs: 0041A2BB
pw, xrefs: 00419B58
Or, xrefs: 00419A5F
OO, xrefs: 00419A6A
*V(, xrefs: 00419AF8
D, xrefs: 00419D1B

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: *V($1$D$OO$Or$pw$yr
API String ID: 0-1441076997
Opcode ID: 7959c8bf3e4bb915f478a052e4283281bfb42debb4f2a09241072458fab6b714
Instruction ID: 71b4b91e9f2bc555cb0b447c8bb6fde0fd059403ec366e199f44411df01fb192
Opcode Fuzzy Hash: 7959c8bf3e4bb915f478a052e4283281bfb42debb4f2a09241072458fab6b714
Instruction Fuzzy Hash: 0E52F5741083409FE724CF24C865BAB77E1FF86314F18896EE0DA8B3A1D7389955CB5A

Function 0040E532 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 340COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040E53E

Strings

xO, xrefs: 0040E80D
ssr, xrefs: 0040E66D
Ar, xrefs: 0040E823
{A, xrefs: 0040E54C
tz, xrefs: 0040E82E

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: Uninitialize
String ID: Ar$ssr$tz$xO${A
API String ID: 3861434553-1460575286
Opcode ID: a0aca3a9eb95ce842df059a5ac210f4a26d5ddac5b75e852d99b4382cea516b4
Instruction ID: 440cc566bb72c6cba4c8179e69850c6a7485ef32ccda56f3cbceb27d9410abe0
Opcode Fuzzy Hash: a0aca3a9eb95ce842df059a5ac210f4a26d5ddac5b75e852d99b4382cea516b4
Instruction Fuzzy Hash: 25B1E17450C3D18AE730CF25D4547ABBBE2AFD2304F088C6ED4C9AB382D779450A8B96

Function 0040DC60 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 334COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DC70

Strings

tz, xrefs: 0040DF4C
Ar, xrefs: 0040DF41
ssr, xrefs: 0040DD9C
xO, xrefs: 0040DF2B
{A, xrefs: 0040DC7E

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: Uninitialize
String ID: Ar$ssr$tz$xO${A
API String ID: 3861434553-1460575286
Opcode ID: b599eff80eee8cd28ddcc1aee22c6f47353b7ec21d0580172b0ef0e6a8e21f45
Instruction ID: 471c091d9288cf775d87e93f8e234e5e66f6b31da2e0c5931413cde38b83524e
Opcode Fuzzy Hash: b599eff80eee8cd28ddcc1aee22c6f47353b7ec21d0580172b0ef0e6a8e21f45
Instruction Fuzzy Hash: 6EB1DFB150C7D18BD330CF65D4A47ABBFE1AFA2344F08496DD8D96B342D23949098BA6

Function 00438F80 Relevance: 9.1, APIs: 6, Instructions: 133clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00438FA2
GetClipboardData.USER32 ref: 00438FC3
CloseClipboard.USER32 ref: 00439114

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: ad2fc4ae4318b1226e6982753b0efc896c06ddf1f89fa80d23916dbcefe0e1e1
Instruction ID: 44a9ca2a0143d1aae2d95f0960911addc119bc5fcc49f85c4da1b6c5df8c10d7
Opcode Fuzzy Hash: ad2fc4ae4318b1226e6982753b0efc896c06ddf1f89fa80d23916dbcefe0e1e1
Instruction Fuzzy Hash: B551C6B08087829EDB10AF7C944935EBFA06B16320F05473DE4A5972C2D3789959C797

Function 004161F0 Relevance: 8.4, Strings: 6, Instructions: 937COMMON

Download Yara Rule

Strings

`'%9, xrefs: 004162A7
OH86, xrefs: 00416DE7
X^, xrefs: 00416592
TZ, xrefs: 00416587
0O4_, xrefs: 00416DF2
I?OW, xrefs: 00416DDC

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: 0O4_$I?OW$OH86$`'%9$TZ$X^
API String ID: 0-3994251684
Opcode ID: fdeb8ae78b360836a26070eede51e858cf9d830d5a81a6486af8a0e262695889
Instruction ID: 657e0fd9d4c45c495a0a7f79653add63f41cf9862e97fb2f409a6bd2d6eba69d
Opcode Fuzzy Hash: fdeb8ae78b360836a26070eede51e858cf9d830d5a81a6486af8a0e262695889
Instruction Fuzzy Hash: 035226B55083408BD7249F24C8417EBB7E1FFA6308F09892DE5D987391E778D885CB8A

Function 0041CDA0 Relevance: 8.2, Strings: 6, Instructions: 650COMMON

Download Yara Rule

Strings

<., xrefs: 0041D280
OL, xrefs: 0041CE7C
*Z?X, xrefs: 0041CEF3
jkh, xrefs: 0041CF13
rs, xrefs: 0041D44E
&R$P, xrefs: 0041CF03

