Click to jump to signature section
Source: locatedblsoqp.shop | URL Reputation: Label: phishing |
Source: caffegclasiqwp.shop | URL Reputation: Label: malware |
Source: condedqpwqm.shop | URL Reputation: Label: phishing |
Source: millyscroqwp.shop | URL Reputation: Label: malware |
Source: stamppreewntnq.shop | URL Reputation: Label: phishing |
Source: stagedchheiqwo.shop | URL Reputation: Label: phishing |
Source: traineiwnqo.shop | URL Reputation: Label: malware |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Malware Configuration Extractor: LummaC {"C2 url": ["traineiwnqo.shop", "condedqpwqm.shop", "millyscroqwp.shop", "caffegclasiqwp.shop", "evoliutwoqm.shop", "locatedblsoqp.shop", "exmptiondixv.shop", "stagedchheiqwo.shop", "stamppreewntnq.shop"], "Build id": "eFtdO8--"} |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | ReversingLabs: Detection: 28% |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: caffegclasiqwp.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: stamppreewntnq.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: stagedchheiqwo.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: millyscroqwp.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: evoliutwoqm.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: condedqpwqm.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: traineiwnqo.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: locatedblsoqp.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: exmptiondixv.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: lid=%s&j=%s&ver=4.0 |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: TeslaBrowser/5.5 |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: - Screen Resoluton: |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: - Physical Installed Memory: |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: Workgroup: - |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | String decryptor: eFtdO8-- |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Code function: 4x nop then cld | 1_2_00401850 |
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-14h] | 1_2_00442C0A |
Source: Malware configuration extractor | URLs: traineiwnqo.shop |
Source: Malware configuration extractor | URLs: condedqpwqm.shop |
Source: Malware configuration extractor | URLs: millyscroqwp.shop |
Source: Malware configuration extractor | URLs: caffegclasiqwp.shop |
Source: Malware configuration extractor | URLs: evoliutwoqm.shop |
Source: Malware configuration extractor | URLs: locatedblsoqp.shop |
Source: Malware configuration extractor | URLs: exmptiondixv.shop |
Source: Malware configuration extractor | URLs: stagedchheiqwo.shop |
Source: Malware configuration extractor | URLs: stamppreewntnq.shop |
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 224 |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Static PE information: No import functions for PE file found |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: classification engine | Classification label: mal92.troj.evad.winEXE@2/5@0/0 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5236 |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | ReversingLabs: Detection: 28% |
Source: unknown | Process created: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe "C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe" |
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 224 |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Code function: 1_2_00401297 push esp; ret | 1_2_00401298 |
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Code function: 1_2_00401369 pushfd ; ret | 1_2_0040136A |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: Amcache.hve.4.dr | Binary or memory string: VMware |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin |
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1 |
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Process queried: DebugPort | Jump to behavior |
Source: C:\Users\user\Desktop\17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe | Process queried: DebugPort | Jump to behavior |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: caffegclasiqwp.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: stamppreewntnq.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: stagedchheiqwo.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: millyscroqwp.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: evoliutwoqm.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: condedqpwqm.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: traineiwnqo.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: locatedblsoqp.shop |
Source: 17280510095e967382974d053261605657b3471f03caa1c9a4bd5790340ce2b59ddaa7f2bf582.dat-decoded.exe, 00000001.00000002.3320659433.0000000000446000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: exmptiondixv.shop |
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe |
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR |
Source: Yara match | File source: decrypted.binstr, type: MEMORYSTR |