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: &R$P$*Z?X$<.$OL$rs$jkh
API String ID: 0-4200519583
Opcode ID: 7e044c6312bb1ec4d6eed8b782089f6e1467165e0d176f28ff2da2682c988496
Instruction ID: 6e31c27fbdb29c713ce42a2a3a1df6fed43f8dc78f5ca6c47c7302cd2d14f7a0
Opcode Fuzzy Hash: 7e044c6312bb1ec4d6eed8b782089f6e1467165e0d176f28ff2da2682c988496
Instruction Fuzzy Hash: 671211B29483108FD314DF25C8916ABBBE1EF91318F09892DE4D59B361E778C945CB8B

Function 00430DAC Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 175COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00430F1F

Strings

Z_, xrefs: 00430F46
RgY, xrefs: 00430F36
kb&], xrefs: 00430F3E

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: FreeLibrary
String ID: RgY$Z_$kb&]
API String ID: 3664257935-1762941101
Opcode ID: 0698615e646754455fa8bd521d22818d8d879c20af807f77c3a38c2f12d40996
Instruction ID: 7221e4e315edb871907b990e7e3cfd8ecb1702ef9149a602c85dac77e0672386
Opcode Fuzzy Hash: 0698615e646754455fa8bd521d22818d8d879c20af807f77c3a38c2f12d40996
Instruction Fuzzy Hash: 1D51467190C3909FD3318F24C8217ABBFD1AF9A705F18195DE4D9AB381D7788405CB9A

Function 0041A7D0 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 928COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0041ACD7
FreeLibrary.KERNEL32(?), ref: 0041AD19

Part of subcall function 004432F0: LdrInitializeThunk.NTDLL(0044639B,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0044331E

Strings

:;, xrefs: 0041AAD1

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: :;
API String ID: 764372645-3581617570
Opcode ID: 035b64e812eab1020119bfb20d3671d4de64bae3cc05e7959a1ac69315f65e7c
Instruction ID: 78d8c76ff278884471272e06de6891ad82f9c0ba26530983e48509cb6c2f4e08
Opcode Fuzzy Hash: 035b64e812eab1020119bfb20d3671d4de64bae3cc05e7959a1ac69315f65e7c
Instruction Fuzzy Hash: E66237746083409BE724DF24DC817ABBBE2EF95314F14862EF4948B3A1D3789C95DB4A

Function 00444A1B Relevance: 5.6, Strings: 4, Instructions: 602COMMON

Download Yara Rule

Strings

(qi, xrefs: 00444E5E
JD, xrefs: 00444A39
/9}rqqw, xrefs: 00444FBA
qqw, xrefs: 00444FE0

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: (qi$/9}rqqw$JD$qqw
API String ID: 0-3077424514
Opcode ID: dc9b691f86e9f60987e8dc40a3dfd8d7b76380792358bf4dbdff9224db01edea
Instruction ID: 700e0231e93bcd115f48100ed8757216903023b0dece03e98b67004024499614
Opcode Fuzzy Hash: dc9b691f86e9f60987e8dc40a3dfd8d7b76380792358bf4dbdff9224db01edea
Instruction Fuzzy Hash: 5112D139A18211CFD708CF28D89022BB7E2FF9A325F1A897DD58687391DB34D855CB85

Function 0040D035 Relevance: 5.6, Strings: 4, Instructions: 595COMMON

Download Yara Rule

Strings

oA#C, xrefs: 0040D454, 0040D460
4E/G, xrefs: 0040D81C
HI, xrefs: 0040D827
qnm, xrefs: 0040D053

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: 4E/G$HI$oA#C$qnm
API String ID: 0-4241155200
Opcode ID: e7953381b3bd626c1dd57d52edd89e0c94e33f72ec718c252f066c4d5ff16c19
Instruction ID: fd41dd70987feb4205429c64507d1466b8dc58cd643f1b3dad895ecdaafe82d1
Opcode Fuzzy Hash: e7953381b3bd626c1dd57d52edd89e0c94e33f72ec718c252f066c4d5ff16c19
Instruction Fuzzy Hash: 2412ADB55483D08ED334CF64C459BDBBBE1AFD2304F19896DC8D96B286C73A05098BA7

Function 004093F0 Relevance: 5.4, Strings: 4, Instructions: 421COMMON

Download Yara Rule

Strings

", xrefs: 0040951E
v, xrefs: 0040975E
}, xrefs: 004097B3
oaao, xrefs: 00409770

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: oaao$v$}$"
API String ID: 0-2028497809
Opcode ID: f907a1a6d19398234bc1bd4e095762902d042901b5c50683389b13fb8b91b820
Instruction ID: c134f4994b52a1ef73dbb898e2fd6bc17062e2d6d9a75f67a65df4fce8f9197a
Opcode Fuzzy Hash: f907a1a6d19398234bc1bd4e095762902d042901b5c50683389b13fb8b91b820
Instruction Fuzzy Hash: D7C1C47164C3918BD315CF29986036BBFE19F93304F0849ADE4D19B382D67AC90ACB56

Function 00439BC8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00439C00
GetSystemMetrics.USER32 ref: 00439C0F

Strings

, xrefs: 00439CBD

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 9a47d15479aa08b878bacd4df3eead006337a1303438bc820c2973b409c53aa7
Instruction ID: 62383d9fe981f73e778ea1de4b873d2f2ac23b850cac30ce28c9644c508b8c2a
Opcode Fuzzy Hash: 9a47d15479aa08b878bacd4df3eead006337a1303438bc820c2973b409c53aa7
Instruction Fuzzy Hash: F631BFB49143148FDB00EF68D98564EBBF4BB89304F01856EE898DB360D770AD48DF96

Function 00409130 Relevance: 5.2, Strings: 4, Instructions: 245COMMON

Download Yara Rule

Strings

X, xrefs: 00409214
?&, xrefs: 004091EC
LZ"\, xrefs: 004091B4
+, xrefs: 0040918C

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: +$LZ"\$X$?&
API String ID: 0-1224906956
Opcode ID: 569df59cc63c81a2093539804a1647212d1f60bd93043bd6b3b606417f76a063
Instruction ID: cf1a6b334503faba0c3653950d0ecad6e8fca50092055b48c4cd0328210d02b3
Opcode Fuzzy Hash: 569df59cc63c81a2093539804a1647212d1f60bd93043bd6b3b606417f76a063
Instruction Fuzzy Hash: 3871D52014D3C28AD311CF7A84A075BFFE19FA6344F184A6DE8D45B382D379890ADB66

Function 00441F90 Relevance: 4.3, Strings: 3, Instructions: 575COMMON

Download Yara Rule

Strings

f, xrefs: 00442209
S"(w, xrefs: 004422B7
S"(w, xrefs: 00442080

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$f
API String ID: 2994545307-891790955
Opcode ID: 3fdd145879ebef5c53c3914aef8e5be88f7a0c7a5041eb9bceae80d4570a7130
Instruction ID: 987ce849c00b802004194bd530b1e3fd3c79ada89b89ba992d9bc4aa9d8f853e
Opcode Fuzzy Hash: 3fdd145879ebef5c53c3914aef8e5be88f7a0c7a5041eb9bceae80d4570a7130
Instruction Fuzzy Hash: EC12D0706083518FE324CF14C990B2BBBE1FBC9314F55866EF9A44B391C7B99905CB9A

Function 00415BA0 Relevance: 4.3, Strings: 3, Instructions: 543COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00416030
NP,?, xrefs: 00415FC0
b_A, xrefs: 00415F5B

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: NP,?$NP,?$b_A
API String ID: 0-2854310487
Opcode ID: e7f4755e2f1289598cec40813b8b02ed29ba6507a4666c4a9b2bfade08cf80d5
Instruction ID: c9bd83c20936857d95b363af4ddc04790443d6c8da8541ca7c628eed2d1be8f9
Opcode Fuzzy Hash: e7f4755e2f1289598cec40813b8b02ed29ba6507a4666c4a9b2bfade08cf80d5
Instruction Fuzzy Hash: D0F17578604200EFE7149F14EC41BBB33A1FB8A315F54463EF5949A2E1E334AD95DB8A

Function 00444C90 Relevance: 4.2, Strings: 3, Instructions: 438COMMON

Download Yara Rule

Strings

(qi, xrefs: 00444E5E
/9}rqqw, xrefs: 00444FBA
qqw, xrefs: 00444FE0

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: (qi$/9}rqqw$qqw
API String ID: 0-842441055
Opcode ID: 0a1468b2313e19638f2214dccf758a2a691e7cd3bd6339c2788d18f317b8d834
Instruction ID: 1635be6d5b0a9071267c1bd2631e17e8deb7fbfa710cd26ab8806c1eaad40420
Opcode Fuzzy Hash: 0a1468b2313e19638f2214dccf758a2a691e7cd3bd6339c2788d18f317b8d834
Instruction Fuzzy Hash: 2DE1D33A618211CFD708CF38D89062AB7E2BFDA315F1A897DD58987351DB34D845CB85

Function 00444DB0 Relevance: 4.2, Strings: 3, Instructions: 420COMMON

Download Yara Rule

Strings

(qi, xrefs: 00444E5E
/9}rqqw, xrefs: 00444FBA
qqw, xrefs: 00444FE0

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: (qi$/9}rqqw$qqw
API String ID: 0-842441055
Opcode ID: 9de241e482cfd27b47b02f70ec63b3ea89fca15b8d1ea96516de309c8f82f853
Instruction ID: cbabc253694ec05f4480007a3ab30e639cb6040d03a70bd8213ed792c1e8e2ac
Opcode Fuzzy Hash: 9de241e482cfd27b47b02f70ec63b3ea89fca15b8d1ea96516de309c8f82f853
Instruction Fuzzy Hash: 0AD106366183508FD718CF38D89062BB7E2AFDA315F1A897DE4C687395DA34D805CB86

Function 00444D20 Relevance: 4.2, Strings: 3, Instructions: 403COMMON

Download Yara Rule

Strings

(qi, xrefs: 00444E5E
/9}rqqw, xrefs: 00444FBA
qqw, xrefs: 00444FE0

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: (qi$/9}rqqw$qqw
API String ID: 0-842441055
Opcode ID: 03446c81db0968e289d9b263694c7b80afbb95f8ff92f0d85c0c0cf32bc54459
Instruction ID: e014eb1d1f411f7bce38a87c0b80cc5480eb076ed9d5db50fd9b4345202bd07a
Opcode Fuzzy Hash: 03446c81db0968e289d9b263694c7b80afbb95f8ff92f0d85c0c0cf32bc54459
Instruction Fuzzy Hash: E1D1B13A618351CFD708CF38D89062AB7E2BFDA315F1A897DE48987391DB34D8458B85

Function 0042FF1E Relevance: 4.0, Strings: 3, Instructions: 226COMMON

Download Yara Rule

Strings

%, xrefs: 004301B7
o, xrefs: 004300F3
CEqB, xrefs: 004300DB

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: %$CEqB$o
API String ID: 0-2061566487
Opcode ID: 5cb8be038a758976d50d1b5b7d233cf53d1d743c87922117646adb4009e3427e
Instruction ID: e8f455109160afc3fa7fdbb779341e3cd129a99704e2fe4cab7e570d38e07100
Opcode Fuzzy Hash: 5cb8be038a758976d50d1b5b7d233cf53d1d743c87922117646adb4009e3427e
Instruction Fuzzy Hash: 9F512B7050C3914BE719CF35947433BBBE09F9B308F186A9EE4C19B382D679C905875A

Function 0042FFA9 Relevance: 4.0, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

%, xrefs: 004301B7
o, xrefs: 004300F3
CEqB, xrefs: 004300DB

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: %$CEqB$o
API String ID: 0-2061566487
Opcode ID: a7845a60e3467fde4cd4ac2be6001102b77b7e294a65f12e31ca27ae493a64bf
Instruction ID: e24a4da4da1cb5ce01410ab1afa794145bf488b0b6298d5dd77bd1e9960b0d97
Opcode Fuzzy Hash: a7845a60e3467fde4cd4ac2be6001102b77b7e294a65f12e31ca27ae493a64bf
Instruction Fuzzy Hash: 9251297050C3914BE719CF39947437BBBE0AF97308F186A9EE4C19B382D679C909875A

Function 0042FFF6 Relevance: 4.0, Strings: 3, Instructions: 222COMMON

Download Yara Rule

Strings

%, xrefs: 004301B7
o, xrefs: 004300F3
CEqB, xrefs: 004300DB

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: %$CEqB$o
API String ID: 0-2061566487
Opcode ID: d791743bbe9599a9dbeb19eb87bc0c8755bc59c482b36121e305765dd7760124
Instruction ID: 9f83a0fe2bd5dfc335cf652d432505244aca99334bda6e66e7ed70ebfb85810f
Opcode Fuzzy Hash: d791743bbe9599a9dbeb19eb87bc0c8755bc59c482b36121e305765dd7760124
Instruction Fuzzy Hash: 3651297050C3918BE719CF35947433BBBE0AF97308F186A9EE4C19B382D679C909875A

Function 0042FFE7 Relevance: 3.9, Strings: 3, Instructions: 197COMMON

Download Yara Rule

Strings

%, xrefs: 004301B7
o, xrefs: 004300F3
CEqB, xrefs: 004300DB

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: %$CEqB$o
API String ID: 0-2061566487
Opcode ID: 05e9db34ef38b5d74a61e41d243411255ea8f7931aa05048dbcda9676fde7542
Instruction ID: fced65b220827af84cdcfa135296411c8e9fa91aa7f20e479a8a27d3d2fe492b
Opcode Fuzzy Hash: 05e9db34ef38b5d74a61e41d243411255ea8f7931aa05048dbcda9676fde7542
Instruction Fuzzy Hash: C751E66090C3918BE719CF259470337FFE1AFA7709F18698EE0C15B382D67989098B5A

Function 0041BF35 Relevance: 3.9, Strings: 3, Instructions: 172COMMON

Download Yara Rule

Strings

#'t, xrefs: 0041C18A
Y, xrefs: 0041C12C
XMI, xrefs: 0041BF90

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: #'t$Y$XMI
API String ID: 0-512708347
Opcode ID: ac2741a947884fd7f2c21d31e2c162684f8a4fb3cb8d79f92a91f7d8e536eb0a
Instruction ID: b9050c1de0f790e3bb932a1e9c1eda06c8bc9d3caeab088e08e79bf90af03324
Opcode Fuzzy Hash: ac2741a947884fd7f2c21d31e2c162684f8a4fb3cb8d79f92a91f7d8e536eb0a
Instruction Fuzzy Hash: 4251F67165C3408FD314CF24C89579BBBE2ABC6308F18595DE0D19B396DBB9C5098B86

Function 0043F9F4 Relevance: 3.4, Strings: 2, Instructions: 876COMMON

Download Yara Rule

Strings

r, xrefs: 0043FAC1
.K, xrefs: 0043FAB5

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: .K$r
API String ID: 0-2259768726
Opcode ID: 256132ab038d1a4ebe18636547147139a8a88ef842e7bf450dfdac04c6d550ab
Instruction ID: 60aab5518459031cc1aa592ef99ea0d76ffc8abeacfb2d0c2a21ed27aadea781
Opcode Fuzzy Hash: 256132ab038d1a4ebe18636547147139a8a88ef842e7bf450dfdac04c6d550ab
Instruction Fuzzy Hash: 0B52463AE10225CBDB04CFA8D8912EEB7B2FF59310F1A857DC945AB391E7789901C794

Function 004180D5 Relevance: 3.0, Strings: 2, Instructions: 541COMMON

Download Yara Rule

Strings

q, xrefs: 004184FD
$Y, xrefs: 00417FE6

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: $Y$q
API String ID: 0-3146994246
Opcode ID: c78bcf8ec7ca903e3b801ce5eb7f659a81f620b184e5b1cb3f7b519666bde721
Instruction ID: 114a6a6b90f0cf980223145c762246095f1cdc6a9135967cbe073f89d09620c5
Opcode Fuzzy Hash: c78bcf8ec7ca903e3b801ce5eb7f659a81f620b184e5b1cb3f7b519666bde721
Instruction Fuzzy Hash: 6AF137745083808BD724CF28C8657ABB7E1EF97314F18866DD4D98B392DB398846CB96

Function 0043F2A0 Relevance: 2.9, Strings: 2, Instructions: 396COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043F4D0
g, xrefs: 0043F545

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: NP,?$g
API String ID: 0-2251022636
Opcode ID: 2530fdbdc66cccbf91f9d824c67a79e3073c1c95a934deb44a844e8a9f68e910
Instruction ID: 18f2dd8da73054597654b9d69896696af1b4868ae3dcc6013b91db26e5fbec51
Opcode Fuzzy Hash: 2530fdbdc66cccbf91f9d824c67a79e3073c1c95a934deb44a844e8a9f68e910
Instruction Fuzzy Hash: FCA17B75A04300ABE7149F14CC81B2BB395EB99318F24963EF955973E2D339EC0AC799

Function 0042BD1E Relevance: 2.8, Strings: 2, Instructions: 310COMMON

Download Yara Rule

Strings

%9!", xrefs: 0042BD47
-1)*, xrefs: 0042BD37

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: %9!"$-1)*
API String ID: 0-1259219644
Opcode ID: de2a12aba7344d671dc300774e743451bad35b726c608b9a07d45d30dd2dfe00
Instruction ID: aaecefd6e5161bf8b3d70ad9571fa5bd553968d75967941d3fffcc2cde115768
Opcode Fuzzy Hash: de2a12aba7344d671dc300774e743451bad35b726c608b9a07d45d30dd2dfe00
Instruction Fuzzy Hash: 66B1E8B19083508BC724CF64D88175BBBF1EF96304F58892DE5D687392E779D805CB86

Function 0042EEA0 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

", xrefs: 0042F1D8

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: cbba23b5e530592e4b5d8db04538d3eeb24be527a2a1d7758e3a84c05fb15af8
Instruction ID: 4e714cc0cadded8b4dc7239c1afbbfff912ec98d4d38368bdd320282de49262e
Opcode Fuzzy Hash: cbba23b5e530592e4b5d8db04538d3eeb24be527a2a1d7758e3a84c05fb15af8
Instruction Fuzzy Hash: 41C14871B08320ABD724CE25E440B6BB7E5AB85314FD9893EE89587382D73CDC49C796

Function 0041DE50 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

}, xrefs: 0041DF93

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-4239843852
Opcode ID: 7e47ef235a279bfa8ea16a829817fc38e6d78817e11e40180b00cfe4e122fe47
Instruction ID: 43f5cb5d76d627b01881f8ed468bbae1325697339fe4ff1b795b31cd078b95da
Opcode Fuzzy Hash: 7e47ef235a279bfa8ea16a829817fc38e6d78817e11e40180b00cfe4e122fe47
Instruction Fuzzy Hash: 4EA11B756082614BC712CE29C84179BBFE1AB95324F18857EECE98B3C2D639C846D7D1

Function 0042CB4C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?), ref: 0042CB74

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 9f6e08407af8346cf421c06240f5bdac2622d2a2f62986947884838f4e7ac912
Instruction ID: 71c9f6eb9bfe52ffa337e2853ce656b23d527220e1e68e0c112328658b5d84cb
Opcode Fuzzy Hash: 9f6e08407af8346cf421c06240f5bdac2622d2a2f62986947884838f4e7ac912
Instruction Fuzzy Hash: 5C012BB8A45300DFE3109F60ACC2B2B7368B747709F14113DF644861C2DB34D019C65D

Function 004191AB Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

gfff, xrefs: 004196AA

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 31b77a6325b977cd380b257a6584c384a73de06151282b5fbb32a8c5e8f40866
Instruction ID: 0ec05a3316781326c12a0fe5d050a63c17d06b573a396975e7efea741d0fbdf1
Opcode Fuzzy Hash: 31b77a6325b977cd380b257a6584c384a73de06151282b5fbb32a8c5e8f40866
Instruction Fuzzy Hash: 2B910176A142118BE324CF39CC913AB76D3ABC5314F09C63EE855DB395EB38C8468785

Function 0040EA2B Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

ct, xrefs: 0040EA96

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID: ct
API String ID: 0-1482792894
Opcode ID: 7f72acb111f6f314e268f92278720f7c2360031acb5cf75a93cea98a1d5246d0
Instruction ID: 854f7849514fdffa9c8bb6bbcdde085c30a4618a112acdbec5535559f3095cc4
Opcode Fuzzy Hash: 7f72acb111f6f314e268f92278720f7c2360031acb5cf75a93cea98a1d5246d0
Instruction Fuzzy Hash: 774133755083C04AD330EB39D8617EFBBE09FC5319F084A3ED8C9AB292E73906458746

Function 00445480 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

@, xrefs: 004454E7

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: b878d18069ddc01eefc233168a7123c10e5f47157a735180e3260bdd79b7cf6a
Instruction ID: da8d00d8a6c78d7bf751dd5f576bc0ac2f578df099ed9239dc3ab1c8a1b99990
Opcode Fuzzy Hash: b878d18069ddc01eefc233168a7123c10e5f47157a735180e3260bdd79b7cf6a
Instruction Fuzzy Hash: 6C210171504304ABE7149F08D8C167BB7F5EB86324F10962DFA68473A1D375A808CB9A

Function 00402E90 Relevance: .7, Instructions: 673COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92f431f5f282df372b59cc29a18b90b71f8f15609223258a929f88163add4b2
Instruction ID: b0f0a17b1fc0a033b4a2f1cc02ba86d9755e6f063b47d694df72eea621f1b6b8
Opcode Fuzzy Hash: c92f431f5f282df372b59cc29a18b90b71f8f15609223258a929f88163add4b2
Instruction Fuzzy Hash: 2952F4716083458FCB15CF24C0906AABFE1BF89315F188A7EF8996B381D778D949CB85

Function 004075B0 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db97c5d4605a39ce5dc9f720e393c6d74ae823537de388d576d6b16ddda38814
Instruction ID: 06c8f07ac8cbc34feda8d1841109ee2b6636da8218e647756be6ac9dca59519a
Opcode Fuzzy Hash: db97c5d4605a39ce5dc9f720e393c6d74ae823537de388d576d6b16ddda38814
Instruction Fuzzy Hash: C6129531A0C7118BD724DF18D8816ABB3E1BFC5309F29893ED986A7281D738B955CB47

Function 0042A0AE Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225ecadc539d476f6562695b3bc86078dfa9e782bf827545c5cce5b40862f9c9
Instruction ID: 96fff135db4a057efa9e240d87b449f15cf37cba6abbb5f641b1f027f2a8cd4e
Opcode Fuzzy Hash: 225ecadc539d476f6562695b3bc86078dfa9e782bf827545c5cce5b40862f9c9
Instruction Fuzzy Hash: 01F138B560C351CBD314CF24988026BBBE1AFD6304F18886DE9C59B352DB79D90ACB97

Function 00405A50 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96558bfc746a5a3223c634a59d11508aadd0a8639b0b160b0729f66767d8386b
Instruction ID: e22f2181abad4bfc230c02fca7b2677cd5da42dabbcbe70a6189a4d08cfb2137
Opcode Fuzzy Hash: 96558bfc746a5a3223c634a59d11508aadd0a8639b0b160b0729f66767d8386b
Instruction Fuzzy Hash: AAF1B1356087418FC724DF29C88066BFBE2EFD9304F08882DE5D997791E679E904CB5A

Function 00431E4C Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0dd176c0790ee0c5f884bae5a1172c001938fda98990d212e62d3f92ee95f3
Instruction ID: f5949bf65d63e161820a31d7374a076a9760bff05e9c07d6c174cc10fcdb04b5
Opcode Fuzzy Hash: 0b0dd176c0790ee0c5f884bae5a1172c001938fda98990d212e62d3f92ee95f3
Instruction Fuzzy Hash: 05B1F67150C3918BE739CF3985103ABBFE0AFDA304F1889AED4D997382D77985058B56

Function 00430B9B Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836c6b42ec0611ea18aa404a27ca8aa0d1b2e3d022bbd135fe367631234d58ce
Instruction ID: c6ae8491d15a70da79b7fc2c0f19f8e9b548554856ab7c4746c33663e9dcb25c
Opcode Fuzzy Hash: 836c6b42ec0611ea18aa404a27ca8aa0d1b2e3d022bbd135fe367631234d58ce
Instruction Fuzzy Hash: 4BA1D47050C3D28BE739CF2985603ABBBE0AF9A304F18896ED4D997382D7798505CB57

Function 0043F680 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b09f51ad7863d3873e894769d4cac7c5c4a94dcb148dfc9fad6d8a925a2baed7
Instruction ID: c4766370a8ecb5b604ed4427d7471d2e42e2c110eff7084d179d2d9aa38e71cf
Opcode Fuzzy Hash: b09f51ad7863d3873e894769d4cac7c5c4a94dcb148dfc9fad6d8a925a2baed7
Instruction Fuzzy Hash: 4E419D72E043106BE728AE24DC41B3BB694DF85718F19513EFC8567351E7359C0883DA

Function 00440275 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601827c73579829ad049d4e61699133ca69b58c718b64c9bcdfcd3501d205d07
Instruction ID: 88d4c232e5702a91990132c4681acea672966073dba293fd78a1f3fea14ec7e7
Opcode Fuzzy Hash: 601827c73579829ad049d4e61699133ca69b58c718b64c9bcdfcd3501d205d07
Instruction Fuzzy Hash: D551193AA15620CBD708CF25C89126AB7B2FFC5318F1EC19DC8455F39ADB7959078784

Function 0042C5B2 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880b9d5c2b992efce546c2c4dad669a229ebc235ed9a83e66b70d105e27b7181
Instruction ID: e602c5a7fcf76763f45f3c702c967d0a72e51d1e39e979b1f8ca2e8419a707e7
Opcode Fuzzy Hash: 880b9d5c2b992efce546c2c4dad669a229ebc235ed9a83e66b70d105e27b7181
Instruction Fuzzy Hash: 9B41C2715083658FD725CF28C090A9FBBE1FFC5304F42C92DD8A96B240DB759909DB82

Function 004313A6 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06739b48dd17263fd0c5d8ff830ca2f3f2198606b07f25d392d45c557bc3288f
Instruction ID: 837c5ba2766653da9f9face9a5d7d8ccb6d766050029b5bb99883829ab926cda
Opcode Fuzzy Hash: 06739b48dd17263fd0c5d8ff830ca2f3f2198606b07f25d392d45c557bc3288f
Instruction Fuzzy Hash: 1631B26460C3C25BE725CB3984607FBBBE49F67304F18159ED4DA8B292DB3885098766

Function 0040DA5B Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1072ad6dee5ff189b4b040a2339b61298cf436dc3793388b4ee0e6f34b5d9ee
Instruction ID: 2cb0e7da2f61203fa493e8726841193bda88ef60fd0083a191813caae9c89cdd
Opcode Fuzzy Hash: d1072ad6dee5ff189b4b040a2339b61298cf436dc3793388b4ee0e6f34b5d9ee
Instruction Fuzzy Hash: 86314836A883404BD324DB29DC913EFB7D39BD4325F1D463ED889973A1DB7845068786

Function 004225A0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9561b6f5b47a50e15b93c6dde1671ee657786ec7678328801d777fa68609af2
Instruction ID: ef5578fe1ee93234f88c0e7f3ba483e3510c746868b369ad980919c337776d4b
Opcode Fuzzy Hash: d9561b6f5b47a50e15b93c6dde1671ee657786ec7678328801d777fa68609af2
Instruction Fuzzy Hash: CD2138616083219BC320AF28DC5166BBBF0EF52354F44851DE4D58B391F7BC8A45C3AB

Function 0043B5D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 1d9c8598d66c0d4df2664a2682689c1446e4f0d6c0f665ff6b5ea69d477acb49
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 7211EC336051D40EC3158D3C8440675BF934AA7234F1D939AF4B89B2D3D7268D8B879A

Function 0042D5B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ec9f092c3934051d65ea62001a4bb5c38501a6afbdabb394a33616aba54ff8
Instruction ID: e605684af66d87fe7097271783427726dcde0be3ad8efacd29e988edfc5e82d2
Opcode Fuzzy Hash: 20ec9f092c3934051d65ea62001a4bb5c38501a6afbdabb394a33616aba54ff8
Instruction Fuzzy Hash: C001D4F1F0071157E720AE19A5C0727B2A8AF95718F18443EE84C57342EBBDEC09C6AD

Function 0042BC60 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531def219193f791eae3c5419b9feb613c0835a8f9ecbf37894c1b358b84b427
Instruction ID: e0af63d0f4f3cd8e3f72af02da2ef108ab3e410d98b8dab8a3273221b227addf
Opcode Fuzzy Hash: 531def219193f791eae3c5419b9feb613c0835a8f9ecbf37894c1b358b84b427
Instruction Fuzzy Hash: F601C438700134ABE728AF15BC9053E73A6FF8A315FB4813AE915862A0F734ED51964D

Function 004303A9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1430266cf1d63f3f28541e386d3041fdd1094e9131619524307d48b0d4bb3dc0
Instruction ID: 147830b722c0e275abaa7049fe641a5d4f952498f1a4b4cd5391013c8faf7209
Opcode Fuzzy Hash: 1430266cf1d63f3f28541e386d3041fdd1094e9131619524307d48b0d4bb3dc0
Instruction Fuzzy Hash: AA01A42494A2D18AE312CF398070772BFE09F57704F2CA2D9DCC11B292C3399D0AD798

Function 004198BC Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed4b62d92ba53a2042ddfffd2dd86adda5e9b7447f7d0935f8bc9f22e8e4d23
Instruction ID: 9f179247e50cebe1be560fe30da9149a745a89dcbd33524b41beb1b09c35144b
Opcode Fuzzy Hash: 5ed4b62d92ba53a2042ddfffd2dd86adda5e9b7447f7d0935f8bc9f22e8e4d23
Instruction Fuzzy Hash: 64016275A14204ABD2208F188941A7B73B5F78A320F64922DF59497391D730FD41C79D

Function 00437C46 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87dd84be769785437457d9b561b16c86ed42e2d302712782539f35e16bef95f
Instruction ID: ea5f62aa47da605256c2f07d8d1c31acc9ddbb8a4ef1b7b851c1058e93f47009
Opcode Fuzzy Hash: a87dd84be769785437457d9b561b16c86ed42e2d302712782539f35e16bef95f
Instruction Fuzzy Hash: 53F0B2B85047058FD355DF38C494A96BBF5BF89304F01896DE8AAC7360EB71A948CB41

Function 00420230 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 77c17f556a7f8bd4b12d0bee7c86091020641db7c883fd0808a3815d6a61f091
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: DED0A77164C7B14E57588D3814E0477FBE8E987752F5814DFE4D5E3206D224DC0146AC

Function 004268F1 Relevance: 16.2, APIs: 3, Strings: 6, Instructions: 412COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?), ref: 0042691A

Strings

QS, xrefs: 00426ACD
UW, xrefs: 00426AD5
`nB, xrefs: 00426E5A
5N:L, xrefs: 00426C65
rp, xrefs: 00426D42
vt, xrefs: 00426D3A

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 5N:L$`nB$QS$UW$rp$vt
API String ID: 237503144-2261627886
Opcode ID: 2967a10d20d7a1feed67c3720a9385946959e266c4c0c94363692ea5e16022b8
Instruction ID: b32ae15696d41cdbe2de62c7e247779fa561c8371c9a23344d16098d65406801
Opcode Fuzzy Hash: 2967a10d20d7a1feed67c3720a9385946959e266c4c0c94363692ea5e16022b8
Instruction Fuzzy Hash: 2DD175B020C3508BD710DF99E85266BBBF0EF82318F45492DF4D59B390E7788605CB6A

Function 004267B0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0042686F

Strings

F, xrefs: 004267EA
_), xrefs: 004267DA
*Y, xrefs: 004267D2
BU, xrefs: 004267E2

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: *Y$BU$F$_)
API String ID: 237503144-745938446
Opcode ID: 2e29c80f54a7f41eb05a2c73ddbb6397b36d7cb394d7fdc8a4ded82d5752038c
Instruction ID: 97f63c92aea2d0dd41e7afa3d4e2f64a8f791cda2844a3e1203fcf2e7389f266
Opcode Fuzzy Hash: 2e29c80f54a7f41eb05a2c73ddbb6397b36d7cb394d7fdc8a4ded82d5752038c
Instruction Fuzzy Hash: 9531EE7424C3509BE318CF15D89579FBBE2EBC5304F44C86DE0E85B285CBB9890A8B96

Function 0042AA36 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042AE0E

Strings

}r, xrefs: 0042AD31
v|, xrefs: 0042AD49

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: v|$}r
API String ID: 237503144-2928966534
Opcode ID: d5240fbaa134dd6f8f3d016a592fdee159e1dd9e32f889a7f3f74b846d51ca19
Instruction ID: a3143c1a559a5499a83d5dfecea6241eb6d0eb4f5fb6bdeddc2647a602faa043
Opcode Fuzzy Hash: d5240fbaa134dd6f8f3d016a592fdee159e1dd9e32f889a7f3f74b846d51ca19
Instruction Fuzzy Hash: 1A6115B6A483508FD3208F65A84071FBBE5FB85304F16493DF9989B381D7B9D8058B8B

Function 0042ACDB Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042AE0E

Strings

}r, xrefs: 0042AD31
v|, xrefs: 0042AD49

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: v|$}r
API String ID: 237503144-2928966534
Opcode ID: 36688d20d19aec57deb3083e36cd224b113f499be60080a9b70620810cc3cd69
Instruction ID: cb76ca79c1363bdafd1f58b5083f535b569e2f2e037d8355a887f6df87161652
Opcode Fuzzy Hash: 36688d20d19aec57deb3083e36cd224b113f499be60080a9b70620810cc3cd69
Instruction Fuzzy Hash: 025115B6A483508FD3208F65A84071FBBE5FBC5304F15493DF9989B381D7B998058B8B

Function 0043961F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043966A
GetSystemMetrics.USER32 ref: 00439679

Strings

, xrefs: 0043974D

Memory Dump Source

Source File: 00000003.00000002.1676619511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Installer.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c01cc43c56d3f2343a464f55931a6d4d1ac46e4db450f99656191658adb374f6
Instruction ID: d266c7fc96a4a90b6eac445c9e78e4cbd624c3c938b2ce8c39680ef0926ce840
Opcode Fuzzy Hash: c01cc43c56d3f2343a464f55931a6d4d1ac46e4db450f99656191658adb374f6
Instruction Fuzzy Hash: 7C518FB4A152189FDB40EFACD981A9EBBF0BB89300F10852DE498E7354D734AD45CF96

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Installer.exe_eaf59025957578de3dc17eaaa4ee0532955b6d_ff0f320d_b6604058-c252-4567-a150-f0bdc103ed4e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF160.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF26B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF28B.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Installer.exe

Function 026E8635 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 026E87B2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 00B42C40 Relevance: 1.7, APIs: 1, Instructions: 249
memoryCOMMON

Function 00B406E8 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 0040BADE Relevance: 10.2, Strings: 8, Instructions: 218
COMMON

Function 004086E0 Relevance: 7.8, APIs: 5, Instructions: 292
threadCOMMON

Function 0040A2E6 Relevance: 3.8, Strings: 3, Instructions: 78
COMMON

Function 004432F0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0040C1A8 Relevance: .2, Instructions: 206
COMMON

Function 0043D43C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 55
COMMON

Function 0044360E Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Function 00443260 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Function 00441900 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON